The Google for Education Community Platform

I would also add on to Kim's excellent response to block everything except what you approve. Otherwise it becomes the wild wild west really quickly.

Listed below are some thoughts and resources as you begin this process. Hopefully, it will help you as you begin laying out a technology mission statement and process for approving edu apps. 

1. Common Sense Education provides privacy practices of the developers and reviews from other teachers on their website of popular educational apps. 
2. Student Privacy Pledge has a list of signatories who are committed to safeguard student privacy regarding the collection, maintenance, and use of student personal information. For me, if the app is not on the signatories, it is not approved.
3. Learn about the data privacy laws, such as the Family Education Rights and Privacy Act (FERPA), Children's Internet Protection Act (CIPA) and the Children's Online Privacy Protection Act (COPPA). The article by EdTech Focus on K-12, Understanding FERPA, CIPA, and other K-12 Student Data Privacy Laws, could be helpful in understanding the laws. 
4. When you have the students and parents sign your AUP, include a statement that the parent's signature grants consent for their child to participate in the use of district approved technology resources and to have logins created for and necessary data shared with these applications. 
5. Ask the question of how this app will be used in the classroom and how does it integrate or support the curriculum. Often, teachers hear about and want to try something new but have not researched the app enough to see how it fits into the courses scope and sequence. Is the app enhancing the student's learning or simply filling class time? Sometimes this is a hard conversation to have but it is necessary to ensure that you have a technology program that supports you district's mission of technology.
6. As @mickiemueller said, it is best to start with a more locked down approach. You can block all the apps then add them to the allow list as they are approved. If you can help stakeholders understand that you are following the privacy laws and that you are motivated by protecting your students, the restrictions will be better received.
7. Look at larger school districts in your area and see if they have resources and/or a list of approved apps on their website. Often other districts will even share their process including forms that they require teachers to complete in order to have an app approved.

Thank you @bethhughes - that's a great list of resources for organisations in USA.

For us in the EU, it's of course GDPR that rules, and almost none of the American ones apply. Most significant difference is that parents have no say in what resources are used. That is always only decided by the school organisation, as they are fully responsible for all users' personal data, both students and staff.

That's a good point to make, @Kim_Nilsson , and including both EU and American resources is good for the international forum.  I do want to clarify, in the US parents do not have a specific say in what technology resources a school district uses. Per Google's requirement, "For users under the age of 18, your organization is responsible for obtaining parental consent, if required by applicable law (emphasis mine), before allowing these users to access third-party apps." For complete transparency that we are making those student accounts, we include the statement in our AUP to cover this.  We take very seriously the responsibility to protect the enduser's personal data by properly vetting 3rd-party apps which is critical to this protection. I think this is the heart of and the goal of the majority of schools when working with this data. It's nice that we can share what resources we each use so that someone else does not have to reinvent the wheel.