State Student Privacy Laws

Passed 2013-2019
Updated 8/6/2019
Year PassedStateBILL NUMBERHigh Level SummaryEarly Ed (Y/N)K-12 (Y/N)Higher Ed (Y/N)Legislating Vendors (Y/N)Legislating SEAs (Y/N)Legislating LEAs (Y/N)
2013ArizonaSB 1450For school districts that release directory information to educational and occupational/military recruiters, they must provide students with the opportunity to opt-out of that release. Student transcripts can't be released unless the student consents in writing.NYNNYY
2016ArizonaHB2088HB 2088 prohibits public schools from administering specified assessments or surveys to students without notifying and obtaining written informed consent from parents and prescribes penalties for violations.YYNNNY
2017ArizonaSB1314Relating to the Student Accountability Information System: This is a general student privacy bill that would prohibit operators from engaging in targeted advertising, using information to creates profiles about students, sell or rent student's information, or disclose covered information, with several exceptions.NYNNNN
2018ArizonaHB2088This bill amends existing statutes to require that a person who conducts business in the state and that owns, maintains, or licenses unencrypted or underrated computerized data that includes personal information becomes aware of a security incident, the person shall conduct a reasonable investigation to promptly determine whether there has been a security system breach.NNNNNN
2015ArkansasHB 1241Would end the state's contract with PARCC (could be reinstated after 1 year). Would prohibit the state board or the state Dept. of Ed. from providing access of any student PII collected at the state level to the federal Dept. of Ed or any Dept. of Ed program, nor their TA providers, research partners, government assistance organizations, or program monitors without parental consent.NNNNYY
2015ArkansasHB 1961Would prohibit an operator from using certain information to amass public school student profiles for certain purposes, or selling or disclosing covered information. Would allow the use of recommendation engines.NNNYNN
2014CaliforniaAB 1584Mandates inclusion of certain provisions in an LEAs contract with a cloud service, data management, or education software vendor: student records are property and under control of LEA, how vendor will ensure security of student records, prohibits vendor from using student data for any purpose other than what is in contract, vendor must train individuals in charge of student records, and notification procedures to parents in event of unauthorized disclosure.NYNYNN
2014CaliforniaSB 1177Prohibits K-12 website/application vendors from using, sharing, disclosing, or compiling student information for any purpose other than educational purpose and improving their service; they can't sell the information and must delete the information if the school or district requests. They have to protect the information in a reasonable manner. They can disclose info for legit research purposes as required by state/fed law. They may share aggregated de-identified student info to improve their service.NYNYNN
2016CaliforniaAB2097Relating to Pupil Records: The superintendent is required to assign a student identification number to individuals with exceptional needs for purposes of evaluating special education programs and related services. This bill prohibits school districts from collecting or soliciting social security numbers of the last 4 digits of social security numbers from pupils or their parents or guardians unless otherwise required to do so by state or federal law. This also authorizes the State Dept. of Education to additionally prohibit the collection and solicitation of other PII.NYNNYY
2016CaliforniaAB 2799Privacy: personal information - preschool and prekindergarten purposes. This bill would extend SOPIPA's protections that restricts the use of information about elementary/secondary school students by operators of websites, online services, and applications to preschool and prekindergarten purposesYNNYNN
2016CaliforniaAB2828Personal information: privacy - this bill would would require a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to the person whose information was breached.NNNYNN
2018CaliforniaSB 244This amends existing law that provides for the collection of personally identifiable information by educational entities for the purposes of providing specified educational services and benefits. This bill would establish that personal information collected or obtained pursuant to these provisions is confidential, and this information can only be collected, used, and retained to administer the public services or programs for which that information was collected or obtained. The bill prohibits disclosure of personal information to any other person, except as provided.NYYNNY
2014ColoradoHB 1294Requires State Board to: create student data system, create and make publicly available FERPA-compliant policies/procedures, develop data security plan, data retention and disposition policies (including data destruction), ensure validity and other requirements are met before disclosing student data for department-led research and requests from outside the state, and ensure vendor contracts include provisions that safeguard privacy and security. Prohibits collection of health records and biometric information and limits transfer of student data.NYNNYY
2016ColoradoHB1423Student Data Transparency and Security Act: This bill adds to the existing laws re: student data security by adopting additional duties that the SBE, Dept., and school districts/boards of cooperative services/charter schools must comply with to increase transparency and security of the student PII. This requires the SBE to create and make publicly available a data inventory and dictionary that includes individual student PII - the SBE must then develop a security plan with all the basic requirements (compliance standards, audits, breach procedures) and guidance for authorizing access to the student data system.YYNNYY
2016ConnecticutHB5469Would include contract requirements for service providers; Would require breach notification procedures; Would prohibit an online operator from selling student PII or using it for targeted advertising or to amass student profiles except for K-12 school purposes; Would allow the use of data for personalized learning and service provision, maintenance, or improvement; establishes a task force to study issues relating to student data privacy.NYNYYY
2017ConnecticutHB7207An Act making revisions to the Student Data Privacy Act of 2016: This bill requires local or regional boards of education to enter into written contracts with a contractor any time such local or regional board of education shares or provides access to student information, student records, or student generated content with such contractor.NYNYNY
2018ConnecticutHB5170This statute prohibits school employees from taking custody of a student's mobile electronic device for purposes of accessing any data or other content stored upon or accessible from such device, or compel a student to produce, display, share, or provide access to any data or other content stored upon or accessible from such device, with some exceptions.NYNNNY
