State Student Privacy Laws

Passed 2013-2018

Updated June 21, 2018

Year Passed State BILL NUMBER High Level Summary Early Ed (Y/N) K-12 (Y/N) Higher Ed (Y/N) Legislating Vendors (Y/N) Legislating SEAs (Y/N) Legislating LEAs (Y/N)
2013 Arizona SB 1450 For school districts that release directory information to educational and occupational/military recruitors, they must provide students with the opportunity to opt-out of that release. Student transcripts can’t be released unless the student consents in writing. N Y N N Y Y
2016 Arizona SB1430 An Act Relating to School Accountability: Requires the Department to compile an annual achievement profile – any disclosure of educational records compiled by the department of education must comply with FERPA. N Y N N Y N
2016 Arizona HB2088 HB 2088 prohibits public schools from administering specified assessments or surveys to students without notifying and obtaining written informed consent from parents and prescribes penalties for violations. Y Y N N N Y
2017 Arizona SB1131 This bill relates to pupil assessments: It requires the State Board to adopt and implement a statewide assessment to measure pupil achievement in the state. The State Board must also survey teachers, principals and superintendents on achievement related non-test indicators, including information on graduation and dropout rates by ethnicity for each grade level. In conducting this survey, the state board shall not violate the provisions of FERPA nor disclose personally identifiable information. This privacy limitation similarly applies to the local school district governing boards when conducting the surveys and collecting data as required by the state board. N Y N N Y Y
2017 Arizona SB1314 Relating to the Student Accountability Information System: This is a general student privacy bill that would prohibit operators from engaging in targeted advertising, using information to creates profiles about students, sell or rent student’s information, or disclose covered information, with several exceptions. N Y N N N N
2013 Arkansas SB 833 Lays out the components and process to conduct teacher evaluations. Requires a written report as well as remedial measures to be taken for teachers receiving an unsatisfactory review and subsequent growth plans. N Y N N Y Y
2015 Arkansas HB 1241 Would end the state’s contract with PARCC (could be reinstated after 1 year). Would prohibit the state board or the state DOE from providing access of any student PII collected at the state level to the federal DOE or any DOE program, nor their TA providers, research partners, government assistance organizations, or program monitors without parental consent. N N N N Y Y
2015 Arkansas HB 1961 Would prohibit an operator from using certain information to amass public school student profiles for certain purposes, or selling or disclosing covered information. Would allow the use of recommendation engines. N N N Y N N
2017 Arkansas HB1793 An Act to Create a Panel on Data Transparency: This bill creates the Chief Data Officer and Chief Privacy Officer, both of which have numerous responsibilities, including overseeing, developing, and implementing methods to ensure that all state agencies comply with federal and state laws governing the privacy and access to protected data and to assure that the use of technology sustains and does not erode privacy protections relating to the use, collection, and disclosure of personal information. The director, or designee, from the Department of Education shall be a part of the Data and Transparency Panel. N N N N N N
2017 Arkansas SB647 This bill addresses a public school accountability system created by DOE that will include a statewide assessment system that should be both secure and confidential. It also provides fro public access to assessment data without the identification of individuals and subject to FERPA and the Arkansas Student Online Personal Information Protection Act. N Y N N Y N
2013 California SB 568 Prohibits vendors of websites, online services, and applications from using a minor’s information or disclosing it to a 3rd party for the purposes of marketing or advertising specific products. It also prohibits an advertising service from continuing to do so once a vendor has notified it of such. Vendors have to allow minors to request removal of their information unless that information was posted by a 3rd party. N N N Y N N
2014 California AB 1584 Mandates inclusion of certain provisions in an LEAs contract with a cloud service, data management, or education software vendor: student records are property and under control of LEA, how vendor will ensure security of student records, prohibits vendor from using student data for any purpose other than what is in contract, vendor must train individuals in charge of student records, and notification procedures to parents in event of unauthorized disclosure. N Y N Y N N
2014 California SB 1177 Prohibits K-12 website/application vendors from using, sharing, disclosing, or compiling student information for any purpose other than educational purpose and improving their service; they can’t sell the information and must delete the information if the school or district requests. They have to protect the information in a reasonable manner. They can disclose info for legit research purposes as required by state/fed law. They may share aggregated deidentified student info to improve their service. N Y N Y N N
2015 California SB 178 Under CalECPA, no California government entity – including schools – can search phones or devices and no police officer can search online accounts without going to a judge, getting our consent, or showing it is an emergency. N Y Y N N Y
2016 California AB2097 Relating to Pupil Records: The superintendent is required to assign a student identification number to individuals with exceptional needs for purposes of evaluating special education programs and related services. This bill prohibits school districts from collecting or soliciting social security numbers of the last 4 digits of social security numbers from pupils or their parents or guardians unless otherwise required to do so by state or federal law. This also authorizes the State Dept. of Education to additionally prohibit the collection and solicitation of other PII. N Y N N Y Y
2016 California AB 2799 Privacy: personal information – preschool and prekindergarten purposes. This bill would extend SOPIPA’s protections that restricts the use of information about elementary/secondary school students by operators of websites, online services, and applications to preschool and prekindergarten purposes Y N N Y N N
2016 California AB2828 Personal information: privacy – this bill would would require a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to the person whose information was breached. N N N Y N N
2016 California ACR 120 Recognizes that the Legislature supports the development of safe and secure data shairng between public education, social service, and research entities through the Silicon Valley Regional Data Trust as it pertains specifically to at-risk, foster, homeless, and justice-involved children and youth and their families. Requires the SVRDT to strictly adhere to existing state and federal law requiring the protection of personal information and data pertaining to students and at-risk youth and follow data security industry best practices in the interest of protecting California’s most vulnerable youth while allowing appropriate data access and sharing. N N N Y N Y
