No more student data sales by College Board/ACT!

No More Student Data Sales May 6 2024

Here is the presentation we gave on May 6 to parents from states throughout the nation, with tips on how to ensure their children’s data is not sold by the College Board or ACT.  Our spreadsheet with links to state laws where this is illegal for school vendors is here.  A video of the event is available on YouTube; Part I with the presentation, and Part II, with a Q and A.

Here is a template letter that you can use to write to your State Attorney General urging them to stop these vendors from selling student data in violation of your state law, as the NY AG did, is below.

If you are an Illinois resident, here is a form to write to the Illinois AG asking him to enforce Illinois’ state student privacy law, sponsored by Illinois Families for Public Schools.

Please email us if you have any questions at: [email protected]

Also contact us if you are a parent at one of the states that do not have a law prohibiting the sale of student data by the College Board/ACT, or have a state law that allows this with student consent, but without specifying the age of that student.  We can help you file a FERPA complaint to the US Department of Education.

Thanks!  Leonie and Cassie

PCSP comments on how the privacy protections in the proposed COPPA regs should be improved

See below comments that PCSP and attorney Zephyr Teachout submitted to the Federal Trade Commission, urging them to strengthen their proposed student privacy and security regulations for the federal law entitled COPPA, for Children’s Online Privacy Protection Act.  COPPA is one of a few key federal laws that protect student privacy. There has not been a change to the rule implementing COPPA for more than a decade, and the new one will have major implications for data collection for children under age 13 in schools and elsewhere.  Some discussion about the weaknesses in these proposed regs are here; the public comments from over 700 individuals and groups that were due March 11 are posted here.

PCSP comments on FTC proposed COPPA rule change – March 2024

Please urge the FTC to strengthen their new COPPA rule by Monday March 11!!

In December 2023, the Federal Trade Commission announced a proposed change to the rule for the Children’s Online Privacy Protection Act (COPPA) and requested public feedback.

COPPA is one of a few key federal laws that protect student privacy. There has not been a change to the rule implementing COPPA for more than a decade, and the new one will have major implications for data collection for children under age 13 in schools and elsewhere.

The Parent Coalition for Student Privacy will be submitting comments, and we’re encouraging parents and other student privacy advocates to weigh in as well. We are concerned that this change in language will further weaken privacy and security protections for children.  See below for some suggested language to use. The deadline to submit  comments on the proposed changes to the rule closes on Monday March 11th at 11:59pmET

Why is the rule change important?

COPPA only applies to data collected from children under 13, and it only applies to data collection by for-profit companies. But it is enforced by the FTC, and that agency recently has been willing to hold tech companies accountable, especially with respect to children and social media.

Previously, COPPA gave strong rights to parents, requiring parental consent before companies could collect any data directly from children under 13, and giving parents the right to consent to this data collection, review what was collected, and the right to have data deleted.

Then in  guidance in 2019, COPPA said schools could consent to data collection in the place of a parent, but that parents’ rights to control that data were retained even if it was the school that originally consented.

But that was only guidance, which doesn’t have the legal weight of a rule.

What’s the upside of the proposed changes?

The new rule makes it official that schools can authorize collection of data from children—and that collection can only be for an educational purpose, so data can’t be used for advertising, sale, marketing or other commercial purposes. And now schools will need to have written agreement with a company before data can be shared. (That’s a requirement in place in some states, but far from all.)

Those are both good things, especially with the weight of the FTC’s enforcement power behind them.

What’s not good about the proposed changes?

Though it bars the use of personal student data for “commercial purposes” it doesn’t clearly define what that means and would allow it be used to develop new products and services.

There are many other aspects of the new rule that are worrisome and might even weaken existing parent rights under FERPA – the other major federal student privacy law, which is already too weak. Namely, it omits the right for parents to access the data that is held for their children and to challenge it if it is inaccurate.  It is also far too weak regarding data security, data minimization and deletion, and parent notification for data collection and in case of breaches.

There are also no additional protections or parental controls when it comes to the collection by companies of highly sensitive data, including student behavioral, physical, and mental health data, as well as biometric and geolocation data, and no additional controls on surveillance.

Please take the time to submit a comment on this proposed rule change via this interface. In the past, we’ve found that parent voices sometimes matter to federal regulators, and we are hoping that the FTC will hear our concerns and those of other parents who are wary of the rapid proliferation of invasive ed tech in our schools, as well as the widespread and harmful breaches that have followed.