2018ConnecticutHB5444An Act Concerning Revisions to the Student Data Privacy Act: This bill would create a uniform student data privacy terms-of-service agreement addendum for use in contracts, would require a one-time annual notice relating to contracts entered into by the board of education, would require the Department to provide written guidance on the laws relating to student data privacy, and would authorize the retention of student records required by state and federal law and for purposes of disaster recovery systems.NYNYYY
2019ConnecticutHB6997Prohibits a local or regional board of education from disclosing or otherwise providing a student's parent or guardian who has pending charges of domestic violence against him or her with access to the educational, medical or similar records maintained in such student's cumulative record.YYNNNY
2015DelawareSB 79Requires service providers to: implement security procedures, delete data in reasonable time; prohibits service providers from engaging in targeted advertising, building student profiles, selling student data, disclosing data (unless for listed exceptions); establishes Student Data Privacy Task Force to make recommendations about privacy/student data.NYNYNN
2016DelawareSB 208This bill amends the Student Data Privacy Protection Act that was created last year - it corrects a typographical error and corrects the enactment date (The recipient of the student data disclosed for K-12 school purposes of the internet/mobile application/etc. shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school).NYNYNN
2014FloridaSB 188Requires State Board to annually notify parents and students of their FERPA rights. Prohibits collection or retention of information such as political and religious affiliation, voting history, or biometric information of student, sibling, or parent. Prohibits use of a student's SSN as their identification number.NYNNYY
2017FloridaHB501An Act relating to public records and public meetings - this bill creates an exemption from public records requirements for certain records held by a state university or Florida College System institutions which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents and this bill authorizes disclosure of confidential and exempt information to certain agencies and officers.NNYNNN
2018FloridaHB 731This bill prohibits the state superintendent from storing any PII from students who are home schooled. District school superintendents are prohibited from including social security numbers or any other personal information of students in any school district or school database unless the student chooses to participate in a school district program or service.NYNYYN
2013GeorgiaExecutive OrderProhibits the state from collection, tracking, housing, reporting, or sharing no personally identifiable data on students and/or their families’ religion, political party affiliation, biometric information, psychometric data and/or voting history with the federal government. State cannot collect student data for the purpose of the development of commercial products or services.NYNNYY
2015GeorgiaSB 89Would implement numerous governance and transparency measures and would prohibit service providers from using data for commercial purposes.NYNYYY
2016HawaiiSB2607Limits the ways in which the operator of a website, online service, online application, or mobile application working with the Dept. of Ed can use student data. (SOPIPA); they have to have security procedures in place, delete information in reasonable time; permits operator to disclose information for legitimate research purposes.NYNYYN
2014IdahoSB 1372Requires State Board to: create student data system, create and make publicly available FERPA-compliant policies/procedures, develop data security plan, data retention and disposition policies (including data destruction and penalties for noncompliance), ensure validity and other requirements are met before disclosing student data for research, ensure vendor contracts include provisions that safeguard privacy and security, and notify governor/legislature of changes in data system. Prohibits collection of health records and biometric information and limits transfer of student data. Limits transfer of student data.NYYYYY
2015IdahoHCR 3Would authorize the Legislative Council to appoint a committee to study the state's SLDS to determine which data points are necessary for tracking student academic progress; which data points must be collected and reported at the aggregate level; which data points should be personally identifiable and why; the extent to which federal funding is contingent upon the collection and reporting of student data to the federal government and the cost to the state of declining such funding; and recommendations on simplifying and minimizing the collection of student data without compromising essential evaluation of educational efficacy, protecting student privacy by limiting the collection of PII, and the cost/benefit of declining federal funds.NYY (but only study of)NYY
2017IllinoisSB887This bill allows the Board of Higher Education to collect a fee to cover the cost of processing and handling individual student-level data requests pursuant to an approved data sharing agreement. This fee does not apply to entities complying with State or federal-mandated reporting. This bill also would prohibit the Board from providing personally identifiable information on individual students except in the case where an approved data sharing agreement is signed that includes specific requirements for safeguarding the privacy and security of any personally identifiable information in compliance with FERPA.NNYNNN
2017IllinoisSB1796Student Online Personal Protection Act: this Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. This law amends the Illinois School Student Records Act and makes a technical change in a Section concerning the short title.NYNYNN
2014IndianaHB 1003Among non-student data privacy related information, this bill changes the state's longitudinal data system (IDS) to the 'network of knowledge' to collect information from educational institutions at all levels. Data should include information about student progress and outcomes. Prohibits collection and storage of discipline, juvenile, criminal, and medical records. Requires the network to comply with FERPA and create a data security plan that must include breach, retention, and disposition procedures. Requires the network to have research approval procedures and report to governor and legislative council about data collection changes and overview of yearly studies.NYNNYY
2018IowaHF2354An Act relating to student personal information protection: This bill creates a general student privacy law - which would prohibit operators from knowingly engaging in targeted advertising, using information to amass a profile about a student, sell student's information, or disclose covered information, with several exceptions.NYNYNN
2014KansasSB 367Allows for disclosure of student data to authorized personnel from educational agency, student/parent, and state board of regents. Lists requirements for a data-sharing agreement. Only allows aggregate data to be disclosed for research. Prohibits school districts from collecting biometric data and conducting survey on life-styles (sex history, religion, etc.) unless consent given in writing. Requires educational agency to create privacy policy and notify parents and student if there is a breach. Requires board to submit yearly report to governor and legislature on changes in data collection and summary of audits.NYYNYY