2014 Colorado HB 1294 Requires State Board to: create student data system, create and make publically available FERPA-compliant policies/procedures, develop data security plan, data retention and disposition policies (including data destruction), ensure validity and other requirements are met before disclosing student data for department-led research and requests from outside the state, and ensure vendor contracts include provisions that safeguard privacy and security. Prohibits collection of health records and biometric information and limits transfer of student data. N Y N N Y Y
2016 Colorado HB1423 Student Data Transparency and Security Act: This bill adds to the existing laws re: student data security by adopting additional duties that the SBE, Dept, and school districts/boards of cooperative services/charter schools must comply with to increase transparency and security of the student PII. This requires the SBE to create and make publicly available a data inventory and dictionary that includes individual student PII – the SBE must then develop a security plan with all the basic requirements (compliance standards, audits, breach procedures) and guidance for authorizing access to the student data system. Y Y N N Y Y
2017 Colorado SB 144 This bill implements the recommendation of the department of regulatory agencies to continue the education data advisory committee. N Y N N N N
2015 Connecticut SB 949 Would require every agreement for a state agency to share confidential information with a contractor to require that the contractor to implement data security protections and limit access to those who need it. Agreements must prohibit contractors from copying, reproducing or transmiting data except as necessary for the completion of the contracted services. Would institute breach notification requirments and civil penalties. Would require the Secretary of the Office of Policy and Management to “develop a program to access, link, analyze and share data maintained by executive agencies and to respond to queries from any state agency, and from any private entity or person that would otherwise require access to data maintained by two or more executive agencies” and to implement data security practices. (higher ed. only implicated in last part re Office of Policy Mgmt.) N Y Y Y Y Y
2016 Connecticut HB5469 Would include contract requirements for service providers; Would require breach notification procedures; Would prohibit an online operator from selling student PII or using it for targeted advertising or to amass student profiles except for K-12 school purposes; Would allow the use of data for personalized learning and service provision, maintenance, or improvement; establishes a task force to study issues relating to student data privacy. Y Y N Y Y Y
2017 Connecticut HB7207 An Act making revisions to the Student Data Privacy Act of 2016: This bill requires local or regional boards of education to enter into written contracts with a contractor any time such local or regional board of education shares or provides access to student information, student records, or student generated content with such contractor. N Y N Y N Y
2018 Connecticut HB5170 This statute prohibits school employees from taking custody of a student’s mobile electronic device for purposes of accessing any data or other content stored upon or accessible from such device, or compel a student to produce, display, share, or provide access to any data or other content stored upon or accessible from such device, with some exceptions. N Y N N N Y
2018 Connecticut HB5444 An Act Concerning Revisions to the Student Data Privacy Act: This bill would create a uniform student data privacy terms-of-service agreement addendum for use in contracts, would require a one-time annual notice relating to contracts entered into by the board of education, would require the Department to provide written guidance on the laws relating to student data privacy, and would authorize the retention of student records required by state and federal law and for purposes of disaster recovery systems. N Y N N Y Y
2015 Delaware SB 79 Requires service providers to: implement security procedures, delete data in reasonable time; prohibits service providers from engagin in targeted advertising, building student profiles, selling student data, disclosing data (unless for listed exceptions); establishes Student Data Privacy Task Force to make recommendations about privacy/student data. N Y N Y N N
2016 Delaware SB 208 This bill amends the Student Data Privacy Protection Act that was created last year – it corrects a typographical error and corrects the enactment date (The recipient of the student data disclosed for K-12 school purposes of the internet/mobile application/etc. shall not further disclose the student data unless done to allow or improve the operability and functionality within that student’s classroom or school). N Y N Y N N
2014 Florida SB 188 Requires State Board to annually notify parents and students of their FERPA rights. Prohibits collection or retention of information such as political and religious affiliation, voting history, or biometric information of student, sibling, or parent. Prohibits use of a student’s SSN as their identification number. N Y N N Y Y
2017 Florida HB501 An Act relating to public records and public meetings – this bill creates an exemption from public records requirements for certain records held by a state university or Florida College System institutions which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents and this bill authorizes disclosure of confidential and exempt information to certain agencies and officers. N N Y N N N
2015 Georgia SB 89 Would implement numerous governance and transparency measures and would prohibit service providers from using data for commercial purposes. N Y N N Y N
2016 Hawaii SB2607 Limits the ways in which the operator of a website, online service, online application, or mobile application working with the DOE can use student data. (SOPIPA); they have to have security procedures in place, delete information in reasonable time; permits operator to disclose information for legitimate research purposes. N Y N Y N N
2014 Idaho SB 1372 Requires State Board to: create student data system, create and make publically available FERPA-compliant policies/procedures, develop data security plan, data retention and disposition policies (including data destruction and penalties for noncompliance), ensure validity and other requirements are met before disclosing student data for research, ensure vendor contracts include provisions that safeguard privacy and security, and notify governor/legislature of changes in data system. Prohibits collection of health records and biometric information and limits transfer of student data. Limits transfer of student data. N Y N N Y Y
2015 Idaho HCR 3 Would authorize the Legislative Council to appoint a committee to study the state’s SLDS to determine which data points are necessary for tracking student academic progress; which data points must be collected and reported at the aggregate level; which data points should be personally identifiable and why; the extent to which federal funding is contingent upon the collection and reporting of student data to the federal government and the cost to the state of declining such funding; and recommendations on simplifying and minimizing the collection of student data without compromising essential evaluation of educational efficacy, protecting student privacy by limiting the collection of PII, and the cost/benefit of declining federal funds. N Y Y (but only study of) N N N
