Year | State | Bill | Statute | Regulates | High Level Summary |
---|---|---|---|---|---|
2013 | Arizona | SB 1450 | ARS Title 15 § 15-142 | K12 SEA LEA | For school districts that release directory information to educational and occupational/military recruiters, they must provide students with the opportunity to opt-out of that release. Student transcripts can't be released unless the student consents in writing. |
2016 | Arizona | HB2088 | AZ REV ST § 15-117 | Early Ed K12 LEA | HB 2088 prohibits public schools from administering specified assessments or surveys to students without notifying and obtaining written informed consent from parents and prescribes penalties for violations. |
2017 | Arizona | SB1314 | AZ REV ST § 15-1046 | K12 | Relating to the Student Accountability Information System: This is a general student privacy bill that would prohibit operators from engaging in targeted advertising, using information to creates profiles about students, sell or rent student's information, or disclose covered information, with several exceptions |
2018 | Arizona | HB2088 | AZ REV ST § 15-186.01 | Vendors | This bill amends existing statutes to require that a person who conducts business in the state and that owns, maintains, or licenses unencrypted or underrated computerized data that includes personal information becomes aware of a security incident, the person shall conduct a reasonable investigation to promptly determine whether there has been a security system breach. |
2015 | Arkansas | HB 1961 | AR CODE § 6-18-109 | Vendors | Would prohibit an operator from using certain information to amass public school student profiles for certain purposes, or selling or disclosing covered information. Would allow the use of recommendation engines. |
2016 | California | AB2828 | CA CIVIL §1798.29;CA §1798.82 | Vendors | Personal information: privacy - this bill would would require a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to the person whose information was breached. |
2014 | California | AB 1584 | CA EDUC § 49073.1 | K12 Vendors | Mandates inclusion of certain provisions in an LEAs contract with a cloud service, data management, or education software vendor: student records are property and under control of LEA, how vendor will ensure security of student records, prohibits vendor from using student data for any purpose other than what is in contract, vendor must train individuals in charge of student records, and notification procedures to parents in event of unauthorized disclosure. |
2014 | California | SB 1177 | CA BUS & PROF § 22584 & CA BUS & PROF § 22585 | K12 Vendors | Prohibits K-12 website/application vendors from using, sharing, disclosing, or compiling student information for any purpose other than educational purpose and improving their service; they can't sell the information and must delete the information if the school or district requests. They have to protect the information in a reasonable manner. They can disclose info for legit research purposes as required by state/fed law. They may share aggregated de-identified student info to improve their service. |
2014 | California | AB1442 | CA EDUC § 49073.6 | K12 Vendors LEA | This bill would require a school to first notify pupils and their parents or guardians, and to provide an opportunity for public comment at a regularly scheduled public meeting before the adoption of a program to gather or maintain in its records any information obtained from social media of any pupil enrolled in the school district and to gather and maintain only information that pertains directly to school safety or to pupil safety, provide a pupil with access to any information about the pupil obtained from social media, and destroy the information gathered from social media and maintained in its records, as provided. If a school district, county office of education, or charter school contracts with a 3rd party to gather information from social media on an enrolled pupil, the bill would prohibit the 3rd party from using the information for purposes other than to satisfy the terms of the contract, prohibit the 3rd party from selling or sharing the information with any person or entity, except as provided, and would provide additional restrictions on the destruction of the information by the 3rd party, as specified. |
2016 | California | AB2097 | CA EDUC § 49076.7 | K12 SEA LEA | Relating to Pupil Records: The superintendent is required to assign a student identification number to individuals with exceptional needs for purposes of evaluating special education programs and related services. This bill prohibits school districts from collecting or soliciting social security numbers of the last 4 digits of social security numbers from pupils or their parents or guardians unless otherwise required to do so by state or federal law. This also authorizes the State Dept. of Education to additionally prohibit the collection and solicitation of other PII. |
2016 | California | AB 2799 | CA BUS & PROF § 22586 | Early Ed Vendors | Privacy: personal information - preschool and prekindergarten purposes. This bill would extend SOPIPA's protections that restricts the use of information about elementary/secondary school students by operators of websites, online services, and applications to preschool and prekindergarten purposes |
2018 | Colorado | HB 1128 | CO REV ST § 6-1-713 | Vendors | Requires notification of security breach as soon as possible and no later than after 30 days. Establishes required information included in breach notifcation. Outlines requirements for the disposal of PII by government entities, including public schools. Requires implementation of security systems to protect PII. |
2016 | Colorado | HB1423 | CO REV ST § 22-16-101-112 | Early Ed K12 SEA LEA | Student Data Transparency and Security Act: This bill adds to the existing laws re: student data security by adopting additional duties that the SBE, Dept., and school districts/boards of cooperative services/charter schools must comply with to increase transparency and security of the student PII. This requires the SBE to create and make publicly available a data inventory and dictionary that includes individual student PII - the SBE must then develop a security plan with all the basic requirements (compliance standards, audits, breach procedures) and guidance for authorizing access to the student data system. |
2018 | Connecticut | HB5170 | Special Act 18-28 | K12 LEA | This statute prohibits school employees from taking custody of a student's mobile electronic device for purposes of accessing any data or other content stored upon or accessible from such device, or compel a student to produce, display, share, or provide access to any data or other content stored upon or accessible from such device, with some exceptions. |
2016 | Connecticut | HB5469 | CT Gen St §10-234aa | K12 Vendors SEA LEA | Would include contract requirements for service providers; Would require breach notification procedures; Would prohibit an online operator from selling student PII or using it for targeted advertising or to amass student profiles except for K-12 school purposes; Would allow the use of data for personalized learning and service provision, maintenance, or improvement; establishes a task force to study issues relating to student data privacy. |
2017 | Connecticut | HB7207 | CT Gen St §10-234bb | K12 Vendors LEA | An Act making revisions to the Student Data Privacy Act of 2016: This bill requires local or regional boards of education to enter into written contracts with a contractor any time such local or regional board of education shares or provides access to student information, student records, or student generated content with such contractor. |