2016KansasHB2008 (S sub)Creating the Student Online Personal Protection Act: An operator is prohibited from engaging in targeted advertising on the operator's educational online product if the target of the advertising is based on any information, including student information and persistent unique identifiers. Operators are prohibited from using information to create student profiles as well as prohibited from selling or renting student information to a third party.NYNYNN
2019KansasHB2209Provides that the state board of regents may purchase cybersecurity insurance as it deems necessary to protect student records, labor information and other statutorily protected data that the board maintains, independent of the committee on surety bonds and insurance. Provides that“cybersecurity insurance" includes, but is not limited to, first-party coverage against losses such as data destruction, denial of service attacks, theft, hacking and liability coverage guaranteeing compensation for damages from errors such as the failure to safeguard data.NNYNNN
2014KentuckyHB 232Mandates businesses that handle personally identifiable information to notify owners of that PII "in the most expedient time possible and without unreasonable delay" of any security breach. Limits a cloud computing service's use of student data to maintaining company's "integrity" and prohibits use of student data for advertising or commercial purposes. Cloud is allowed to help schools conduct research within boundaries of FERPA.NYNYNY
2014LouisianaHB 340Prohibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose.YYYNYY
2014LouisianaHB 946 (became HB 1076)Prohibits school system employees from collecting lifestyle information (political belief, sexual behavior, etc.) from students without parental consent. Lists exceptions to sharing PII. Requires Department to develop system of student ID numbers. Limits who can access computers that store student data to authorized individuals. Restricts use of predictive modeling that may limit student's learning. Allows for transfer of student data to contracted vendors but also lists contract requirements: inclusion of privacy compliance standards, audits conducted under direction of local school superintendent, breach and notice procedure, and storage/deletion policy; places $10,000 fine on violation of the contract requirements. Prohibits school system or private entity from selling student data for use in advertising unless its permitted per a contract. Establishes requirements for consent forms to be given to parents to allow collection of PII. Requires postsecondary institutions to delete all data collected 5 years after student graduates.NYNYYY
2014LouisianaHB 1283Requires Dept. of Ed. to include information about the transfer of PII on its website regarding: who receives the PII, copy of agreement between department and recipient of PII, what data is actually transferred, statement of intended use of PII, contact person for questions, and how parents can register complaint for unauthorized transfer.NYNNYY
2015LouisianaHB 718Would expand the parties districts can contract with for data services. Would leave the majority of the 2014 law’s provisions in place, but would allow access in accordance with local school board policy and would prohibit any contractor from using student data for predictive modeling to limit a student's opportunities.NYYYYY
2016LouisianaSB270Relative to Student Data Privacy: The Dept. of Ed. is required to provide each city, parish, or other local public school system with information, that could include personally identifiable student information, as the school system deems necessary to verify the enrollment and residency status of each student who resides within the geographic boundaries of the school system but who is enrolled in a public school outside of the jurisdiction of the local public school system. The school system must keep information strictly confidential and shall use the information for no other purpose than verifying student enrollment and residency.NYNNYY
2018LouisianaHB716This bill would allow an official or employee of the state Dept. of Ed. to share student information with certain postsecondary education institutions conducting academic research provided the person and the department have entered into a memorandum of understanding.NNYNYN
2018LouisianaHB387Revises the Parents' Bill of Rights for Public Schools: This bill would amend existing law to provide parents with the right to receive a photocopy of their child's school records, at no charge within 10 days of requesting. Further, "academic records" is now defined to include interim or benchmark assessments..YYNNNY
2014MaineLD 1194Instructs the Joint Standing Committee to research concerns associated with access and privacy of social media accounts, personal email accounts, and cloud services that hold personal information (employees) and student data. Instructs Committee to draft recommendation for legislation that limits access to these accounts and provides for remedies to violations.NYYNYY
2015MaineHP 53Would direct the Commissioner of Education to develop FERPA-aligned rules governing student data not already governed under law and determine penalties for violations of such rules.YYNNYY
2015MaineHP 872Would provide for the confidentiality of assessment data and allow the dissemination of PII with consent only. Would withdraw from Smarter Balanced (or any Common Core-aligned assessment) and require the state Dept. of Ed to "adopt a method of education assessment" that does not collect or disseminate personal data or attributes of students.NYNYYY
2015MaineSP 183Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way "inconsistent" with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students (except for advertising based on the current visit), creating a student profile except for K-12 school purposes, or retain information except as authorized or with consent.NYNYNY
2017MaineLD678This bill specifies if a public or private school requests a student's social security number, the public school or private school shall inform the parent or guardian of the student for what purpose the social security number will be used and provide the parent, guardian, or student the opportunity to opt out of providing the social security number. Also provides for the deletion of the social security number upon departure.NYNNNY
2017MaineLD1616This Act corrects errors and inconsistencies in Maine laws - this bill allows operators to disclose student data: if another provision of federal or state law requires the operator to disclose the student data and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information; for legitimate research purposes; and to a state agency, school administrative unit, or school for kindergarten to grade 12 purposes, as permitted by state or federal law.NYNYYY
2015MarylandHB 298Would prohibit an operator in contract or agreement with a public school or district Prek-12 use from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information.YYNYNY
2017MarylandHB 680Maryland Longitudinal Data System: Lengthens the period of time that MLDS can use linked data from 5 years to 20 years.YYYNYY