2017 Illinois SB887 This bill allows the Board of Higher Education to collect a fee to cover the cost of processing and handling individual student-level data requests pursuant to an approved data sharing agreement. This fee does not apply to entities complying with State or federal-mandated reporting. This bill also would prohibit the Board from providing personally identifiable information on individual students except in the case where an approved data sharing agreement is signed that includes specific requirements for safeguarding the privacy and security of any personally identifiable information in compliance with FERPA. N N Y N N N
2017 Illinois SB1796 Student Online Personal Protection Act: this Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. This law amends the Illinois School Student Records Act and makes a technical change in a Section concerning the short title. N Y N Y N N
2014 Indiana HB 1003 Among non-student data privacy related information, this bill changes the state’s longitudinal data system (IDS) to the ‘network of knowledge’ to collect information from educational institutions at all levels. Data should include information about student progress and outcomes. Prohibits collection and storage of discipline, juvenile, criminal, and medical records. Requires the network to comply with FERPA and create a data security plan that must include breach, retention, and disposition procedures. Requires the network to have research approval procedures and report to governor and legislative council about data collection changes and overview of yearly studies. N Y N N Y Y
2018 Iowa HF2354 An Act relating to student personal information protection: This bill creates a general student privacy law – which would prohibit operators from knowingly engaging in targeted advertising, using information to amass a profile about a student, sell student’s information, or disclose covered information, with several exceptions. N Y N N N N
2014 Kansas SB 367 Allows for disclosure of student data to authorized personnel from educational agency, student/parent, and state board of regents. Lists requirements for a data-sharing agreement. Only allows aggregate data to be disclosed for research. Prohibits school districts from collecting biometric data and conducting survey on life-styles (sex history, religion, etc.) unless consent given in writting. Requires educational agency to create privacy policy and notify parents and student if there is a breach. Requires board to submit yearly report to governor and legislature on changes in data collection and summary of audits. N Y N N Y Y
2016 Kansas HB2008 (S sub) Creating the Student Online Personal Protection Act: An operator is prohibited from engaging in targeted advertising on the operator’s educational online product if the target of the advertising is based on any information, including student information and persistent unique identifiers. Operators are prohibited from using information to create student profiles as well as prohibited from selling or renting student information to a third party. N Y N Y N N
2014 Kentucky HB 232 Mandates businesses that handle personally identifiable information to notify owners of that PII “in the most expedient time possible and without unreasonable delay” of any security breach. Limits a cloud computing service’s use of student data to maintaining company’s “integrity” and prohibits use of student data for advertising or commercial purposes. Cloud is allowed to help schools conduct research within boundaries of FERPA. N Y N Y N N
2014 Kentucky HB 5 Governs contractual relationship between government offices/agencies and companies that contract with them and in turn receive PI from the office/agency. Mandates the companies to have security procedures and practices and take corrective measures against any breaches. Companies must notify the office/agency they contract with, as well as other government officials and the individuals affected by a security breach. They must also conduct an investigation and provide a report of their findings. Includes notification, investigative, and follow-up report procedures agency must follow in case of security breach. Adds to the responsibility of the Office of Technology the development of a privacy and information confidentiality structure and training programs for state agency staff responsible for PI. N Y Y (explicitly includes HE) Y Y Y
2014 Louisiana HB 340 Prohibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose. Y Y Y N Y Y
2014 Louisiana HB 946 (became HB 1076) Prohibits school system employees from collecting lifestyle information (political belief, sexual behavior, etc.) from students without parental consent. Lists exceptions to sharing PII. Requires Department to develop system of student ID numbers. Limits who can access computers that store student data to authorized individuals. Restricts use of predictive modeling that may limit student’s learning. Allows for transfer of student data to contracted vendors but also lists contract requirements: inclusion of privacy compliance standards, audits conducted under direction of local school superintendent, breach and notice procedure, and storage/deletion policy; places $10,000 fine on violation of the contract requirements. Prohibts school system or private entity from selling student data for use in advertising unless its permitted per a contract. Establishes requirements for consent forms to be given to parents to allow collection of PII. Requires postsecondary institutions to delete all data collected 5 years after student graduates. N Y N Y Y Y
2014 Louisiana HB 1283 Requires Dept. of Ed. to include information about the transfer of PII on its website regarding: who receives the PII, copy of agreement between department and recipient of PII, what data is actually transferred, statement of intended use of PII, contact person for questions, and how parents can register complaint for unauthorized transfer. N Y N N Y Y
2015 Louisiana HB 718 Would expand the parties districts can contract with for data services. Would leave the majority of the 2014 law’s provisions in place, but would allow access in accordance with local school board policy and would prohibit any contractor from using student data for predictive modeling to limit a student’s opportunities. N Y Y Y Y Y
2016 Louisiana SB270 Relative to Student Data Privacy: The Department of Education is required to provide each city, parish, or other local public school system with information, that could include personally identifiable student information, as the school system deems necessary to verify the enrollment and residency status of each student who resides within the geographic boundaries of the school system but who is enrolled in a public school outside of the jurisdiction of the local public school system. The school system must keep information strictly confidential and shall use the information for no other purpose than verifying student enrollment and residency. N Y N N N Y
2018 Louisiana HB716 This statute allows an official or employee of the state Department of Education to share student information with certain postsecondary education institutions conducting academic research provided the person and the department have entered into a memorandum of understanding. N N Y N Y N
2018 Louisiana SB378 This statute amends existing law to authorize a public school to disclose to the Louisiana Board of Regents, to be used solely for the purpose of providing feedback reports to each public school governing authority on the postsecondary remediation needs, retention rates, and graduation rates of graduates from each high school under its jurisdiction, and to evaluate comparative postsecondary performance outcomes based on certain student characteristics in order to develop policies or make recommendations for legislation to the legislature. N Y Y N Y Y
