In the first of its kind, the Parent Coalition for Student Privacy and the Network for Public Education released a report card that grades all fifty states on their student privacy laws, focusing on 99 laws passed since 2013 in 39 states plus the District of Columbia.
The State Student Privacy Report Card awards points to every state in each of the following five categories, aligned with the core principles put forward by the Parent Coalition for Student Privacy:Transparency, Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations.
Two more categories were added: Parties Covered and Regulated and Other, a catch-all for provisions that did not fit into any of the above categories, such as prohibiting school employees from receiving compensation for recommending the use of specific education technology products and services.
Ever since the controversy erupted in 2013 over the $100 million data collection corporation called inBloom, parents have clamored for stronger privacy protections for their children than currently provided by federal law. The primary federal student privacy law known as FERPA was passed over forty-five years ago and has been weakened by regulation over time to allow for the sharing of personal student data by schools and vendors without parent knowledge or consent. State legislators have tried to fill some of the many gaps in FERPA, and to require more transparency, security, enforcement, and the rights of parents and students to control their own data.
Yet no state earned an “A” overall for its laws, as no state yet protects student privacy to the degree necessary in each of these areas we analyzed. Colorado earned the highest average grade of “B.” Three states – New York, Tennessee and New Hampshire– received the second highest average grade of “B-“. Eleven states received the lowest grades of “F” because they have no student privacy laws: Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin. An interactive map showing the overall grades of each state and in each of the categories is posted below.
The report tracks specific versions of state laws over time. For example, many state privacy laws enacted since 2013 were modeled after the California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA). While California barred all school vendors from selling student data, eight states subsequently passed laws that allowed the College Board and the ACT to do so. Laws with specific loopholes to allow these companies to sell student data were enacted in Arizona, Colorado, District of Columbia, Nebraska, North Carolina, Texas, Utah and Virginia --presumably because of these companies’ lobbying efforts.
The issue of data security is also critical. FERPA contains no specific protections against data breaches and hacking, nor does it require families be notified when inadvertent disclosures occur. In recent years, the number of data breaches from schools and vendors have skyrocketed, and some districts have been targeted by hackers with attempted blackmail and extortion. Congress must strengthen and update FERPA, but meanwhile, this report card can serve as a guide to parents and advocates as to which state laws should be strengthened and in which specific ways.
The report is posted here, along with a technical appendix that includes a more detailed account of how each law was evaluated is here. We also provide a downloadable matrix with links to each of the state laws that were analyzed, accounting for every point awarded in every category.