Here’s some suggested language you can use or adapt, but please feel free to alter the language in any way you like.  thanks!  Leonie and Cassie

Re: COPPA Proposed Rule, 16 CFR part 312, Document 89 FR 2034

I am submitting this comment as a {parent, teacher, privacy advocate}. I support the goal of clarifying and strengthening the protection of children’s privacy in a school context, and  agree that schools should only allow data to be collected from children by companies that have a written agreement with the school. I also agree that data collected from children in school should only be used for educational purposes.

However, I am concerned that the definition of school-authorized educational purpose could allow companies to make use of children’s data for developing and improving products. That’s not acceptable.  Moreover, if schools can now authorize companies to collect data from children, parents must still have at least as much control over their child’s data as they do under FERPA,including the right to inspect, challenge and amend their children’s information if it is inaccurate.

There must be strong data security safeguards as well,  at minimum including independent security audits and encryption in motion and at rest, given the frequent and widespread occurrence of hacking and data breaches in our schools.  Without effective data security there can be no data privacy. 

Finally, in all cases, schools should be required to notify parents directly about what companies are collecting what type of data from their children, how that data is being used and that it will be deleted after it is no longer needed for educational purposes.  And in the case of the collection of biometric and geolocation data, and the use of invasive surveillance programs in schools, parents need and deserve the right of prior notification and consent as well.

[Include, if you can, an anecdote about what’s happening in your school or district—do parents know what software is being used, are they asked for consent, and how out of control this data collection has become collected data from your child, etc.]

Yours sincerely, name and address.

Advocacy Orgs To Illinois AG: Stop College Board From Selling Student Data

Press release cross-posted here.

On February 26, 2024, nine state and national advocacy organizations, including privacy, consumer and government watchdogs, sent a letter to the Illinois Attorney General Kwame Raoul calling on him to follow the lead of New York Attorney General Letitia James and end the College Board’s illegal practice of selling Illinois students’ personal data. Full press release below.


February 27, 2024

Cassie Creswell
Illinois Families for Public Schools


Yesterday, nine state and national advocacy organizations, including privacy, consumer and government watchdogs, called on Illinois Attorney General Kwame Raoul to follow the lead of New York Attorney General Letitia James and end the College Board’s illegal practice of selling Illinois students’ personal data.

The groups, including Parent Coalition for Student Privacy, Illinois Families for Public Schools, Citizen Action Illinois, Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC), Fairplay, Good Government Illinois, Student Data Privacy Project, and Surveillance Resistance Lab, sent a letter to urge the Illinois Attorney General to enforce Illinois’ student privacy law with respect to the ongoing illegal sales of Illinois’ public school students’ personal data by the College Board, a multi-million dollar state vendor.

Two weeks ago, the New York Attorney General announced a consent decree with the College Board that fined the test vendor $750,000 and prohibited them from any further sale of student data collected via the administration of tests in school, a practice that has been illegal under New York state law since 2014. Now, in the letter to AG Raoul, the nine organizations said, “We hope that you agree that Illinois students deserve the same protections that New York students now enjoy.”

Illinois Families for Public Schools executive director Cassie Creswell said, “As a public school parent, I am appalled that the College Board has been profiting off the sale of Illinois children’s personal data for decades, a practice that has been illegal for school or district vendors ever since our student privacy law was passed in 2017. Student data shouldn’t be commercially exploited at all.”

Leonie Haimson, the co-chair of the Parent Coalition for Student Privacy said, “Thanks to New York Attorney General Letitia James, the College Board will no longer be able to sell personal data collected from New York students via the PSAT, SAT and AP exams given in school. The College Board made $28 million selling New York student data they collected via in-school PSAT and SAT exams during the years 2018 through 2022 alone—not counting the millions more they likely made from selling the data of AP students. God knows how much they’ve made from illegally selling the data of Illinois students over the last seven years. It is past time for the Attorney General Kwame Raoul to step up and protect student privacy going forward, as Attorney General Letitia James has done.”

Via the administration of its tests during the school day, the College Board has access to the personal data of hundreds of thousands of Illinois students, including their names, addresses, ethnicity and race, economic status, test score ranges, and other personal information, some of which they collect from students before the administration of these tests or online when students create accounts on the College Board’s website. This data is sold by the College Board, for anywhere from $2,575 for 5000 student records up to $540,000 for an unlimited number of records, via their Student Search Service.