2018 | Connecticut | HB5444 | CT Gen St §10-234bb | K12 Vendors SEA LEA | An Act Concerning Revisions to the Student Data Privacy Act: This bill would create a uniform student data privacy terms-of-service agreement addendum for use in contracts, would require a one-time annual notice relating to contracts entered into by the board of education, would require the Department to provide written guidance on the laws relating to student data privacy, and would authorize the retention of student records required by state and federal law and for purposes of disaster recovery systems. |
2019 | Connecticut | HB6997 | CT PA 19-146 | Early Ed K12 LEA | Prohibits a local or regional board of education from disclosing or otherwise providing a student's parent or guardian who has pending charges of domestic violence against him or her with access to the educational, medical or similar records maintained in such student's cumulative record. |
2015 | Delaware | SB 79 | DE CODE Tit 14 § 8101A - DE CODE Tit 14 § 8106A | K12 Vendors | Requires service providers to: implement security procedures, delete data in reasonable time; prohibits service providers from engaging in targeted advertising, building student profiles, selling student data, disclosing data (unless for listed exceptions); establishes Student Data Privacy Task Force to make recommendations about privacy/student data. |
2016 | Delaware | SB 208 | DE CODE Tit 6 § 1204C | K12 Vendors | This bill amends the Student Data Privacy Protection Act that was created last year - it corrects a typographical error and corrects the enactment date (The recipient of the student data disclosed for K-12 school purposes of the internet/mobile application/etc. shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school). |
2016 | District of Columbia | B21-0578 | DC CODE § 38-831.01-DC CODE § 38-831.05 | Early Ed K12 Vendors SEA LEA | Bill 21-0578, the Protecting Students Digital Privacy Act of 2016, requires that any contract or agreement between a local education agency and a student information system provider shall expressly authorize and require the provider to establish, implement, and maintain appropriate security measures to protect student data; prohibits an educational institution or 1-to-1 device provider that provides a technological device to a student for overnight or home use from accessing or tracking the device except in limited circumstances; prohibits an educational institution from requiring or coercing a student or prospective student to disclose the user name and password to a personal social media account; and prohibits school employees from accessing or compelling a student to produce data stored upon, or accessible from a student's personal technological device except in limited circumstances. |
2014 | Florida | SB 188 | FL ST § 1002.22 | K12 SEA LEA | Requires State Board to annually notify parents and students of their FERPA rights. Prohibits collection or retention of information such as political and religious affiliation, voting history, or biometric information of student, sibling, or parent. Prohibits use of a student's SSN as their identification number. |
2018 | Florida | HB 731 | FL ST § 1002.41 | K12 Vendors SEA | This bill prohibits the state superintendent from storing any PII from students who are home schooled. District school superintendents are prohibited from including social security numbers or any other personal information of students in any school district or school database unless the student chooses to participate in a school district program or service. |
2023 | Florida | HB662 | K12, LEA | Student Online Personal Information Protection; Prohibits operators of websites, online services, and mobile applications from using targeted advertising on students using its product. The bill would also prohibit operators from using student information to build a profile for targeted advertising on any other site, service, or application or for any other noneducational purpose. The bill also prohibits operators from selling, sharing, or renting a student's information. | |
2015 | Georgia | SB 89 | GA CODE § 20-2-660 - GA CODE § 20-2-668 | K12 Vendors SEA LEA | Would implement numerous governance and transparency measures and would prohibit service providers from using data for commercial purposes. |
2016 | Hawaii | SB2607 | HI REV ST § 302A-500 | K12 Vendors SEA | Limits the ways in which the operator of a website, online service, online application, or mobile application working with the Dept. of Ed can use student data. (SOPIPA); they have to have security procedures in place, delete information in reasonable time; permits operator to disclose information for legitimate research purposes. |
2015 | Idaho | HCR 3 | N/A | K12 SEA LEA | Would authorize the Legislative Council to appoint a committee to study the state's SLDS to determine which data points are necessary for tracking student academic progress; which data points must be collected and reported at the aggregate level; which data points should be personally identifiable and why; the extent to which federal funding is contingent upon the collection and reporting of student data to the federal government and the cost to the state of declining such funding; and recommendations on simplifying and minimizing the collection of student data without compromising essential evaluation of educational efficacy, protecting student privacy by limiting the collection of PII, and the cost/benefit of declining federal funds. |
2014 | Idaho | SB 1372 | ID ST § 33-133 | K12 Higher ED Vendors SEA LEA | Requires State Board to: create student data system, create and make publicly available FERPA-compliant policies/procedures, develop data security plan, data retention and disposition policies (including data destruction and penalties for noncompliance), ensure validity and other requirements are met before disclosing student data for research, ensure vendor contracts include provisions that safeguard privacy and security, and notify governor/legislature of changes in data system. Prohibits collection of health records and biometric information and limits transfer of student data. Limits transfer of student data. |
2017 | Illinois | SB887 | IL ST CH 110 § 205/9.36. | Higher ED | This bill allows the Board of Higher Education to collect a fee to cover the cost of processing and handling individual student-level data requests pursuant to an approved data sharing agreement. This fee does not apply to entities complying with State or federal-mandated reporting. This bill also would prohibit the Board from providing personally identifiable information on individual students except in the case where an approved data sharing agreement is signed that includes specific requirements for safeguarding the privacy and security of any personally identifiable information in compliance with FERPA. |
2017 | Illinois | SB1796 | IL ST CH 105 § 85/1 - IL ST CH 105 § 85/99 | K12 Vendors | Student Online Personal Protection Act: this Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. This law amends the Illinois School Student Records Act and makes a technical change in a Section concerning the short title. |
2018 | Iowa | HF2354 | IA CODE § 279.71 | K12 Vendors | An Act relating to student personal information protection: This bill creates a general student privacy law - which would prohibit operators from knowingly engaging in targeted advertising, using information to amass a profile about a student, sell student's information, or disclose covered information, with several exceptions. |