2017MarylandSB 1165An Act concerning Maryland Longitudinal Data System: The Maryland Longitudinal Data System is a statewide data system that contains individual-level student data and workforce data from all levels of education and the State's workforce and allows the center to organize, manage, disaggregate, and analyze individual student data. Through this bill, the linkage of student data and workforce data for the purposes of the Longitudinal Data System shall be limited to no longer than 20 years from the date of latest attendance in any educational institution in the State.YYYYYN
2018MarylandHB568This bill requires the State Dept. of Ed., in consultation with the Department of Information Technology and county boards of education, to develop and update certain best practices for county boards to manage and maintain data privacy and security practices in the processing of student data and personally identifiable information across the county board's information technology and records management systems.NYNNYY
2018MarylandHB1254This bill amends existing law to require the State Dept. of Ed. to disaggregate certain data in any student discipline data report in a certain manner - this data shall be disaggregated by race, ethnicity, gender, disability status, eligibility for free or reduced price meals or an equivalent measure of socioeconomic status, and English language proficiency. This bill would also require that special education data in student discipline data reports be disaggregated. Further, the Dept. is required to collect certain data on alternative school discipline practices.NYNNYY
2016MichiganS33Initial bill language replaced with Substitute S-2. Would prohibit the Dept. of Ed. from selling or providing any pupil education record information to a for-profit business entity with the exception of an educational management organization. The Department could not disclose any information concerning a pupil that is collected or created except in accordance with a policy adopted and made publicly available by the State Board that clearly stated the criteria for disclosure. The Department would have to ensure that any contract with a vendor that allowed access to education records expressly required the vendor to protect the privacy of education records and provided express penalties for noncompliance. If the Department provided any collected or created information to a person other than the pupil's school district, intermediate school district, PSA or its authorizing body or the pupil's parent or legal guardian, the Department would have to disclose to the parent or guardian within 30 days the specific info disclosed, the name and contact information of each person to which the information was disclosed, and the reason for disclosure.NYNNYN
2016MichiganSB 510An operator shall not knowingly engage in targeted advertising on the operator's site, service, or application if any of the information provided includes covered information and persistent unique identifiers. Further an operator may not use the information to amass a profile about a student except in furtherance of K-12 school purposes. Finally, an operator may not sell or rent a student's information, including covered information. There are certain exceptions under this bill where information may be disclosed (including in furtherance of the K-12 school purpose of the site, etc). An operator is required to implement and maintain reasonable security procedures and practices and delete a student's covered information if the K-12 school or school district requests deletion.NYNYNN
2014MissouriHB 1490Mandates state board to create rules on data accessibility, transparency, and accountability and a LDS; policies to comply with FERPA; policies to approve research and data requests; develop data security plan; privacy and security audits; breach planning and notification procedures; data retention and disposition policies; data security policies (encryption and employee training); requirements for vendor contracts (vendor can't sell or use student data in advertising). Prohibits collection of individual student data (criminal record, mental/health, biometric, etc.).NYNYYY
2019MontanaHB 745Provides that an operator may not knowingly engage in any of the following activities with respect to the operator's K-12 online application: engage in targeted advertising on the operator's K-12 online application; or target advertising on any other site, service, or application when the targeting of the advertising is based on any information, including protected information and persistent unique identifiers, that the operator has acquired because of the use of the operator's K-12 online application; use information, including persistent unique identifiers, created or gathered by the operator's K-12 online application to amass a profile about a pupil, except in furtherance of K-12 school purposes; sell a pupil's information, including protected information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. Provides that a school district may, pursuant to a policy adopted by its trustees, enter into a contract with a third party to: provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; or provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subsection (2).YYNYYY
2013NebraskaLB 262Allows student, parents, teachers, and admin. access to the student's files and records. Parents must provide consent for anyone else to have access to the files/records. Discipline information must be destroyed after three years of a student's absence from the school. Permits sharing of information between school districts and the State Board of Ed.NYNNYY
2017NebraskaLB 512This bill creates the Student Online Personal Protection Act - this is a general privacy statute that would prohibit operators from knowingly engaging in targeted advertising, or amassing profiles about students, and it prohibits selling or renting a student's covered information.NYNYNN
2017NebraskaAB 7This bill amends existing statute to provide that a "school service" is an internet website, online service, or mobile application that: collects or maintains personally identifiable information concerning a pupil, is used primarily for educational purposes, and is designed and marketed for use in public schools and is used at the direction of teachers and other educational personnel. It does not include anything designed or marketed for use by a general audience, an internal database, system, or program maintained or operated by a school district, charter school, or university school for profoundly gifted pupils, or a school service for which a school service provider has been designated as a school official under FERPA.NYNYNN
2015NevadaSB 463Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent. Would require annual PD on services and their data security.YYNYYY
2015NevadaAB 221Would require the state and districts to create public data inventories and would require certain provisions in contracts with service providers. Would require state and district reporting on changes to data collection or management. Would instruct the state to develop a security policy and charge districts with complying. Would instruct the state to create rules around teacher use of online services.NYNYYY