2014 Maine LD 1194 Instructs the Joint Standing Committee to research concerns associated with access and privacy of social media accounts, personal email accounts, and cloud services that hold personal information (employees) and student data. Instructs Committee to draft recommendation for legislation that limits access to these accounts and provides for remedies to violations. N Y Y N Y Y
2015 Maine HP 53 Would direct the Commissioner of Education to develop FERPA-aligned rules governing student data not already governed under law and determine penalties for violations of such rules. Y Y N N Y Y
2015 Maine HP 872 Would provide for the confidentiality of assessment data and allow the dissemination of PII with consent only. Would withdraw from Smarter Balanced (or any Common Core-aligned assessment) and require the state DOE to “adopt a method of education assessment” that does not collect or disseminate personal data or attributes of students. N Y N N Y Y
2015 Maine SP 183 Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way “inconsistent” with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students (except for advertising based on the current visit), creating a student profile except for K-12 school purposes, or retain information except as authorized or with consent. N Y N Y N N
2017 Maine LD678 This bill specifies if a public or private school requests a student’s social security number, the public school or private school shall inform the parent or guardian of the student for what purpose the social security number will be used and provide the parent, guardian, or student the opportunity to opt out of providing the social security number. Also provides for the deletion of the social security number upon departure. N Y N N N N
2017 Maine LD1616 This Act corrects errors and inconsistencies in Maine laws – this bill allows operators to disclose student data: if another provision of federal or state law requires the operator to disclose the student data and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information; for legitimate research purposes; and to a state agency, school administrative unit, or school for kindergarten to grade 12 purposes, as permitted by state or federal law. N Y N Y N N
2015 Maryland HB 298 Would prohibit an operator in contract or agreement with a public school or district Prek-12 use from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information. Y Y N Y N N
2017 Maryland SB 1165 An Act concerning Maryland Longitudinal Data System: The Maryland Longitudinal Data System is a statewide data system that contains individual-level student data and workforce data from all levels of education and the State’s workforce and allows the center to organize, manage, disaggregate, and analyze individual student data. Through this bill, the linkage of student data and workforce data for the purposes of the Longitudinal Data System shall be limited to no longer than 20 years from the date of latest attendance in any educational institution in the State. Y Y Y Y Y N
2018 Maryland HB568 This bill requires the State Department of Education, in consultation with the Department of Information Technology and county boards of education, to develop and update certain best practices for county boards to manage and maintain data privacy and security practices in the processing of student data and personally identifiable information across the county board’s information technology and records management systems. N Y N N Y Y
2016 Michigan S510 An operator shall not knowingly engage in targeted advertising on the operator’s site, service, or application if any of the information provided includes covered information and persistent unique identifiers. Further an operator may not use the information to amass a profile about a student except in furtherance of K-12 school purposes. Finally, an operator may not sell or rent a student’s information, including covered information. There are certain exceptions under this bill where information may be disclosed (including in furtherance of the K-12 school purpose of the site, etc). An operator is required to implement and maintain reasonable security procedures and practices and delete a student’s covered information if the K-12 school or school district requests deletion. N Y N Y N N
2016 Michigan S33 Initial bill language replaced with Substitute S-2. Would prohibit the Department from selling or providing any pupil education record information to a for-profit business entity with the exception of an educational management organization. The Department could not disclose any information concerning a pupil that is collected or created except in accordance with a policy adopted and made publicly available by the State Board that clearly stated the criteria for disclosure. The Department would have to ensure that any contract with a vendor that allowed access to education records expressly required the vendor to protect the privacy of education records and provided express penalties for noncompliance. If the Department provided any collected or created information to a person other than the pupil’s school district, intermediate school district, PSA or its authorizing body or the pupil’s parent or legal guardian, the Department would have to disclose to the parent or guardian within 30 days the specific info disclosed, the name and contact information of each person to which the information was disclosed, and the reason for disclosure. N Y N N Y N
2017 Michigan HB 4313 This bill amends the School Aid Act of 1979 – This statute allows for competitive assistance grants to be distributed to districts and intermediate districts. Under the bill’s amendments, in order to receive funding, a regional data HUB must have a governance model that ensures local control of data, data security, and student privacy issues. The integration of data within each of the regional data HUBS shall provide for the actionable use of data by districts and intermediate districts through common reports and dashboards for efficiently providing information to meet state and federal reporting purposes. N Y N N Y Y
2014 Missouri HB 1490 Mandates state board to create rules on data accessibility, transparency, and accountability and a LDS; policies to comply with FERPA; policies to approve research and data requests; develop data security plan; privacy and security audits; breach planning and notification procedures; data retention and disposition policies; data security policiies (encryption and employee training); requirements for vendor contracts (vendor can’t sell or use student data in advertising). Prohibits collection of individual student data (criminal record, mental/healt, biometric, etc.). N Y N Y Y Y
2013 Nebraska LB 262 Allows student, parents, teachers, and admin. access to the student’s files and records. Parents must provide consent for anyone else to have access to the files/records. Discipline information must be destroyed after three years of a student’s absence from the school. Permits sharing of imformation between school districts and the State Board of Ed. N Y N N Y Y
2017 Nebraska LB 512 This bill creates the Student Online Personal Protection Act – this is a general privacy statute that would prohibit operators from knowingly engaging in targeted advertising, or amassing profiles about students, and it prohibits selling or renting a student’s covered information. N Y N Y N N
2015 Nevada SB 463 Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent. Would require annual PD on services and their data security. Y Y N Y Y Y