2014 | Kansas | SB 367 | KS ST § 72-6312 - KS ST § 72-6320 | K12 Higher ED SEA LEA | Allows for disclosure of student data to authorized personnel from educational agency, student/parent, and state board of regents. Lists requirements for a data-sharing agreement. Only allows aggregate data to be disclosed for research. Prohibits school districts from collecting biometric data and conducting survey on life-styles (sex history, religion, etc.) unless consent given in writing. Requires educational agency to create privacy policy and notify parents and student if there is a breach. Requires board to submit yearly report to governor and legislature on changes in data collection and summary of audits. |
2016 | Kansas | HB2008 (S sub) | KS ST § 72-6331 - KS ST § 72-6334 | K12 Vendors | Creating the Student Online Personal Protection Act: An operator is prohibited from engaging in targeted advertising on the operator's educational online product if the target of the advertising is based on any information, including student information and persistent unique identifiers. Operators are prohibited from using information to create student profiles as well as prohibited from selling or renting student information to a third party. |
2019 | Kansas | HB2209 | KSA § 75-4101 | Higher ED | Provides that the state board of regents may purchase cybersecurity insurance as it deems necessary to protect student records, labor information and other statutorily protected data that the board maintains, independent of the committee on surety bonds and insurance. Provides that“cybersecurity insurance" includes, but is not limited to, first-party coverage against losses such as data destruction, denial of service attacks, theft, hacking and liability coverage guaranteeing compensation for damages from errors such as the failure to safeguard data. |
2014 | Kentucky | HB 232 | KY REV ST § 365.734. | K12 Vendors LEA | Mandates businesses that handle personally identifiable information to notify owners of that PII "in the most expedient time possible and without unreasonable delay" of any security breach. Limits a cloud computing service's use of student data to maintaining company's "integrity" and prohibits use of student data for advertising or commercial purposes. Cloud is allowed to help schools conduct research within boundaries of FERPA. |
2015 | Louisiana | HB 718 | LA REV STAT Tit. 17, § 3913 & LA REV STAT Tit. 17, § 3914 | K12 Higher ED Vendors SEA LEA | Would expand the parties districts can contract with for data services. Would leave the majority of the 2014 law's provisions in place, but would allow access in accordance with local school board policy and would prohibit any contractor from using student data for predictive modeling to limit a student's opportunities. |
2014 | Louisiana | HB 340 | LA REV STAT Tit. 51, § 1954 | Early Ed K12 Higher ED SEA LEA | Prohibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose. |
2014 | Louisiana | HB 946 (became HB 1076) | LA REV STAT Tit. 17, § 3914 | K12 Vendors SEA LEA | Prohibits school system employees from collecting lifestyle information (political belief, sexual behavior, etc.) from students without parental consent. Lists exceptions to sharing PII. Requires Department to develop system of student ID numbers. Limits who can access computers that store student data to authorized individuals. Restricts use of predictive modeling that may limit student's learning. Allows for transfer of student data to contracted vendors but also lists contract requirements: inclusion of privacy compliance standards, audits conducted under direction of local school superintendent, breach and notice procedure, and storage/deletion policy; places $10,000 fine on violation of the contract requirements. Prohibits school system or private entity from selling student data for use in advertising unless its permitted per a contract. Establishes requirements for consent forms to be given to parents to allow collection of PII. Requires postsecondary institutions to delete all data collected 5 years after student graduates. |
2014 | Louisiana | HB 1283 | LA REV STAT Tit. 17, § 3913 | K12 SEA LEA | Requires Dept. of Ed. to include information about the transfer of PII on its website regarding: who receives the PII, copy of agreement between department and recipient of PII, what data is actually transferred, statement of intended use of PII, contact person for questions, and how parents can register complaint for unauthorized transfer. |
2016 | Louisiana | SB270 | LA REV STAT Tit. 17, § 3914. | K12 SEA LEA | Relative to Student Data Privacy: The Dept. of Ed. is required to provide each city, parish, or other local public school system with information, that could include personally identifiable student information, as the school system deems necessary to verify the enrollment and residency status of each student who resides within the geographic boundaries of the school system but who is enrolled in a public school outside of the jurisdiction of the local public school system. The school system must keep information strictly confidential and shall use the information for no other purpose than verifying student enrollment and residency. |
2018 | Louisiana | HB716 | LA REV STAT Tit. 17, § 3914 | Higher ED SEA | This bill would allow an official or employee of the state Dept. of Ed. to share student information with certain postsecondary education institutions conducting academic research provided the person and the department have entered into a memorandum of understanding. |
2018 | Louisiana | HB387 | LA REV STAT Tit. 17, § 406.9. | Early Ed K12 LEA | Revises the Parents' Bill of Rights for Public Schools: This bill would amend existing law to provide parents with the right to receive a photocopy of their child's school records, at no charge within 10 days of requesting. Further, "academic records" is now defined to include interim or benchmark assessments.. |
2014 | Maine | LD 1194 | N/A | K12 Higher ED SEA LEA | Instructs the Joint Standing Committee to research concerns associated with access and privacy of social media accounts, personal email accounts, and cloud services that hold personal information (employees) and student data. Instructs Committee to draft recommendation for legislation that limits access to these accounts and provides for remedies to violations. |
2015 | Maine | HP 53 (LD59) | ME REV ST Tit. 20-A, § 6001 | Early Ed K12 SEA LEA | Would direct the Commissioner of Education to develop FERPA-aligned rules governing student data not already governed under law and determine penalties for violations of such rules. |
2015 | Maine | SP 183 | ME REV ST Tit. 20-A, § 951 - ME REV ST Tit. 20-A, § 953 | K12 Vendors LEA | Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way "inconsistent" with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students (except for advertising based on the current visit), creating a student profile except for K-12 school purposes, or retain information except as authorized or with consent. |
2017 | Maine | LD678 | ME REV ST Tit. 20-A, § 6001-C | K12 LEA | This bill specifies if a public or private school requests a student's social security number, the public school or private school shall inform the parent or guardian of the student for what purpose the social security number will be used and provide the parent, guardian, or student the opportunity to opt out of providing the social security number. Also provides for the deletion of the social security number upon departure. |
2017 | Maine | LD1616 | ME REV ST Tit. 20-A, § 953 | K12 Vendors SEA LEA | This Act corrects errors and inconsistencies in Maine laws - this bill allows operators to disclose student data: if another provision of federal or state law requires the operator to disclose the student data and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information; for legitimate research purposes; and to a state agency, school administrative unit, or school for kindergarten to grade 12 purposes, as permitted by state or federal law. |