2019NevadaSB403Revises the prohibition on targeted advertising by a school service provider to prohibit the school service provider from engaging in targeted advertising within its school service or on any other Internet website, online service or mobile application if the targeted advertising is based upon information gathered from its school service. Authorizes a school service provider to use the personally identifiable information of a pupil to perform certain research which is required or authorized by federal or state law. Authorizes a school service provider to use aggregated, de-identified information derived from the personally identifiable information of pupils to develop and improve the products of the school service provider. Requires a public school to provide information regarding the risks associated with the collection of covered information of a pupil to a pupil or the parent or legal guardian of a pupil before the public school allows the pupil to use any school service or provides any item of technology to the pupilYYNYYY
2014New HampshireHB 1587Restricts the collection of certain type of data on students and their families to be stored on SLDS. Schools can release student name or identifier to testing agency only to identify the test taker but cannot give student PI to testing entity to perform a test analysis. Testing entity must destroy data as soon as test taker is identified.YYNYYY
2015New HampshireHB 206Would require school districts to adopt a policy governing the administration of non-academic surveys or questionnaires to students (surveys that elicit information about a student's social behavior, family life, religion, politics, sexual orientation, sexual activity, drug use, and other information not related to student's academics). The policy would allow parents to opt out of participation in any survey on "sensitive" or nonacademic data.YYNNYY
2015New HampshireHB 322Would require the state Dept. of Ed to create data security and breach notification policies. Plan must include audits, notification of breach procedures, and data retention and deletion policies. Would require the Dept. of Ed to produce a public annual data security breach report. Data referred to herein covers both student and teacher data. Dept. of Ed must ensure students and parents are aware of their rights regarding amending and disclosure of student data and right to file FERPA complaint.NYNNYY
2015New HampshireHB 507Would prohibit a school or district form disclosing student or teacher PII to any testing entity performing test-data analysis. Except as permitted in state code, would prohibit the disclosure of student or teacher PII in the SLDS or any department data system to any entity other than the student or teacher's school district. Would prohibit the recording of a classroom without consent or school board approval.NYNNYY
2015New HampshireHB 520Would prohibit an operator from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information.NYNYNN
2016New HampshireHB1372Prohibits recording a classroom for the purpose of teacher evaluation without school board approval after a public hearing and without written consent of teacher and parents of each student. Does not prohibit recording a classroom for a student with a disability whose IEP includes such recordings, for use of student instructional purposes, or for instruction of teacher interns.NYNNNY
2016New HampshireHB1497An Act Relative to the Limits on the Disclosure of Information Used on College Entrance Exams: this bill requires school districts to destroy personal information of students following the completion and verification of certain tests. This bill also gives students taking college entrance exams the option to have all their personal information destroyed by the testing entity following the completion and verification of the test. This bill specifies that schools may disclose students’ names, unique pupil identifiers, but not both, and birth date for the sole purpose of identifying the test taker. there is an exception when this is collected in conjunction with the SAT or ACT. This information then shall be destroyed as soon as verification of test takers is complete. Students taking the ACT or SAT, when that test is used for the state assessment, may opt to have all personal information destroyed by the testing agency.NYNYNY
2016New HampshireHB 301 (2015)Would establish a committee to study the state's SLDS and any other database that contains student-level data; committee shall assemble a dictionary of data elements collected; committee shall review the technical specifications given to contracts who designed and built each database; committee shall study the scope, use, and security of district databases and privacy policiesNYNNYN
2018New HampshireHB1551This bill adds a new section to existing statute specifying that upon a student's graduation from high school, his or her parents may request the LEA in writing to have the student's records and final individualized education program destroyed at that time or request that the records be retained until the student's 26th birthday. Absent any request by the student's parents at the time of graduation, the LEA shall destroy a student's records and final individualized education program within a reasonable time after the student's 26th birthday, provided all records be destroyed by a student's 30th birthday.NYNNNY
2018New HampshireSB1612This bill amends an existing privacy statute: This bill would now require each LEA to create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data fields; develop a data security plan; make publicly available students' and parents' rights under FERPA; requires school districts that use digital badges to obtain the written consent of a parent or legal guardian; modifies certain requirements for contracting with operators of Internet websites.NYNYNY
2014New YorkSB 6356 (same as AB 8556)Education agency can decide not to provide a service provider PII for the purposes of creating a data system or have that information deleted upon request to the Dept.; Dept. and Ed. Commissioner cannot provide any PII to a service provider. Mandates appointment of a Chief Privacy Officer whose duties include: assisting in data breaches, implementing privacy practices, designing data request procedure, reviewing Dept. proposals on student or teacher data. Mandates publication of a Parents Bill of Rights for Data Privacy and that it is included in all contracts with service providers (lists requirements of the Bill of Rights). Mandates provisions for contracts with service providers.YYNYYY
2014North CarolinaSB 815Requires state board to create data system and data security plan with all the basic guidelines; privacy policies that comply with FERPA; prohibits transfer of data unless authorized by law; contracts with vendors have to include specific provisions; board must report to governor/leg. annually regarding change in data collection; prohibits collection of biometric and lifestyle information from students. Requires boards to notify parents annually about student records, opt-out opportunities for disclosure of information, and their rights under state and federal law.NYNYYY