2015 Nevada AB 221 Would require the state and districts to create public data inventories and would require certain provisions in contracts with service providers. Would require state and district reporting on changes to data collection or management. Would instruct the state to develop a security policy and charge districts with complying. Would instruct the state to create rules around teacher use of online services. N Y N Y Y Y
2017 Nevada AB 7 This bill amends existing statute to provide that a “school service” is an internet website, online service, or mobile application that: collects or maintains personally identifiable information concerning a pupil, is used primarily for educational purposes, and is designed and marketed for use in public schools and is used at the direction of teachers and other educational personnel. It does not include anything designed or marketed for use by a general audience, an internal database, system, or program maintained or operated by a school district, charter school, or university school for profoundly gifted pupils, or a school service for which a school service provider has been designated as a school official under FERPA. N Y N Y N N
2014 New Hampshire HB 312 Restricts collection of biometric data by state agencies, municipalities, and political subdivisions and provides for private cause of action for misuse or unlawful collection of biometric data. N N N N Y Y
2014 New Hampshire HB 1587 Restricts the collection of certain type of data on students and their families to be stored on SLDS. Schools can release student name or identifier to testing agency only to identify the test taker but cannot give student PI to testing entity to perform a test analysis. Testing entity must destroy data as soon as test taker is identified. Y Y N Y Y Y
2015 New Hampshire HB 206 Would require school districts to adopt a policy governing the administration of non-academic surveys or questionnaires to students (surveys that elicit information about a student’s social behavior, family life, religion, politics, sexual orientation, sexual activity, drug use, and other information not related to student’s academics). The policy would allow parents to opt out of participation in any survey on “sensitive” or nonacademic data. Y Y N N Y Y
2015 New Hampshire HB 322 Would require the state DOE to create data security and breach notification policies. Plan must include audits, notification of breach procedures, and data retention and deletion polilcies. Would require the DOE to produce a public annual data security breach report. Data referred to herein covers both student and teacher data. DOE must ensure students and parents are aware of their rights regarding amending and disclosure of student data and right to file FERPA complaint. N Y N N Y Y
2015 New Hampshire HB 507 Would prohibit a school or district form disclosing student or teacher PII to any testing entity performing test-data analysis. Except as permited in state code, would prohibit the disclosure of student or teacher PII in the SLDS or any department data system to any entity other than the student or teacher’s school district. Would prohibit the recording of a classroom without consent or school board approval. N Y N N Y Y
2015 New Hampshire HB 520 Would prohibit an operator from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information. N Y N Y N N
2016 New Hampshire HB1372 Prohibits recording a classroom for the purpose of teacher evaluation without school board approval after a public hearing and without written consent of teacher and parents of each student. Does not prohibit recording a classroom for a student with a disability whose IEP includes such recordings, for use of student instructional purposes, or for instruction of teacher interns. N Y N N N N
2016 New Hampshire HB1497 An Act Relative to the Limits on the Disclosure of Information Used on College Entrance Exams: this bill requires school districts to destroy personal information of students following the completion and verification of certain tests. This bill also gives students taking college entrance exams the option to have all their personal information destroyed by the testing entity following the completion and verification of the test. This bill specifices that schools may disclose students’ names, unique pupil identifiers, but not both, and birth date for the sole purpose of identifying the test taker. there is an exception when this is collected in conjunction with the SAT or ACT. This information then shall be destroyed as soon as verification of test takers is complete. Students taking the ACT or SAT, when that test is used for the state assessment, may opt to have all personal information destroyed by the testing agency. N Y N Y N Y
2016 New Hampshire HB 301 (2015) Would establish a committee to study the state’s SLDS and any other database that contains student-level data; committee shall assemble a dictionary of data elements collected; committee shall review the technical specifications given to contracts who designed and built each database; committee shall study the scope, use, and security of district databases and privacy policies N Y N N Y N
2017 New Hampshire SB43 An Act relative to non-academic surveys administered by a public school to its students: School districts are required to adopt a policy governing the administration of non-academic surveys or questionnaires to students – this policy must provide that no student is to be required to volunteer for or submit to a non-academic survey or questionnaire without written consent of a parent or legal guardian, unless the student is an adult or emancipated minor. Also eliminated an opt-out provision. N Y N N N Y
2018 New Hampshire HB1551 This bill adds a new section to existing statute specifying that upon a student’s graduation from high school, his or her parents may request the LEA in writing to have the student’s records and final individualized education program destroyed at that time or request that the records be retained until the student’s 26th birthday. Absent any request by the student’s parents at the time of graduation, the LEA shall destroy a student’s records and final individualized education program within a reasonable time after the student’s 26th birthday, provided all records be destroyed by a student’s 30th birthday. N Y N N N Y
2018 New Hampshire SB1612 This bill amends an existing privacy statute: This bill would now require each LEA to create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data fields; develop a data security plan; make publicly available students’ and parents’ rights under FERPA; requires school districts that use digital badges to obtain the written consent of a parent or legal guardian; modifies certain requirements for contracting with operators of Internet websites. N Y N Y N Y
2014 New York SB 6356 (same as AB 8556) Education agency can decide not to provide a service provider PII for the purposes of creating a data system or have that information deleted upon request to the Dept.; Dept. and Educ. Commissioner cannot provide any PII to a service provider. Mandates appointment of a Chief Privacy Officer whose duties include: assisting in data breaches, implementing privacy practices, designing data request procedure, reviewing Dept. proposals on student or teacher data. Mandates publication of a Parents Bill of Rights for Data Privacy and that it is included in all contracts with service providers (lists requirements of the Bill of Rights). Mandates provisions for contracts with service providers. Y Y N Y Y Y