2015 | Maryland | HB 298 | MD CODE, EDUC § 4-131 | Early Ed K12 Vendors LEA | Would prohibit an operator in contract or agreement with a public school or district Prek-12 use from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information. |
2017 | Maryland | HB 680 | Section 24–702 and 24–703(g) and (h) | Early Ed K12 Higher ED SEA LEA | Maryland Longitudinal Data System: Lengthens the period of time that MLDS can use linked data from 5 years to 20 years. |
2017 | Maryland | SB 1165 | Section 24–702 and 24–703(g) and (h) | Early Ed K12 Higher ED Vendors SEA | An Act concerning Maryland Longitudinal Data System: The Maryland Longitudinal Data System is a statewide data system that contains individual-level student data and workforce data from all levels of education and the State's workforce and allows the center to organize, manage, disaggregate, and analyze individual student data. Through this bill, the linkage of student data and workforce data for the purposes of the Longitudinal Data System shall be limited to no longer than 20 years from the date of latest attendance in any educational institution in the State. |
2018 | Maryland | HB568 | Md. Code, ED § 7-2101 | K12 SEA LEA | This bill requires the State Dept. of Ed., in consultation with the Department of Information Technology and county boards of education, to develop and update certain best practices for county boards to manage and maintain data privacy and security practices in the processing of student data and personally identifiable information across the county board's information technology and records management systems. |
2018 | Maryland | HB1254 | MD CODE, EDUC § 7-306 | K12 SEA LEA | This bill amends existing law to require the State Dept. of Ed. to disaggregate certain data in any student discipline data report in a certain manner - this data shall be disaggregated by race, ethnicity, gender, disability status, eligibility for free or reduced price meals or an equivalent measure of socioeconomic status, and English language proficiency. This bill would also require that special education data in student discipline data reports be disaggregated. Further, the Dept. is required to collect certain data on alternative school discipline practices. |
2016 | Michigan | SB 510 | MI COMP LAWS § 388.1291-1295 | K12 Vendors | An operator shall not knowingly engage in targeted advertising on the operator's site, service, or application if any of the information provided includes covered information and persistent unique identifiers. Further an operator may not use the information to amass a profile about a student except in furtherance of K-12 school purposes. Finally, an operator may not sell or rent a student's information, including covered information. There are certain exceptions under this bill where information may be disclosed (including in furtherance of the K-12 school purpose of the site, etc). An operator is required to implement and maintain reasonable security procedures and practices and delete a student's covered information if the K-12 school or school district requests deletion. |
2016 | Michigan | S33 | MI COMP LAWS § 380.1136 | K12 SEA | Initial bill language replaced with Substitute S-2. Would prohibit the Dept. of Ed. from selling or providing any pupil education record information to a for-profit business entity with the exception of an educational management organization. The Department could not disclose any information concerning a pupil that is collected or created except in accordance with a policy adopted and made publicly available by the State Board that clearly stated the criteria for disclosure. The Department would have to ensure that any contract with a vendor that allowed access to education records expressly required the vendor to protect the privacy of education records and provided express penalties for noncompliance. If the Department provided any collected or created information to a person other than the pupil's school district, intermediate school district, PSA or its authorizing body or the pupil's parent or legal guardian, the Department would have to disclose to the parent or guardian within 30 days the specific info disclosed, the name and contact information of each person to which the information was disclosed, and the reason for disclosure. |
2022 | Minnesota | HF2353 | MN ST § 13.32. | K12 Vendors LEA | This bill amends Minnesota Statutes 2020, section 13.32, subdivision 1. This bill specifies that all educational data created, received or maintained by a technology provider through a contract with a public educational agency or institution are not the technology provider's property. This bill provides for actions that must be taken when a breach of security of data occurs. This bill also places limits on the technology provider and disclosure or use of educational data, including prohibiting the sale, share, or dissemination of the data and use of data for any commercial purpose including marketing to students or parents. The bill also imposes several requirements on schools, including providing annual notice to parents and students of each edtech provider with access to student PII. Outside of specific exceptions schools and technology providers must not electronically access or monitor school issued device location, internet activity, keystrokes, camera or audio. |
2014 | Missouri | HB 1490 | MO REV ST § 161.096 | K12 Vendors SEA LEA | Mandates state board to create rules on data accessibility, transparency, and accountability and a LDS; policies to comply with FERPA; policies to approve research and data requests; develop data security plan; privacy and security audits; breach planning and notification procedures; data retention and disposition policies; data security policies (encryption and employee training); requirements for vendor contracts (vendor can't sell or use student data in advertising). Prohibits collection of individual student data (criminal record, mental/health, biometric, etc.). |
2018 | Missouri | HB 1606 | MO REV ST § 161.1475 | K12 LEA | In the event of a breach of data maintained in electronic form that includes personal information of a student, a school district shall send written notification to the parent or legal guardian of an affected student. Notification of a breach of personal information of a student shall also be sent to the department of elementary and secondary education and the state auditor. |
2019 | Montana | HB 745 | MT CODE § 20-7-1325 | Early Ed K12 Vendors SEA LEA | Provides that an operator may not knowingly engage in any of the following activities with respect to the operator's K-12 online application: engage in targeted advertising on the operator's K-12 online application; or target advertising on any other site, service, or application when the targeting of the advertising is based on any information, including protected information and persistent unique identifiers, that the operator has acquired because of the use of the operator's K-12 online application; use information, including persistent unique identifiers, created or gathered by the operator's K-12 online application to amass a profile about a pupil, except in furtherance of K-12 school purposes; sell a pupil's information, including protected information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. Provides that a school district may, pursuant to a policy adopted by its trustees, enter into a contract with a third party to: provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; or provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subsection (2). |
2017 | Nebraska | LB 512 | NE REV ST § 79-2,153 - NE REV ST § 79-2,155 | K12 Vendors | This bill creates the Student Online Personal Protection Act - this is a general privacy statute that would prohibit operators from knowingly engaging in targeted advertising, or amassing profiles about students, and it prohibits selling or renting a student's covered information. |