2016North CarolinaHB10302016 Appropriations Act: A private college or university that discloses personally identifiable information in student data or records according to the terms of a written agreement with a State agency, local school administrative unit, community college, constituent institution of the University of NC, or the NC Independent Colleges and Universities, in compliance with FERPA, shall not be liable for a breach of confidentiality, disclosure, use, retention, or destruction of the student data or records, if the breach, disclosure, use, retention, or destruction results from actions or omissions of either: (1) the NC Independent Colleges and Universities, the State agency, local school administrative unit, community college, or constituent institution of the University of NC to which the data was provided, or (2) persons provided access to the data or records by those entities. Also mandates institutions of higher education to transfer student data according the Govt. Data Analytics Center. Mandates a study to be conducted by the Dept. of Public Instruction regarding cybersecurity in public schools and allows them to request security policies from schools.NYYNYY
2016North CarolinaHB632 (2015)Prohibits Internet/application service providers to K-12 schools from engaging in targeted advertising based on covered information, using information to amass a profile aside from furthering K-12 purposes, selling student information, disclosing covered information (except for listed exceptions). Requires service provider to implement security procedures and delete covered information upon request school or local board of education. Provides cause of action for violation of the terms.NYNNNN
2015North DakotaSB 2326Would require the development of terms of access to data in the SLDS, the implementation of privacy and security measures including audits, breach notification procedures, staff training for those with access to the SLDS. Would require state and district data inventories, why data are collected, and who can access them. House version: would prohibit most data sharing without consent of the board. Would require audits and data governance through a SLDS committee.NYYNYY
2017North DakotaSB 2295A bill relating to the exemption of state university and college title IX records from public disclosure: This bill exempts university research records and student personally identifiable information from public disclosure. This however, does not apply to a student record or other information disclosed by an institution under the control of the state board of higher education to the statewide longitudinal data system. Further, any record relating to a complaint or investigation under title IX of the Education Amendments of 1972 at an institution under the control of the state board of higher education is an exempt record.NYYNYN
2014OhioHB 487Mandates state board to adopt data system- among basic requirements, annually reporting data to public, safeguards for confidentiality; iterates numerous specific information that must be in the data system (costs, graduation rates, extracurricular information, information about staff) and assignment of student ID number. Allows dept. to sanction or takeaway funds from districts that do not adequately report information or conform to data requirements and supervise the data system thereafter.NYNNYY
2013OklahomaHB 1989Mandates the State Board to create and make publicly available an inventory of student data and for what purposes data is collected. Limits reasons for the State to transfer student data. Mandates State Board to create data security plan which includes privacy and security audits, breach procedures, and data retention and disposition policies. Governs privacy provisions in vendor contracts. Annually update the Governor and Legislature on a variety of updates, changes, and security audits in regards to new student data in the system.NYNYYY
2016OklahomaHB2784Student Records: The Board of Education of each school district is required to compile and maintain temporary and permanent records of students enrolled and must regulate access, disclosure, or communication of information contained in the student records in a manner consistent with state and federal lawNYNNNY
2017OklahomaHB 1506The board of education of each school district in Oklahoma shall compile and maintain both temporary and permanent records of students enrolled in the district and regulate access, disclosure or communication of information contained in the student records in a manner consistent with state and federal law. This bill specifies that all documents and information in student records may be stored either electronically or in paper format, and be either in a single or multiple file format.NYNNYY
2015OregonHB 2655Would require the state board to develop rules around when education records can be transferred by a school. Would allow parents "the right to limit the collection, storage, use and transmittal of academic information and personally identifiable data." Would allow parents to opt-out of statewide summative assessments. Would require information on summative assessments administered, their purpose, information for the student on the assessment and its use, and who has access to the data.NYNNYY
2015OregonSB 187Would prohibit an online service operator from using student data for commercial or secondary purposes while allowing for recommendation engines, personalized learning, and service improvement.NYNYNN
2014Rhode IslandHB 7124Prohibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose. Prohibits the educational institution from requesting student log into an account in presence of school administration or staff and from adding school administration or staff as a contract on the account as a condition of participating in an extracurricular activity.YYYNNN
2014South CarolinaHB 3893Dept. of Ed. cannot collect student data from students or families unless it is to comply with IDEA. The Dept. has to have a data management system to which only authorized individuals can access. Dept. must also have data request proceduresNYNNYY
2014South DakotaSB 63Mandates Dept. of Ed. to create uniform system to gather and report educational data for the purposes of evaluating educational progress. Dept. must write annual report on progress and submit it to legislature, school districts, and public. Schools can't collect lifestyle information unless adult student or parent provides consent. Prohibits Dept. to report PII to US Dept. of Ed. but can provide aggregated information.NYNNYY
2014TennesseeSB 1835 (HB 1549)Data collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes.NYNYYY
2014TennesseeHB 4046(HA0885)Data collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes.YYYNNY
2016TennesseeHB 1931Same as SB 1900; Would prohibit the the principal/designee from identifying the victim of harassment, intimidation, bullying, or cyber-bullying from being identified in a public report. .YYYNNY
2018TennesseeHB 2087This bill creates additional privacy protections for students' education and health records and prohibits release of student records, including participation in a personal analysis, an evaluation, or a survey not directly related to academic instruction, in certain circumstances without parents' informed written consent. This bill will amend existing statute to specifically require LEAs and schools to take all measures to protect personally identifiable information. Note: This bill amends several sections of current Tennessee statutesNYNNYY
2015TexasHB 4046Defines student record to include information an applicant sends for admission or transfer to a school. Would allow information to be redacted without requesting a decision from the AG. Would allow schools to release data upon request of a student or parent for admission processes.YYYNNY
2017TexasHB 2087This bill relates to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose.NYNYNY