2014 North Carolina SB 815 Requires state board to create data system and data security plan with all the basic guidelines; privacy policies that comply with FERPA; prohibits transfer of data unless authorized by law; contracts with vendors have to include specific provisions; board must report to governor/leg. annually regarding change in data collection; prohibits collection of biometric and lifestyle information from students. Requires boards to notify parents annually about student records, opt-out opportunities for disclosure of information, and their rights under state and federal law. N Y N Y Y Y
2016 North Carolina HB1030 2016 Appropriations Act: A private college or university that discloses personally identifiable information in student data or records according to the terms of a written agreement with a State agency, local school administrative unit, community college, constituent institution of the University of NC, or the NC Independent Colleges and Universities, in compliance with FERPA, shall not be liable for a breach of confidentiality, disclosure, use, retention, or destruction of the student data or records, if the breach, disclosure, use, retention, or destruction results from actions or omissions of either: (1) the NC Independent Colleges and Universities, the State agency, local school administrative unit, community college, or constituent institution of the University of NC to which the data was provided, or (2) persons provided access to the data or records by those entities. Also mandates institutions of higher education to transfer student data according the Govt. Data Analytics Center. Mandates a study to be conducted by the Dept. of Public Instruction regarding cybersecurity in public schools and allows them to request security policies from schools. Y Y Y N Y Y
2016 North Carolina HB632 (2015) Prohibits Internet/application service providers to K-12 schools from engaging in targeted advertising baesd on covered information, using information to amass a profile aside from furthering K-12 purposes, selling student information, disclosing covered information (except for listed exceptions). Requires service provider to implement security procedures and delete covered information upon request school or local board of education. Provides cause of action for violation of the terms. N Y N N N N
2015 North Dakota SB 2326 Would require the development of terms of access to data in the SLDS, the implementation of privacy and security measures including audits, breach notification procedures, staff training for those with access to the SLDS. Would require state and dsitrct data inventories, why data are collected, and who can access them. House version: would prohibit most data sharing without consent of the board. Would require audits and data governance through a SLDS committee. N Y N N Y Y
2017 North Dakota SB 2295 A bill relating to the exemption of state university and college title IX records from public disclosure: This bill exempts university research records and student personally identifiable information from public disclosure. This however, does not apply to a student record or other information disclosed by an institution under the control of the state board of higher education to the statewide longitudinal data system. Further, any record relating to a complaint or investigation under title IX of teh Education Amendments of 1972 at an institution under the control of the state board of higher education is an exempt record. N N Y N N N
2014 Ohio HB 487 Mandates state board to adopt data system- among basic requirements, annually reporting data to public, safeguards for confidentiality; iterates numerous specific information that must be in the data sytem (costs, graduation rates, extracurricular information, information about staff) and assignment of student ID number. Allows dept. to sanction or takeaway funds from districts that do not adequately report information or conform to data requirements and supervise the data system thereafter. N Y N N Y Y
2016 Ohio SB321 To protect a private, non-profit institution of higher education from liability for a breach of confidentiality or other claim that arises from the institution’s disclosure of public records: No nonprofit institution that holds a certificate of authorization issued shall be liable for breach of confidentiality arising from the institutions submission of student data or records to the chancellor of higher education or any other state agency in compliance with any law, rule, or regulation, provided that the breach occurs as a result of: (1) An action by a third party during and after the transmission of the data or records by the institution but prior to receipt of the data or records by the chancellor of higher education or other state agency; (2) An action by the chancellor of higher education or the state agency. No nonprofit institution that holds a certificate of authorization shall be liable for breach of confidentiality or any other claim that arises from the institution’s disclosure of the public records pursuant to a request for public records, except for claims based on the institution’s failure to disclose public records. This provision applies to the submission of any student data or records that are subject to any laws of this state, or any federal law, including FERPA. N N Y N N N
2013 Oklahoma HB 1989 Mandates the State Board to create and make publically available an inventory of student data and for what purposes data is collected. Limits reasons for the State to transfer student data. Mandates State Board to create data security plan which includes privacy and security audits, breach procedures, and data retention and disposition policies. Governs privacy provisions in vendor contracts. Annually update the Governor and Legislature on a variety of updates, changes, and security audits in regards to new student data in the system. N Y N N Y Y
2016 Oklahoma HB2784 Student Records: The Board of Education of each school district is required to compile and maintain temporary and permanent records of students enrolled and must regulate access, disclosure, or communication of information contained in the student records in a manner consistent with state and federal law N Y N N N Y
2015 Oregon HB 2655 Would require the state board to develop rules around when education records can be transferred by a school. Would allow parents “the right to limit the collection, storage, use and transmittal of academic information and personally identifiable data.” Would allow parents to opt-out of statewide summative assessments. Would require information on summative assessments administered, their purpose, information for the student on the assessment and its use, and who has access to the data. N Y N N Y Y
2015 Oregon SB 187 Would prohibit an online service operator from using student data for commercial or secondary purposes while allowing for recommendation engines, personalized learning, and service improvement. N Y N Y N N
2014 Rhode Island HB 7124 Prohibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose. Prohibits the educational institution from requesting student log into an account in presence of school administration or staff and from adding school administration or staff as a contract on the account as a condition of participating in an extracurricular activity. Y Y Y N N N
2014 South Carolina HB 3893 Dept. of Ed. cannot collect student data from students or families unless it is to comply with IDEA. The Dept. has to have a data management system to which only authorized individuals can access. Dept. must also have data request procedures N Y N N Y Y