2013 | Nebraska | LB 262 | Neb. Rev. Stat. § 79-2,104 | K12 SEA LEA | Allows student, parents, teachers, and admin. access to the student's files and records. Parents must provide consent for anyone else to have access to the files/records. Discipline information must be destroyed after three years of a student's absence from the school. Permits sharing of information between school districts and the State Board of Ed. |
2015 | Nevada | SB 463 | NV REV ST § 388.282 - 296 | Early Ed K12 Vendors SEA LEA | Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent. Would require annual PD on services and their data security. |
2015 | Nevada | AB 221 | NV REV ST § 388.268-273 | K12 Vendors SEA LEA | Would require the state and districts to create public data inventories and would require certain provisions in contracts with service providers. Would require state and district reporting on changes to data collection or management. Would instruct the state to develop a security policy and charge districts with complying. Would instruct the state to create rules around teacher use of online services. |
2017 | Nevada | AB 7 | NV REV ST § 388.283 | K12 Vendors | This bill amends existing statute to provide that a "school service" is an internet website, online service, or mobile application that: collects or maintains personally identifiable information concerning a pupil, is used primarily for educational purposes, and is designed and marketed for use in public schools and is used at the direction of teachers and other educational personnel. It does not include anything designed or marketed for use by a general audience, an internal database, system, or program maintained or operated by a school district, charter school, or university school for profoundly gifted pupils, or a school service for which a school service provider has been designated as a school official under FERPA. |
2019 | Nevada | SB403 | NRS §34 388.2955 | Early Ed K12 Vendors SEA LEA | Revises the prohibition on targeted advertising by a school service provider to prohibit the school service provider from engaging in targeted advertising within its school service or on any other Internet website, online service or mobile application if the targeted advertising is based upon information gathered from its school service. Authorizes a school service provider to use the personally identifiable information of a pupil to perform certain research which is required or authorized by federal or state law. Authorizes a school service provider to use aggregated, de-identified information derived from the personally identifiable information of pupils to develop and improve the products of the school service provider. Requires a public school to provide information regarding the risks associated with the collection of covered information of a pupil to a pupil or the parent or legal guardian of a pupil before the public school allows the pupil to use any school service or provides any item of technology to the pupil |
2014 | New Hampshire | HB 1587 | N.H. Rev. Stat. § 189:67 | Early Ed K12 Vendors SEA LEA | Restricts the collection of certain type of data on students and their families to be stored on SLDS. Schools can release student name or identifier to testing agency only to identify the test taker but cannot give student PI to testing entity to perform a test analysis. Testing entity must destroy data as soon as test taker is identified. |
2015 | New Hampshire | HB 322 | NH Rev Stat § 189:66 | K12 SEA LEA | Would require the state Dept. of Ed to create data security and breach notification policies. Plan must include audits, notification of breach procedures, and data retention and deletion policies. Would require the Dept. of Ed to produce a public annual data security breach report. Data referred to herein covers both student and teacher data. Dept. of Ed must ensure students and parents are aware of their rights regarding amending and disclosure of student data and right to file FERPA complaint. |
2015 | New Hampshire | HB 507 | NH Rev Stat § 189:68 | K12 SEA LEA | Would prohibit a school or district form disclosing student or teacher PII to any testing entity performing test-data analysis. Except as permitted in state code, would prohibit the disclosure of student or teacher PII in the SLDS or any department data system to any entity other than the student or teacher's school district. Would prohibit the recording of a classroom without consent or school board approval. |
2015 | New Hampshire | HB 520 | NH Rev Stat § 189:68-a | K12 Vendors | Would prohibit an operator from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information. |
2016 | New Hampshire | HB1372 | NH Rev Stat § 189:68 | K12 LEA | Prohibits recording a classroom for the purpose of teacher evaluation without school board approval after a public hearing and without written consent of teacher and parents of each student. Does not prohibit recording a classroom for a student with a disability whose IEP includes such recordings, for use of student instructional purposes, or for instruction of teacher interns. |
2016 | New Hampshire | HB1497 | NH Rev Stat § 189:67 | K12 Vendors LEA | An Act Relative to the Limits on the Disclosure of Information Used on College Entrance Exams: this bill requires school districts to destroy personal information of students following the completion and verification of certain tests. This bill also gives students taking college entrance exams the option to have all their personal information destroyed by the testing entity following the completion and verification of the test. This bill specifies that schools may disclose studentsÂ’ names, unique pupil identifiers, but not both, and birth date for the sole purpose of identifying the test taker. there is an exception when this is collected in conjunction with the SAT or ACT. This information then shall be destroyed as soon as verification of test takers is complete. Students taking the ACT or SAT, when that test is used for the state assessment, may opt to have all personal information destroyed by the testing agency. |
2018 | New Hampshire | HB1551 | NH Rev Stat § 186-C:10-a | K12 LEA | This bill adds a new section to existing statute specifying that upon a student's graduation from high school, his or her parents may request the LEA in writing to have the student's records and final individualized education program destroyed at that time or request that the records be retained until the student's 26th birthday. Absent any request by the student's parents at the time of graduation, the LEA shall destroy a student's records and final individualized education program within a reasonable time after the student's 26th birthday, provided all records be destroyed by a student's 30th birthday. |
2018 | New Hampshire | HB1612 | NH Rev Stat § 189:66 | K12 Vendors LEA | This bill amends an existing privacy statute: This bill would now require each LEA to create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data fields; develop a data security plan; make publicly available students' and parents' rights under FERPA; requires school districts that use digital badges to obtain the written consent of a parent or legal guardian; modifies certain requirements for contracting with operators of Internet websites. |
2020 | New Jersey | A4978 | N.J.S. 56 § 8-215 | K12 Vendors LEA | Prohibits online education services from disclosing student educational records, amassing profiles of student data for non-educational purposes, and requires deletion of data in certain instances. |
2021 | New York | AB A6787D | NY STATE TECH § 106-B | K12 SEA LEA | Imposes a ban on the purchase and use of biometric identification technologies. Requires a study. |