2019TexasSB 820Requires that each school district shall develop and maintain a cybersecurity framework for: (1)the securing of district cyber infrastructure against cyber attacks and other cybersecurity incidents; and (2)cybersecurity risk assessment and mitigation planning. (c)school district’s cybersecurity framework must be consistent with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code. Provides that (d)the superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters.(e)The district’s cybersecurity coordinator shall report to the agency any cyber attack, attempted cyber attack, or other cybersecurity incident against the district cyber infrastructure as soon as practicable after the discovery of the attack or incident.YYNMNY
2015UtahHB 68Would require the State Board to make recommendations to the Legislature on updating student privacy laws in statute and in board rule (with input from educators, parents, other stakeholders). Recommendations would address data security, communicating to parents how data are used, processes for data disclosure to other education agencies, other states, and third parties (including contact requirements and prohibitions against using data for non-education services and commercial purposes), Would require the State Board to designate a chief privacy officer.NYNYYN
2015UtahHB 163Would require an education entity to notify the parent if there is a release of the student's PII due to a security breach.NYNNYY
2015UtahSB 204Would allow a parent to opt-out of any federally or state mandated assessment or an assessment that requires use of a state assessment system or software that is provided or paid for by the state. Would require the State Board to publish a list of state assessments, state assessment systems, and software that qualify under the bill.NYNNYY
2016UtahHB358Establishes that "a student own's the student's PII"; Would require the state board to establish a student data policy advisory group to discuss and make recommendations regarding enacted or proposed legislation and state and local student data protection policies in the state; Would require state board to establish a student data governance advisory group that performs duties related to state and local data protection; Would require the state board to establish a student data users advisory group composed of members who use student data at the local level and provides feedback and suggestion on the practicality of actions proposed by the student data policy advisory group and the student data governance advisory group; Would prohibit collection of SSN by an edu entity; Defines 'permanent record'; Would require the board to make rules regarding using and expunging student data; Prohibits educational entity from sharing student PII except as provided in FERPA and this billNYNYYY
2017UtahSB102This bill provides that local school boards or charter schools governing boards must require public schools to make lists of individuals who are authorized to access education records. Further, local school and charter governing boards must provide training on student privacy laws and require individuals who are authorized to access education records to complete training on student privacy laws. Finally, this bill would prohibit local school boards and charter school governing boards, public schools, or school employees from sharing an education record with a school employee who is not authorized without written consent.NYNNNY
2017UtahSB 163This bill modifies provisions of the Student Data Protection Act.; expands and clarifies the definition of targeted advertising; deletes the requirement that any education entity that collects student data shall prepare and distribute to parents and students a student data disclosure statement that states that parents and students are responsible for the collection, use, or sharing of student data; permits a third-party contractor to identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria.NYNYYY
2018UtahSB207This bill amends provisions related to student data protection. This bill would establish who may access a student's student data. Further, the board is required to make rules to define a significant data breach. This bill also amends existing statute regarding collection notice statements. Finally, this bill would prohibit education entities, including student data manager, from sharing personally identifiable student data without written consent. NYNNYY
2019UtahHB 27Updates public education definitions, modifies that the student data manager shall share student data with the state board rather than just "the board"NYYNYN
2019UtahHB 28Updates public education definitions, modifies that the student data manager shall share student data with the state board rather than just "the board"NYYNYN
2019UtahSB164Repeals provisions related to the State Board of Education sharing student data with the Utah Registry of Autism and Developmental Disabilities and repeals provisions related to the State Board of Education sharing student data with the State Board of Regents.NYYYYY
2014VirginiaSB 242A private or public institution of higher education can request from students who are committed to attend or currently attend their complete student record, including mental health record. No public institution of higher education shall sell students' personal information to any person.NNYNNN
2015VirginiaHB 1334Would require the state Dept. of Ed to develop and make publicly available policies to ensure state and local compliance with FERPA and state privacy laws (including policies around access to PII and review of requests from public and private entities) and require parental notification in instances of possible disclosures of electronic records in violation of FERPA or other federal or state law and remedial measures being taken.NYNNYN
2015VirginiaHB 1612Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way "inconsistent" with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent.NYNYNY
2015VirginiaHB 1698Would require parental notice before the administration of any survey on "sensitive" topics, an explanation of privacy measures, and the right to exempt their child from participating.NYNNNY
2015VirginiaHB 2350Would direct the state Dept. of Ed and the Virginia Information Technologies Agency to develop a model data security plan for districts to implement policies and procedures related to the protection of student data and data systems. Would require the Dept. of Ed to designate a chief data security officer to assist local school divisions with the development or implementation of policies around data security and data use.NYNNYY
2016VirginiaSB 438This bill prohibits a public or private institution of higher education from requiring a student to disclose the username or password to any of such student’s personal social media accounts. It also prohibits a public institution of higher education from selling student PII.NNYNNN
2016VirginiaHB519Would require school-affiliated entities (e.g. alumni associations, PTAs, scholarship organizations) to provide information on the student PII they collect and maintain and implement privacy and security policies. Would prohibit these entities from selling student PII or collecting, using, or disclosing it without consent.NYNYNY