2014 South Dakota SB 63 Mandates Dept. of Ed. to create uniform system to gather and report educational data for the purposes of evaluating educational progress. Dept. must write annual report on progress and submit it to legislature, school districts, and public. Schools can’t collect lifestyle information unless adult student or parent provides consent. Prohibits Dept. to report PII to US Dept. of Ed. but can provide aggregated information. N Y N N Y Y
2014 Tennessee SB 1835 (HB1549) Data collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes. N Y N N Y Y
2016 Tennessee HB1931 (HA0885) Same as SB 1900; Would prohibit the the principal/designee from identifying the victim of harassment, intimidation, bullying, or cyber-bullying from being identified in a public report. This Amendment would erase all language of the original bill (HB1931) and insert the following: An operator shall not knowingly engage in targeted advertising on the operator’s site, service, or application if the information was acquired because of the use of that operator’s site, service, or application for K-12 school purposes, with some exceptions. N Y N Y N Y
2018 Tennessee HB 2690 This bill creates additional privacy protections for students’ education and health records and prohibits release of student records, including participation in a personal analysis, an evaluation, or a survey not directly related to academic instruction, in certain circumstances without parents’ informed written consent. This bill will amend existing statute to specifically require LEAs and schools to take all measures to protect personally identifiable information. Note: This bill amends several sections of current Tennessee statutes N Y N N N Y
2015 Texas HB 4046 Defines student record to include information an applicant sends for admission or transfer to a school. Would allow information to be redacted without requesting a decision from the AG. Would allow schools to release data upon request of a student or parent for admission processes. Y Y Y N N N
2017 Texas HB 2087 This bill relates to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose. N Y N Y N N
2015 Utah HB 68 Would require the State Board to make recommendations to the Legislature on updating student privacy laws in statute and in board rule (with input from educators, parents, other stakeholders). Recommendations would address data security, communicating to parants how data are used, processes for data disclosure to other education agencies, other states, and third parties (including contact requirements and prohibitions against using data for non-education services and commercial purposes), Would require the State Board to designate a chief privacy officer. N Y N N Y N
2015 Utah HB 163 Would require an education entity to notify the parent if there is a release of the student’s PII due to a security breach. N Y N N Y Y
2015 Utah SB 204 Would allow a parent to opt-out of any federally or state mandated assessment or an assessment that requires use of a state assessment system or software that is provided or paid for by the state. Would require the State Board to publish a list of state assessments, state assessment systems, and software that qualify under the bill. N Y N N Y Y
2016 Utah HB358 Establishes that “a student own’s the student’s PII”; Would require the state board to establish a student data policy advisory group to discuss and make recommendations regarding enacted or proposed legislation and state and local student data protection policies in the state; Would require state board to establish a student data governance advisory group that performs duties rleated to state and local data protection; Would require the state board to establish a student data users advisory group composed of memberes who use student data at the local level and provides feedback and suggestsion on the practicality of actions proposed by the student data policy advisory gorup and the student data governance advisory gruop; Would prohibit collection of SSN by an edu entity; Defines ‘permanent record’; Would require the board to make rules regarding using and expunging student data; Prohibits educational entity from sharing student PII except as provided in FERPA and this bill N Y N Y Y Y
2017 Utah SB102 This bill provides that local school boards or charter schools governing boards must require public schools to make lists of individuals who are authorized to access education records. Further, local school and charter governing boards must provide training on student privacy laws and require individuals who are authorized to access education records to complete training on student privacy laws. Finally, this bill would prohibit local school boards and charter school governing boards, public schools, or school employees from sharing an education record with a school employee who is not authorized. N Y N N N Y
2017 Utah SB 163 This bill modifies provisions of the Student Data Protection Act. This amendment would delete the requirement that any education entity that collects student data shall prepare and distribute to parents and students a student data disclosure statement that states that parents and students are responsible for the collection, use, or sharing of student data. N Y N N Y Y
2018 Utah SB207 This bill amends provisions related to student data protection. This bill would establish who may access a student’s student data. Further, the board is required to make rules to define a significant data breach. This bill also amends existing statute regarding collection notice statements. Finally, this bill would prohibit education entities, including student data manager, from sharing personally identifiable student data without written consent. N Y N N N Y
2014 Virginia SB 242 A private or public institution of higher education can request from students who are committed to attend or currently attend their complete student record, including mental health record. No public institution of higher education shall sell students’ personal information to any person. N N Y N N N
2015 Virginia HB 1334 Would require the state DOE to develop and make publicly available policies to ensure state and local compliance with FERPA and state privacy laws (including policies around access to PII and review of requests from public and private entities) and require parental notification in instances of possible disclosures of electronic records in violation of FERPA or other federal or state law and remedial measures being taken. N Y N N Y N
2015 Virginia HB 1612 Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way “inconsistent” with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent. N Y N Y N N
2015 Virginia HB 1698 Would require parental notice before the administration of any survey on “sensitive” topics, an explanation of privacy measures, and the right to exempt their child from participating. N Y N N N Y
2015 Virginia HB 2350 Would direct the state DOE and the Virginia Information Technologies Agency to develop a model data security plan for districts to implement policies and procedures related to the protection of student data and data systems. Would require the DOE to designate a chief data security officer to assist local school divisions with the development or implementation of policies around data security and data use. N Y N N Y Y
2016 Virginia SB 438 This bill prohibits a public or private institution of higher education from requiring a student to disclose the username or password to any of such student’s personal social media accounts. It also prohibits a public institution of higher education from selling student PII. N N Y N N N