2014 | New York | SB 6356 | NY EDUC §2-C | K12 SEA LEA | Education agency can decide not to provide a service provider PII for the purposes of creating a data system or have that information deleted upon request to the Dept.; Dept. and Ed. Commissioner cannot provide any PII to a service provider. |
2014 | New York | SB 6356 | NY EDUC §2-D | K12 Vendors SEA LEA | Mandates appointment of a Chief Privacy Officer whose duties include: assisting in data breaches, implementing privacy practices, designing data request procedure, reviewing Dept. proposals on student or teacher data. Mandates publication of a Parents Bill of Rights for Data Privacy and that it is included in all contracts with service providers (lists requirements of the Bill of Rights). Mandates provisions for contracts with service providers. |
2014 | North Carolina | SB 815 | N.C. Gen. Stat. § 115C-402.5 | K12 Vendors SEA LEA | Requires state board to create data system and data security plan with all the basic guidelines; privacy policies that comply with FERPA; prohibits transfer of data unless authorized by law; contracts with vendors have to include specific provisions; board must report to governor/leg. annually regarding change in data collection; prohibits collection of biometric and lifestyle information from students. Requires boards to notify parents annually about student records, opt-out opportunities for disclosure of information, and their rights under state and federal law. |
2016 | North Carolina | HB632 (2015) | NC GEN ST § 115C-401.2 | K12 | Prohibits Internet/application service providers to K-12 schools from engaging in targeted advertising based on covered information, using information to amass a profile aside from furthering K-12 purposes, selling student information, disclosing covered information (except for listed exceptions). Requires service provider to implement security procedures and delete covered information upon request school or local board of education. Provides cause of action for violation of the terms. |
2017 | North Dakota | SB 2295 | ND CENT CODE § 44-04-18.28 | K12 Higher ED SEA | A bill relating to the exemption of state university and college title IX records from public disclosure: This bill exempts university research records and student personally identifiable information from public disclosure. This however, does not apply to a student record or other information disclosed by an institution under the control of the state board of higher education to the statewide longitudinal data system. Further, any record relating to a complaint or investigation under title IX of the Education Amendments of 1972 at an institution under the control of the state board of higher education is an exempt record. |
2013 | Oklahoma | HB 1989 | OK 70 O.S. § 3-168 | K12 Vendors SEA LEA | Mandates the State Board to create and make publicly available an inventory of student data and for what purposes data is collected. Limits reasons for the State to transfer student data. Mandates State Board to create data security plan which includes privacy and security audits, breach procedures, and data retention and disposition policies. Governs privacy provisions in vendor contracts. Annually update the Governor and Legislature on a variety of updates, changes, and security audits in regards to new student data in the system. |
2016 | Oklahoma | HB2784 | K12 LEA | Student Records: The Board of Education of each school district is required to compile and maintain temporary and permanent records of students enrolled and must regulate access, disclosure, or communication of information contained in the student records in a manner consistent with state and federal law | |
2017 | Oklahoma | HB 1506 | 70 O.S. Supp. 2016, Section 24-114 | K12 SEA LEA | The board of education of each school district in Oklahoma shall compile and maintain both temporary and permanent records of students enrolled in the district and regulate access, disclosure or communication of information contained in the student records in a manner consistent with state and federal law. This bill specifies that all documents and information in student records may be stored either electronically or in paper format, and be either in a single or multiple file format. |
2024 | Oklahoma | HB 1506 | 70 O.S. Supp. 2016, Section 24-114 | K12 LEA | Student communication; requiring certain communication with student to include student's parent or guardian |
2015 | Oregon | HB 3953 | OR REV ST § 326.565 | K12 SEA LEA | Would require the state board to develop rules around when education records can be transferred by a school. Would allow parents "the right to limit the collection, storage, use and transmittal of academic information and personally identifiable data." Would allow parents to opt-out of statewide summative assessments. Would require information on summative assessments administered, their purpose, information for the student on the assessment and its use, and who has access to the data. |
2015 | Oregon | SB 187 | OR REV ST § 336.184 | K12 Vendors | Would prohibit an online service operator from using student data for commercial or secondary purposes while allowing for recommendation engines, personalized learning, and service improvement. |
2014 | Rhode Island | HB 7124 | RI Gen. Laws § 16-103-2 | Early Ed K12 Higher ED | Prohibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose. Prohibits the educational institution from requesting student log into an account in presence of school administration or staff and from adding school administration or staff as a contract on the account as a condition of participating in an extracurricular activity. |
2014 | South Carolina | HB 3893 | SC Code Ann. §59-1-490 | K12 SEA LEA | Dept. of Ed. cannot collect student data from students or families unless it is to comply with IDEA. The Dept. has to have a data management system to which only authorized individuals can access. Dept. must also have data request procedures |
2014 | South Dakota | SB 63 | SDCL §13-3-51 | K12 SEA LEA | Mandates Dept. of Ed. to create uniform system to gather and report educational data for the purposes of evaluating educational progress. Dept. must write annual report on progress and submit it to legislature, school districts, and public. Schools can't collect lifestyle information unless adult student or parent provides consent. Prohibits Dept. to report PII to US Dept. of Ed. but can provide aggregated information. |
2014 | Tennessee | SB 1835 (HB 1549) | TCA § 49-1-309 | K12 Vendors SEA LEA | Data collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes. |
2016 | Tennessee | HB 1931 (SB 1900) | TCA § 49-1-702 | Early Ed K12 Higher ED Vendors LEA | Would prohibit the the principal/designee from identifying the victim of harassment, intimidation, bullying, or cyber-bullying from being identified in a public report (Draft #2). Data collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes. (Final codified version) |
2017 | Texas | HB 2087 | TX EDUC § 32.151 - TX EDUC § 32.157 | K12 Vendors LEA | This bill relates to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose. |
2015 | Texas | HB 4046 | TX GOVT § 552.114 | Early Ed K12 Higher ED LEA | Defines student record to include information an applicant sends for admission or transfer to a school. Would allow information to be redacted without requesting a decision from the AG. Would allow schools to release data upon request of a student or parent for admission processes. |