Illinois’ student data privacy law, passed in 2017 and known as the Student Online Personal Protection Act, or SOPPA, prohibits school, district and state vendors from selling student data collected in school, but has yet to be enforced in Illinois, one of at least 20 states with a similar prohibition on the books.

The State’s existing almost $55 million contract with the College Board for SAT and PSAT tests was signed in 2018, after the passage of SOPPA, but it explicitly allows the College Board to sell student data acquired under the contract. Illinois also pays the College Board fees for Advanced Placement tests for low-income students, and school districts across the state have individual contracts with the College Board for additional administrations of the SAT, PSAT and AP tests.

Illinois public high schools must give the SAT and PSAT to comply with state and federal law, and students must take the SAT to receive a diploma from a public high school in Illinois.

The current contract between the State and the College Board expires on June 30 this year. The Illinois State Board of Education released a request for proposal in December 2023 for a new contract, and it is likely that the College Board will again be chosen as the vendor for the state high school assessment.

In 2019, eight state legislators asked the Illinois AG Kwame Raoul to investigate the College Board’s data sales and whether they were in violation of SOPPA. Individual Illinois parents also filed complaints with the AG about their children’s data being sold. At the time, the AG’s Office said they were “looking into” the issue, but no actions resulted. In summer 2022, the AG’s Office falsely told the Chicago Tribune they were not “aware of any SOPPA violations being reported to the office.”

In May 2018, the US Department of Education issued guidance specifically warning local and state education agencies about the various legal problems involving potential violations of federal student privacy law surrounding the collection and sale of this personal data, when college admissions exams, including the SAT and ACT, are administered in schools.

About Illinois Families for Public Schools

Illinois Families for Public Schools (IL-FPS) is a statewide, grassroots, non-profit 501c4 advocacy group founded in 2016. IL-FPS is the voice of public school families in Springfield and across the state, advocating to defend and improve Illinois public schools. More at

About the Parent Coalition for Student Privacy

The Parent Coalition for Student Privacy (PCSP) is a national grassroots advocacy organization, founded in 2014, which built on the success of parent advocates to stop the creation of inBloom, a national database of K-12 student data to be used for commercial purposes. PCSP includes parents from nearly every state and assists families in addressing individual and systemic threats to student privacy. More information at


Victory at last! NY Attorney General enforces law and makes College Board stop selling student data!

Last week, Tish James, the NY State Attorney General, won two big victories against businesses engaged in fraudulent and deceptive practices.  As was widely reported, the Trump Organization was fined more than $550 M and Trump himself was barred from engaging in business in NY for the next three years.   Yet the Attorney General’s victory over another huge business venture engaged in illegal practices was far less covered in the media, and in NYC, among local outlets, only the Daily News reported on it.

This other victory was a consent decree that the College Board signed with the AG office, in which the College Board agreed to stop the sale of personal student data of New York public school students, along with paying a fine of $750,000 – which is modest compared with the tens of millions of dollars the College Board has made from illegally selling this data over the last ten years.  Here is the press release from the AG office, dated Tuesday February 13; here is an article in Reuters.

For decades, the College Board has been selling student names, addresses, test scores, and whatever other personal information that students have provided them,  when they sign up for a College Board account and the Student Search program. According to the AG press release, in 2019 alone, the College Board improperly shared the information of more than 237,000 New York students.  Since New York’s student privacy law, Education §2-d, calls for a fine of up to $10 per student, the penalty for selling student data during that one year alone could have equaled more than $2 million.

And yet for years, on their website and elsewhere, the College Board has also  falsely claimed they weren’t selling student data.  Instead they called  it “licensing” data, a distinction without a difference.  For years, they also claimed that they never sold student scores, though that was false as well, as they do sell student scores within a range.

The College Board urges millions of students to sign up for their Student Search program, with all sorts of unfounded and deceptive claims, including that it will help them get into better schools or receive scholarships.  The reality is that their personal data is sold to over 1,000 colleges, programs and other companies – the names of which they refuse to disclose — who use it for marketing purposes and may even resell it to even less reputable businesses.

Many colleges also use the data to get more students to apply, merely to boost their selectivity rate and number of rejections, which then give them a higher ranking, a ruse reported in the Wall Street Journal and elsewhere. Though the College Board refuses to disclose how much they profit by this sale, it is likely more than $100 million a year nationally.  They used to charge about 50 cents a name, but currently they charge up to a half million dollars a  year or more to organizations that want access to this data.

