In addition to the federal student privacy laws, at least 40 states have passed student privacy laws in recent years since the controversy over inBloom Inc. first erupted in 2013.
Here is a comprehensive list with links to 99 state student privacy laws passed between 2014 and 2018 that were analyzed for our State Privacy report card. More details concerning the history and some individual state laws are below.
In 2014, 110 bills were introduced on student data privacy in 36 states, with 24 signed into law. In 2015, more than 180 student privacy bills were introduced, of which 28 became laws. In 2016, 34 states introduced 112 bills, of which 18 passed in 15 states, according to the Data Quality Campaign. In 2017, 36 states introduced 95 bills and approved 31 new laws addressing the use and protection of student data.
- First, check out the January 2018 State Student Privacy Report Card, created by our Parent Coalition and the Network for Public Education, along with an interactive map that grades every one of the fifty states on its student privacy laws in seven categories: Transparency, Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; Oversight, Enforcement, and Penalties for Violations, Parties Covered and Other, a catch-all for provisions that did not fit into any of the above categories. Here is a technical appendix that explains our methodology in more detail.
- In preparing the report, we created a downloadable matrix with links to the 99 state student privacy laws that were approved between 2013 and 2018, which also specifies how many points we awarded to each of them and in what category. If you’d like to check out which student privacy laws your state has passed, this is a good place to start.
- Snell and Wilner summarized some notable state student privacy laws in Feb. 2017.
- You can click here to view student privacy legislation passed in 2017, according to the Data Quality Campaign.
- An earlier 2016 state-by-state summary is available in the State Student Privacy Law Compendium , a joint project between Center for Democracy & Technology (CDT) and BakerHostetler.
- In 2015, the Software & Information Industry Association posted a Comparison Chart of 2015 State Laws modeled after the CA law SOPIPA (see below) and a Comparison Chart of 2014 Laws .
Links to some specific state laws are below. Longer descriptions are from the National Conference of State Legislatures. You should check out their website as well as here for updates.
- California : SB 1177 or Student Online Personal Information Protection Act (SOPIPA) (2014). Summary by Cooley LLP. SOPIPA prohibits an operator of a website, online service, online application or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure. A very comprehensive guide was released in Nov. 2016 by the CA Attorney General office on SOPIPA as well as the two other CA student privacy laws listed below. Also see the Data Privacy Guide (2015) on CA student privacy laws, produced by CETPA, the CCSESA and Fagen Friedman & Fulfrost.
- California: AB-1584 (2014) Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software. Now incorporated as CA Education Code Section 49073.1
- California: AB-2799 (2016) Privacy: personal information: preschool and prekindergarten purposes. Applies student privacy protections to preschool personal data.
- Colorado: HB14-1294 (2014); the Student Data Privacy Act, requires the State Board of Education to publish an inventory of the individual student data currently in the student data system as required by state and federal education mandates, as well as any student data proposed for inclusion in this system. It prohibits the Department of Education from providing individual student data to other organizations or agencies outside the state except under specified circumstances.
- Colorado: HB16-1423 (2016); Summary by Mintz Levin.
- Connecticut: Public Act 16-189 ( 2016); Summary by Shipman & Goodwin LLP.
- Georgia: SB 89 (2015), the Student Data Privacy, Accessibility and Transparency Act, requires an inventory of data elements being collected, including a reason for why each is collected; gives parents rights to review their child’s education record and requires schools to provide electronic copies of student records to their parents upon request; requires development of a data security plan for the state data system; requires technology providers working with schools to develop appropriate security procedures and prohibits them from selling personal information about students or using it for targeted advertising; and provides for the Department of Education to designate a Chief Privacy Officer.
- Idaho: SB 1372 (2014), the Student Data Accessibility, Transparency and Accountability Act of 2014, requires the State Board of Education to create, publish and make publicly available a data inventory that defines individual student data fields included in the student data system. The index must include any individual student data required to be reported by state and federal education mandates; any individual student data proposed for inclusion in the student data system with a statement explaining the reason for inclusion; and any individual student data collected or maintained with no current purpose or reason. The board is required to ensure that any contracts that govern databases, online services, assessments or instructional supports that include student data and are outsourced to private vendors, include express provisions that safeguard privacy and security, contain the restrictions on secondary uses of student data, and provide for data destruction. The act also includes penalties for noncompliance.
- Illinois: Illinois School Student Records Act (ISSRA) (105 ILCS 10/1) (1975) : an older law which notably allows for a private right of action if a student’s privacy rights are violated by a school or district. More on this law here.
- Kentucky: HB232-14RS (2014) ; Summary by Jackson Lewis.
- Louisiana: HB 718 (2015); Summary by SIIA.
- Oklahoma: HB 1989 (2013), the Student Data Accessibility, Transparency and Accountability Act, requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma. It also restricts the state from requesting delinquency records, criminal records, medical and health records, social security numbers and biometric information as part of student data collected from local schools and districts.
- Rhode Island: HB 7124 (2014) limits the use of student data and information obtained by cloud computing service providers when providing services to K-12 educational institutions. It also prohibits the use of such data for commercial purposes, including advertising that benefits the service provider.
- West Virginia: HB 4316 (2014) outlines state, district and school responsibilities for data inventory and provides for a data governance officer. It requires the State Board of Education to develop guidelines for school districts, requiring them to notify parents of their right to request student information and allow parents to access data specific to their child’s educational record; ensure security when providing student data to parents; make sure student data is provided only to authorized individuals; and detail the time frame within which record requests must be provided.
State Social Media Legislation
Illinois (allows schools to request access to personal accounts)
Illinois (bill introduced requiring schools districts to seek a court order to access personal accounts)