2023 | Texas | HB18 | Texas Education Code, Chapter 32 | K12, LEA | Requires the SEA to adopt standards for LEA electronic devices and software applications that (1) minimize students data collection (2) require informed parental consent for a student's use of a software application, with limited exceptions. (3) ensure software applications do not conduct mental health assessments without informed parental consent; (4) ensure that parents are provided the resources to understand cybersecurity and online safety risks. (5) specify periods of time during which a student electronic device must be deactivated in the interest of student safety; (7) consider appropriate restrictions on student electronic device access to social media websites or applications; (8) require a district or school, before using a social media application for an educational purpose, to determine that an alternative application that is more secure and provides the same educational functionality as the social media application is unavailable for that educational purpose; (9) consider the required use of an Internet filter capable of notifying appropriate school administrators, who are then required to notify the student's parent, if a student accesses Inappropriate content |
2022 | Maryland | HB769 | K12, LEA | Student Data Privacy – Protections, Digital Tools, and Student Data Privacy Council : Adds definition of persistent unique ID, removed requirement to publish a list of digital tools |
|
2019 | Texas | SB 820 | TX EDUC § 11.175 | Early Ed K12 LEA | Requires that each school district shall develop and maintain a cybersecurity framework for: (1)the securing of district cyber infrastructure against cyber attacks and other cybersecurity incidents; and (2)cybersecurity risk assessment and mitigation planning. (c)school district’s cybersecurity framework must be consistent with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code. Provides that (d)the superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters.(e)The district’s cybersecurity coordinator shall report to the agency any cyber attack, attempted cyber attack, or other cybersecurity incident against the district cyber infrastructure as soon as practicable after the discovery of the attack or incident. |
2022 | Utah | SB226 | Utah Code §53B-28-501-Utah Code §53B-28-505 | Higher ED Vendors SEA | This bill enacts and amends provisions related to higher education data privacy and governance. Transfers the Utah Data Resource Center (center) from the Department of Workforce Services to the Utah System of Higher Education; expands the duties of the center by requiring the center to collect and promoteaccess to data from institutions of higher education and collaborate with the Boardof Higher Education and the State Board of Education to coordinate access to certain student identifier information; requires the commissioner of higher education to: appoint a director of the center to serve as chair of the Utah Data Research Advisory Board and appoint the member who represents the center to the School Readiness Board; requires the center to include information regarding the center's activities and accomplishments in the center's annual report to the Legislature; provides for higher education student data protection at the state and institution of higher education (institution) levels; requires the state privacy officer to establish a privacy advisory group; enacts requirements for data protection and maintenance for the Utah Board of Higher Education, institutions, and third-party contractors; creates requirements for a third-party contractor's use of student data; creates penalties for an institution that contracts with a third-party contractor that permits unauthorized collecting, sharing, or use of student data. |
2015 | Utah | HB 163 | Utah Code § 53E-9-202 | K12 SEA LEA | Would require an education entity to notify the parent if there is a release of the student's PII due to a security breach. |
2015 | Utah | SB 204 | Utah Code § 53G-6-801 | K12 SEA LEA | Would allow a parent to opt-out of any federally or state mandated assessment or an assessment that requires use of a state assessment system or software that is provided or paid for by the state. Would require the State Board to publish a list of state assessments, state assessment systems, and software that qualify under the bill. |
2016 | Utah | HB358 | Utah Code § 53E-9-301 | K12 Vendors SEA LEA | Establishes that "a student own's the student's PII"; Would require the state board to establish a student data policy advisory group to discuss and make recommendations regarding enacted or proposed legislation and state and local student data protection policies in the state; Would require state board to establish a student data governance advisory group that performs duties related to state and local data protection; Would require the state board to establish a student data users advisory group composed of members who use student data at the local level and provides feedback and suggestion on the practicality of actions proposed by the student data policy advisory group and the student data governance advisory group; Would prohibit collection of SSN by an edu entity; Defines 'permanent record'; Would require the board to make rules regarding using and expunging student data; Prohibits educational entity from sharing student PII except as provided in FERPA and this bill |
2017 | Utah | SB102 | Utah Code § 53F-5-201 | K12 LEA | This bill provides that local school boards or charter schools governing boards must require public schools to make lists of individuals who are authorized to access education records. Further, local school and charter governing boards must provide training on student privacy laws and require individuals who are authorized to access education records to complete training on student privacy laws. Finally, this bill would prohibit local school boards and charter school governing boards, public schools, or school employees from sharing an education record with a school employee who is not authorized without written consent. |
2017 | Utah | SB 163 | Utah Code § 53E-9-305 | K12 Vendors SEA LEA | This bill modifies provisions of the Student Data Protection Act.; expands and clarifies the definition of targeted advertising; deletes the requirement that any education entity that collects student data shall prepare and distribute to parents and students a student data disclosure statement that states that parents and students are responsible for the collection, use, or sharing of student data; permits a third-party contractor to identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria. |
2018 | Utah | SB207 | Utah Code § 53E-9-301 | K12 SEA LEA | This bill amends provisions related to student data protection. This bill would establish who may access a student's student data. Further, the board is required to make rules to define a significant data breach. This bill also amends existing statute regarding collection notice statements. Finally, this bill would prohibit education entities, including student data manager, from sharing personally identifiable student data without written consent. |
2019 | Utah | HB 27 | Utah Code §53E-9-301 | K12 Higher ED SEA | Updates public education definitions, modifies that the student data manager shall share student data with the state board rather than just "the board" |
2019 | Utah | HB 28 | Utah Code §53G-3-202 | K12 Higher ED SEA | Updates public education definitions, modifies that the student data manager shall share student data with the state board rather than just "the board" |
2019 | Utah | SB164 | Utah Code §53E-9-305 | K12 Higher ED Vendors SEA LEA | Repeals provisions related to the State Board of Education sharing student data with the Utah Registry of Autism and Developmental Disabilities and repeals provisions related to the State Board of Education sharing student data with the State Board of Regents. |