Ever since the Education §2-d  was passed in 2014, as a result of the inBloom controversy, the sale of  personal student data by schools, districts, and their vendors has been absolutely banned.  Since that time, New York parents along with the Parent Coalition for Student Privacy, which I co-chair, have been urging city and state officials to include an explicit prohibition against this invasive and illegal practice in their contracts with the company, and yet up to now, the city and state have refused to do so.

After the law was passed, it would be nearly five years for the New York State Education Department to draft regulations to implement it.  Meanwhile, in In July 2018, an article in the NY Times revealed that an unnamed organization to which College Board had sold student data had resold it to a for-profit company that markets expensive programs to families of dubious value, and that this practice likely contributed to a thriving and largely unregulated commercial market in student data.

The article described how thousands of students attended a “Congress of Future Science and Technology Leaders” costing $985, and pointed out how much of the confidential data sold by College Board was  harvested through surveys administered to students right before they take the PSATs and SATs, or when they register for the test online.

The College Board not only refused to make it clear to students that providing this personal data was voluntary, but much of the data requested was protected by a federal law called the PPRA, or the Protection of Pupil Rights Amendment, meaning that students could not be asked these questions without explicit parental consent or opt out. We had warned about this earlier in a blog post in 2017, and complained about it to the US Department of Education, which  released guidance warning districts not to allow the College Board to continue this practice in May 2018.

In  2018, NYSED finally released proposed regulations for Education §2-d for public comment.  The organization I co-chair, the Parent Coalition for Student Privacy, along with the statewide coalition New York State Allies for Public Education (NYSAPE), submitted recommendations on how to strengthen and clarify those regulations, as did more than 240 parents and privacy advocates.

Yet behind the scenes, the College Board was lobbying hard to persuade State Education Department officials  to weaken the law with regulations that would include a special exemption to allow them to continue selling student data, with or without parental consent.  Through a Freedom of Information Law request, we later received emails sent by the Board to then-Commissioner Mary Beth Elia and her successor, Beth Berlin,  in 2018 and 2019, urging them create loophole for this purpose.  They pointed out that 80% of students do opt into the sharing of their data, including their GPAs, ethnicity, educational interests and the like.

They claimed that asking for parent consent before they shared the data would  cause 4,000 fewer New York high school graduates to attend four-year colleges every year – though they never backed up that claim.  They cited an unpublished study that showed that if a student had their data shared through the Student Search process, their probability of enrolling in the college that had received that data was increased by 22 percent – without even attempting to argue that this college would be of any higher quality than any other that had not purchased their data.  Moreover, when we finally got access to the study, a footnote revealed that this 22% increase only reflected an actual increase of .02 percentage points over the usual rate of .1%, since so few students actually did attend the colleges to which their data was sold.

In any case, the College Board’s lobbying efforts nearly worked, as on July 10, 2019, in the middle of summer, then- Chief Privacy Officer of State Ed Temitope Akinyemi released revised regulations for the law, without the knowledge of the state’s Data Privacy Advisory Board, on which I sit.  These regulations contained a special loophole for the College Board that would allow the continuing sale of the data as long as there was parental “consent.”  I, along with other parents stepped in to protest, and many parents sent in comments to the State, urging them to omit this unwarranted and damaging change in the regulations. Ad our Parent Coalition and NYSAPE wrote in a letter to NYSED after the new draft regulations were revealed,

“To create a new, huge loophole in the law that would allow the College Board, ACT or any other contractor or subcontractor to sell student data and/or use it for marketing purposes, by making the untenable claim that such sale or marketing purpose is not truly marketing if there is consent, is a drastic weakening of the law which should NOT be contemplated….

If the College Board lobbyists or its supporters would like to eliminate the prohibition of the sale or marketing of student personal data in the law, they should go to the Legislature and ask that it be amended. This should not be done through regulations or by attempting to redefine the meaning of the term “marketing.” 