2016VirginiaHB 749School Service Providers: Makes several changes to the provisions relating to the protection of student personal information by school service providers, including (i) providing that student personal information does not include information that is publicly available; (ii) defining "targeted advertising" as advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information and prohibiting school service providers from knowingly using or sharing any student personal information for the purpose of targeted advertising for students in operating a school service pursuant to a contract with a local school division; and (iii) clarifying that other provisions of law do not prohibit school service providers from performing certain acts, including disclosing student personal information to ensure legal or regulatory compliance, protect against liability, protect the security or integrity of its school service, respond to or participate in judicial process, or protect the safety of school service users or other individuals.NYNYNN
2016VirginiaHB 750Student personal information: Excludes any website, mobile application, or online service that is used for the purposes of college and career readiness assessment from the definition of “school service,” thus relieving providers of such websites, mobile applications, and online services from the obligation to provide various protections for student personal information collected through such websites, mobile applications, and online services. Each school service provider under this bill is required to provide clear information about the types of student personal information it collects through any school service and how it uses and shares such student personal information.NYNYNN
2017VirginiaSB951School Service Provider: student access to collected personal information: This bill requires school service providers to provide each student's parent with access to a downloadable electronic copy of any student personal information pertaining to such student that has been collected, maintained, used, or shared by the school service provider. Contracts between local school boards and school service providers may require that such copy be in a machine-readable format.NYNYNY
2018VirginiaHB1Clarifies that the definition of "scholastic records" in the Virginia Freedom of Information Act includes directory information, but also provides that such directory information may be released to the public only if the student who is the subject of such information, or the student's parent or legal guardian if the student is less than 18 years of age, has expressly consented, in writing, to the release of such information. NYYNYY
2019VirginiaHB2449Scholastic records; disclosure of directory information. Provides that a school or institution of higher education may disclose certain directory information of a student to certain internal persons for educational purposes or internal business if the student has not opted out of such disclosure. Under current law, such disclosures require written consent. The bill also provides an exception for state and federal law requirements from the prohibition of such disclosures.NYYYYY
2015WashingtonSB 5419 (HB 1495)Would require service providers to provide clear privacy policies and notice of any policy changes. Would require service providers to have a security plan. Would prohibit service providers from selling student information or from using it for targeted advertising, creating a profile, or any purpose not agreed to without consent.[Senate version of HB 1495]NYNYNN
2016Washington, DCB21-0578Bill 21-0578, the “Protecting Students Digital Privacy Act of 2016,” requires that any contract or agreement between a local education agency and a student information system provider shall expressly authorize and require the provider to establish, implement, and maintain appropriate security measures to protect student data; prohibits an educational institution or 1-to-1 device provider that provides a technological device to a student for overnight or home use from accessing or tracking the device except in limited circumstances; prohibits an educational institution from requiring or coercing a student or prospective student to disclose the user name and password to a personal social media account; and prohibits school employees from accessing or compelling a student to produce data stored upon, or accessible from a student’s personal technological device except in limited circumstances.YYNYYY
2014West VirginiaHB 4316Mandates the Dept. of Ed. to create data system, create and make publicly available policies that comply with FERPA, restrict access to the data system to authorized staff, notify parents of inter-agency sharing agreements and give parents opportunity to opt-out of sharing their student's data, develop data request procedures, develop data security plan with the basic requirements (compliance, audits, breach procedures, data retention/disposition, employee training), ensure vendor contracts have express provisions that safeguard privacy and security and penalties for noncompliance, notify governor/legislature of updates to data collection and audits. Prohibits collection of lifestyle information and reporting to state any biometric information. Mandates appointment of data governance manager and lists responsibilities. Development of guidance for districts to notify and deal with parental requests to access student data.NYNNYY
2016West VirginiaHB4261Student Data Accessibility, Transparency, and Accountability Act: A bill relating to student data - this bill prohibits the sale of transfer of student data to vendors and other profit making entities. Provides for certain exceptions including when the department enters a contract that governs student or redacted data with a contractor for the purpose of state level reporting; in the event the ACT or SAT tests are adopted as the state summative assessment, allows the ACT or College Board to use certain information; requiring written consent if information classified as confidential is required.NYYNYN
2014WyomingSF 79Mandates Dept. of Enterprise Technology Services and State Superintendent to establish criteria for education data mgmt. system on education accountability and assessment, teacher certification, and school finances. Also mandates creation of data security plan with all the basic requirements; policies that comply with FERPA; prohibits sale of student data to private entities.NYNNYY
2017WyomingHB0008This Act would amend requirements of the State Superintendent and Department of Enterprise Technology Services regarding the state data security plan. This would ensure privacy of student data collected - this would require certain policies for the collection, access, privacy, security, and use of student data by school districts.NYNNYY
2017WyomingHB0009Student Electronic Writings and Other Electronic Communications - Expectation of Privacy. No ownership rights to any electronic writing or other electronic communication created by a student shall be conveyed, transferred, or otherwise affected solely as a result of the writing or other communication being stored on an electronic device paid for in whole or part by the university or transmitted or stored on the university's network.NNYNNN
 
Updated 8/6/2019This chart was developed with the input of the Data Quality Campaign, Foresight Law+Policy, the National Association of State Boards of Education, and the Future of Privacy Forum.