2016 Virginia HB519 Would require school-affiliated entities (e.g. alumni associations, PTAs, scholarship organizations) to provide information on the student PII they collect and maintain and implement privacy and security policies. Would prohibit these entities from selling student PII or collecting, using, or disclosing it without consent. N Y N Y N Y
2016 Virginia HB 524 Amends existing law. Stipulates that teacher data may only be disclosed by SEA (for specific purposes, such as pursuant to a court order) when it does not “personally identify” any other teacher or student. N Y N N Y N
2016 Virginia HB 749 School Service Providers: Makes several changes to the provisions relating to the protection of student personal information by school service providers, including (i) providing that student personal information does not include information that is publicly available; (ii) defining “targeted advertising” as advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student’s online behavior, use of applications, or sharing of student personal information and prohibiting school service providers from knowingly using or sharing any student personal information for the purpose of targeted advertising for students in operating a school service pursuant to a contract with a local school division; and (iii) clarifying that other provisions of law do not prohibit school service providers from performing certain acts, including disclosing student personal information to ensure legal or regulatory compliance, protect against liability, protect the security or integrity of its school service, respond to or participate in judicial process, or protect the safety of school service users or other individuals. N Y N Y N N
2016 Virginia HB 750 Student personal information: Excludes any website, mobile application, or online service that is used for the purposes of college and career readiness assessment from the definition of “school service,” thus relieving providers of such websites, mobile applications, and online services from the obligation to provide various protections for student personal information collected through such websites, mobile applications, and online services. Each school service provider under this bill is required to provide clear information about the types of student personal information it collects through any school service and how it uses and shares such student personal information. N Y N Y N N
2017 Virginia SB951 School Service Provider: student access to collected personal information: This bill requires school service providers to provide each student’s parent with access to a downloadable electronic copy of any student personal information pertaining to such student that has been collected, maintained, used, or shared by the school service provider. Contracts between local school boards and school service providers may require that such copy be in a machine-readable format. N Y N Y N N
2018 Virginia HB1 Clarifies that the definition of “scholastic records” in the Virginia Freedom of Information Act includes directory information, but also provides that such directory information may be released to the public only if the student who is the subject of such information, or the student’s parent or legal guardian if the student is less than 18 years of age, has expressly consented, in writing, to the release of such information. N Y Y N N N
2015 Washington SB 5419 (HB 1495) Would require service providers to provide clear privacy policies and notice of any policy changes. Would require service providers to have a security plan. Would prohibit service providers from selling student information or from using it for targeted advertising, creating a profile, or any purpose not agreed to without consent.[Senate version of HB 1495] N Y N Y N N
2016 Washington, DC B21-0578 Bill 21-0578, the “Protecting Students Digital Privacy Act of 2016,” requires that any contract or agreement between a local education agency and a student information system provider shall expressly authorize and require the provider to establish, implement, and maintain appropriate security measures to protect student data; prohibits an educational institution or 1-to-1 device provider that provides a technological device to a student for overnight or home use from accessing or tracking the device except in limited circumstances; prohibits an educational institution from requiring or coercing a student or prospective student to disclose the user name and password to a personal social media account; and prohibits school employees from accessing or compelling a student to produce data stored upon, or accessible from a student’s personal technological device except in limited circumstances. Y Y N Y Y Y
2014 West Virginia HB 4316 Mandates the Dept. of Ed. to create data system, create and make publically available policies that comply with FERPA, restrict access to the data system to authorized staff, notify parents of inter-agency sharing agreements and give parents opportunity to opt-out of sharing their student’s data, develop data request procedures, develop data security plan with the basic requirements (compliance, audits, breach procedures, data retention/disposition, employee training), ensure vendor contracts have express provisions that safeguard privacy and security and penalties for noncompliance, notify governor/legislature of updates to data collection and audits. Prohibits collection of lifestyle information and reporting to state any biometric information. Mandates appointment of data governance manager and lists responsibilities. Development of guidance for districts to notify and deal with parental requests to access student data. N Y N N Y Y
2016 West Virginia HB4261 Student Data Accessibility, Transparency, and Accountability Act: A bill relating to student data – this bill prohibits the sale of transfer of student data to vendors and other profit making entities. Provides for certain exceptions including when the department enters a contract that governs student or redacted data with a contractor for the purpose of state level reporting; in the event the ACT or SAT tests are adopted as the state summative assessment, allows the ACT or College Board to use certain information; requiring written consent if information classified as confidential is required. N Y N N Y N
2014 Wyoming SF 79 Mandates Dept. of Enterprise Technology Services and State Superintendent to establish criteria for education data mgmt. system on education accountability and assessment, teacher certificatino, and school finances. Also mandates creation of data security plan with all the basic requirements; policies that comply with FERPA; prohibits sale of student data to private entities. N Y N N Y Y
2017 Wyoming HB0008 This Act would amend requirements of the State Superintendent and department of enterprise technology services regarding the state data security plan. This would ensure privacy of student data collected – this would require certain policies for the collection, access, privacy, security, and use of student data by school districts. N Y N N Y Y
2017 Wyoming HB0009 Student Electronic Writings and Other Electronic Communications – Expectation of Privacy. No ownership rights to any electronic writing or other electronic communication created by a student shall be conveyed, trasnferred, or otherwise affected solely as a result of the writing or other communication being stored on an electronic device paid for in whole or part by the university or transmitted or stored on the university’s network. N N Y N N N

 

Updated 6/21/2018

This chart was developed with the input of the Data Quality Campaign, Foresight Law+Policy, the National Association of State Boards of Education, and the Future of Privacy Forum.