I then wrote an oped  that was published in the Washington Post on Sept. 11, 2019, with the headline Is New York state about to gut its student data privacy law?”  In the oped, I pointed out how the data that was sold could relate to the students’ “academic and extracurricular interests, career and field of study interests, family income, and religious preferences.” A longer and more specific list of data was listed on the webpage aimed at purchasers, revealing that, depending on the test taken, the data could include student email addresses, ethnicity, GPA, sports, or “educational aspirations.”  One had to dig even deeper into a SAT registration booklet, to discover that while their child’s “actual test scores” were not sold to third parties, “Colleges participating in Student Search … can ask for names of students within certain score ranges [emphasis mine].”

After the Washington Post oped was published,  Betty Rosa, then the Regents Chancellor and now the Commissioner of Education, sprang into action.  She called  for a special meeting in Albany to take place on September 19, with top SED officials, including then-Acting Commissioner Shannon Tahoe, the Chief Privacy Officer, and representatives from the College Board, as well as Lisa Rudley of NY State Allies for Public Education and me.  We were each requested to provide a one-pager beforehand, with our points about whether the regs should be altered to allow the continuation of this practice clearly laid out. (Mine is here.)

When the meeting was held, we argued these issues for about an hour, in a dark conference room in the State Education building.  The representatives from the College Board  maintained that they provided this data to organizations and colleges for purely charitable reasons, to help ensure that underserved students had more opportunities. Lisa and I argued among other things that the sale of this data merely contributed to an expensive marketing arms race between colleges, similar to that engaged in by drug companies,  that wasted millions of dollars that could be far spent on authentic outreach to students and/or improving the quality of education they provide.

Chancellor Rosa then asked us if there were any conditions under which it would be acceptable for the College Board to continue sharing this data with third parties.  I responded under three conditions:  One, that the Board disclose the names of all the organizations with whom they shared the data, (which to this day they still refuse to do); two, if parents were asked  and gave informed consent for this disclosure, including a clear and precise list of all the data elements the Board intended to share; and three, if the Board shared the information with these institutions for free, rather than for sale – which they should be willing to do, if their motives were as charitable as they claimed.

Chancellor Rosa then turned to the College Board, and asked them  if they’d be willing to comply with those conditions, and without even a moment of pause, they said no.  That was the end of the meeting.  A few weeks later, SED again revised the language of the proposed regulations and took out the special loophole that had previously been inserted to allow the College Board to sell data.

And yet the illegal collection of sensitive student data and its sale by College Board continued in New York State and elsewhere.  In October 2019, we wrote a blog post about this, including a fact sheet for parents, warning them to urge their kids not to answer any of the optional questions before taking these exams, and informing them that all that was required to be filled out was  their name, date of birth and  gender.  We also warned them about the Student Search program, and advised them not to allow their children to sign up for this program, unless they wanted their names and test scores to be sold.

The College Board then sent me a letter, demanding I  correct specific statements in our fact sheet, including the following.  While they had asked students about their “religion activities”, a topic which is illegal without parental consent, they had recently altered this question to inquire about their “religious interests” instead.  You can see their letter, my response, and their reply here.

In any case, the NYC Department of Education continued to ignore our entreaties and continued to sign larger and larger multi-million dollar contracts with the College Board every few years, for the PSAT, SAT and AP tests, without any prohibition against selling the personal student data they received as a result.

Similarly, many other districts in New York State continued to do so as well, without any apparent interest in trying to stop this illegal practice. We asked the State Education Department’s new CPO to put out guidance on the subject,  and to the Attorney General office to enforce the law, even posting a petition in November 2021 asking Tish James to intervene, that received more than 700 signatures, all to no avail. Since there is no private right of action in the student privacy law, meaning parents could not sue for this ongoing violation of their children’s privacy, we were stymied.

Instead, the College Board devised new evasive tricks, requiring students to sign up for their own accounts on the College Board website to take these exams and/or access their scores, even when these exams were administered by their schools with district funds.  When they did sign up, students were then asked to sign a waiver, saying that they “do so in their personal capacities, not as Students of School,” apparently in order to protect the College Board from liability in having to comply with the state laws in New York and elsewhere that prohibit school vendors from selling student data.

More bad publicity for College Board followed.  Consumer Reports revealed how they used trackers on their website, sending information about students’ online activity to advertising platforms at companies such as Facebook and Google. We followed up with a post on our Parent Coalition for Privacy website, in which Cheri Kiesecker documented how the company utilized hidden analytics tools, recording everything a user does on its website, including keystrokes and “behavior tagging”.

She also pointed out how with their ill-gotten gains, the College Board had accumulated assets at that time of more than $1.1 billion, much of it invested in off-shore bank accounts, and paid its CEO, David Coleman, over $1.5 million per year.  More recently, in 2022,  according to its  IRS 990, Coleman was paid more than $2.1 million per year in salary and benefits, while the Board’s President, Jeremy Singer was paid more than $1.8 million per year.  The organization also provides first-class or charter travel to key employees or officers, according to Pro Publica, unusual for an education non-profit.

Then in January of 2022, we got a big break.  It was announced that Tish James had asked Zephyr Teachout, a renowned anti-trust attorney, to take a leave from her faculty position at Fordham Law to work at the AG office for a year, as a “special advisor and senior counsel for economic justice.”  Zephyr had run for Governor  in 2014 and for Attorney General in 2018 and was highly respected for her progressive positions on a range of issues, including education and privacy.

I reached out to Zephyr with my concerns about the College Board, and starting in the summer and fall of 2022, the AG office began investigating this issue.  According to last week’s press release, the College Board stopped selling the data collected in schools via PSAT and SAT exams some time in 2022 after their investigation had begun, but continued selling student data collected via AP exams through 2023.

In July of 2023, the Panel for Educational Policy approved a DOE $18 million five-year contract with the College Board for PSAT/SAT exams and other materials.  In the Request for Authorization document posted  on the DOE website, a section at the end entitled “Vendor Responsibility” that described just a few of the lawsuits filed against the College Board contained this statement:

In October 2022, the NYAG’s requested information from College Board to assess its compliance with Education Law section 2-D and information relating to its financial aid products. College Board advised that the matters are on-going and continues to cooperate with NYAG.

I heard nothing more about the issue for another seven months. Then last week, while lying in bed, listening to the radio in the morning on February 14 – yes Valentine’s Day – the WNYC announcer briefly reported on this consent decree.

So after ten years of advocacy, we seemed to have achieved the goal of halting this illegal practice by  the College Board, at least in NY state.  Yet a few questions and concerns remain, including how the Attorney General’s office intends to enforce this prohibition.

Moreover, the privacy addendum for the DOE contract with the College Board, called the “Parent Bill of Rights”[PBOR]  posted on the DOE website still does not fully comply to the law.  It says that the company, its subcontractors and others with whom it discloses this data will not encrypt student data “where data cannot reasonably be encrypted”, even though encryption at all times is required by Education §2-d.  This is a serious violation of the law and risks damaging breaches, as have occurred too many times with DOE vendors.

Education §2-d also requires that data minimization and deletion be specified in all contracts, yet the DOE PBOR for the AP exam says the company  will delete data acquired through the exam only “when all NYC DOE schools and/or offices cease using College Board’s products/services,” which could be never. The PBOR for the SAT/PSAT is even worse, as it specifies no actual date that any student data will ever be deleted. As we saw with the Illuminate breach, when nearly the data of nearly a million current and former NYC students was breached, lax data deletion contracts has allowed DOE vendors to retain the data of students far too long, even those who have long graduated from high school and left the system. It is critical that both the  encryption and data deletion provisions in the College Board contracts with DOE be strengthened and enforced.

Three other points of warning to parents: There is a bill that was submitted in the State Legislature in 2021, and resubmitted this session by Senator Sanders and Assemblymember Hyndman, S4203 and A2388 that would amend the law to allow the College Board to keep selling students data.  We wrote a memo in opposition to this bill in 2021.  If you are a constituent of either of these legislators, please urge them to withdraw this bill.

Secondly, if your child has taken or intends to take the SAT exam outside of the school day, separate from the school context, this consent decree will not stop the sale of their data, as the state student privacy law only covers the practices of public schools, districts, and their vendors.  So if you do not  want your child’s personal info to be sold, including their names, scores, ethnicity, etc., to organizations and colleges, including those that may be score-optional, make sure your child does not sign up for the Student Search program.

Finally, as of 2019, there were at least twenty other states which have the same prohibition against selling student data by school and district vendors, including California, Illinois, and others. Here and below is the list of such states, along with the state law that prohibited this and the year that it was passed, according to the State Student Privacy Report Card, published by the Parent Coalition and the Network for Public Education.

If you are a parent of a high school student in one of these states, please reach out to us at [email protected] with your concerns, as we plan to contact the Attorneys General of these states to urge them to act as Tish James has now done, to halt this damaging and illegal practice, and hopefully impose even bigger fines.  Thanks!