2020 | Utah | SB 166 | UT 53E-1-203 | Early Ed K12 SEA | Requires law enforcement to provide and validate information necessary for the state board to complete a required report on incidents that occur on school grounds; clarifies requirements regarding the content of privacy notices; exempts schools from certain contractual provisions related to sharing directory information if the directory information is shared in accordance with federal law; binds other government agencies that contract on behalf of education entities to the same requirements as education entities; clarifies that education entities may obtain written authorization to waive a provision of a contract with a third-party contractor related to a student's student data; and requires information related to suspension or expulsion to appear in a student's cumulative folder. |
2018 | Virginia | HB1 | VA CODE §§22.1-287, | K12 Higher ED SEA LEA | Clarifies that the definition of "scholastic records" in the Virginia Freedom of Information Act includes directory information, but also provides that such directory information may be released to the public only if the student who is the subject of such information, or the student's parent or legal guardian if the student is less than 18 years of age, has expressly consented, in writing, to the release of such information. Amends §§ 22.1-287, 22.1-287.1, and 23.1-405 of the Code of Virginia |
2014 | Virginia | SB 242 | VA Code § 23.1-405 | Higher ED | A private or public institution of higher education can request from students who are committed to attend or currently attend their complete student record, including mental health record. No public institution of higher education shall sell students' personal information to any person. |
2015 | Virginia | HB 1334 | VA Code § 22.1. Education § 22.1-289.01 | K12 SEA | Would require the state Dept. of Ed to develop and make publicly available policies to ensure state and local compliance with FERPA and state privacy laws (including policies around access to PII and review of requests from public and private entities) and require parental notification in instances of possible disclosures of electronic records in violation of FERPA or other federal or state law and remedial measures being taken. |
2015 | Virginia | HB 1612 | VA Code § 22.1. Education § 22.1-289.01 | K12 Vendors LEA | Would require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way "inconsistent" with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent. |
2015 | Virginia | HB 1698 | VA Code § 22.1-79.3 | K12 LEA | Would require parental notice before the administration of any survey on "sensitive" topics, an explanation of privacy measures, and the right to exempt their child from participating. |
2015 | Virginia | HB 2350 | VA Code Title 22.1. Education § 22.1-20.2. | K12 SEA LEA | Would direct the state Dept. of Ed and the Virginia Information Technologies Agency to develop a model data security plan for districts to implement policies and procedures related to the protection of student data and data systems. Would require the Dept. of Ed to designate a chief data security officer to assist local school divisions with the development or implementation of policies around data security and data use. |
2016 | Virginia | SB 438 | VA Code § 22.1. Education § 22.1-289.01 | Higher ED | This bill prohibits a public or private institution of higher education from requiring a student to disclose the username or password to any of such studentÂ’s personal social media accounts. It also prohibits a public institution of higher education from selling student PII. |
2016 | Virginia | HB519 | VA Code § 22.1. Education § 22.1-289.01 | K12 Vendors LEA | Would require school-affiliated entities (e.g. alumni associations, PTAs, scholarship organizations) to provide information on the student PII they collect and maintain and implement privacy and security policies. Would prohibit these entities from selling student PII or collecting, using, or disclosing it without consent. |
2016 | Virginia | HB 749 | VA Code § 22.1. Education § 22.1-289.01 | K12 Vendors | School Service Providers: Makes several changes to the provisions relating to the protection of student personal information by school service providers, including (i) providing that student personal information does not include information that is publicly available; (ii) defining "targeted advertising" as advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information and prohibiting school service providers from knowingly using or sharing any student personal information for the purpose of targeted advertising for students in operating a school service pursuant to a contract with a local school division; and (iii) clarifying that other provisions of law do not prohibit school service providers from performing certain acts, including disclosing student personal information to ensure legal or regulatory compliance, protect against liability, protect the security or integrity of its school service, respond to or participate in judicial process, or protect the safety of school service users or other individuals. |
2016 | Virginia | HB 750 | VA Code § 22.1. Education § 22.1-289.01 | K12 Vendors | Student personal information: Excludes any website, mobile application, or online service that is used for the purposes of college and career readiness assessment from the definition of “school service,” thus relieving providers of such websites, mobile applications, and online services from the obligation to provide various protections for student personal information collected through such websites, mobile applications, and online services. Each school service provider under this bill is required to provide clear information about the types of student personal information it collects through any school service and how it uses and shares such student personal information. |
2017 | Virginia | SB951 | VA Code § 22.1. Education § 22.1-289.01 | K12 Vendors LEA | School Service Provider: student access to collected personal information: This bill requires school service providers to provide each student's parent with access to a downloadable electronic copy of any student personal information pertaining to such student that has been collected, maintained, used, or shared by the school service provider. Contracts between local school boards and school service providers may require that such copy be in a machine-readable format. |
2019 | Virginia | HB2449 | VA Code §23.1-405 | K12 Higher ED Vendors SEA LEA | Scholastic records; disclosure of directory information. Provides that a school or institution of higher education may disclose certain directory information of a student to certain internal persons for educational purposes or internal business if the student has not opted out of such disclosure. Under current law, such disclosures require written consent. The bill also provides an exception for state and federal law requirements from the prohibition of such disclosures. |
2022 | Virginia | SB 764ER | VA CODE §§ 2.2-603, 2.2-2009, and 2.2-5514 | N K12 Higher ED SEA LEA | Every public body shall report all (i) known incidents that threaten the security of the Commonwealth's data or communications or result in exposure of data protected by federal or state laws and (ii) other incidents compromising the security of the public body's information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in § 2.2-2005, or his designee at the Virginia Information Technologies Agency, promptly upon receipt. |
2015 | Washington | SB 5419 (HB 1495) | WV CODE § 18-2-5h | K12 Vendors | Would require service providers to provide clear privacy policies and notice of any policy changes. Would require service providers to have a security plan. Would prohibit service providers from selling student information or from using it for targeted advertising, creating a profile, or any purpose not agreed to without consent.[Senate version of HB 1495] |
2016 | West Virginia | HB4261 | WV CODE §18-2-5h | K12 Higher ED SEA | Student Data Accessibility, Transparency, and Accountability Act: A bill relating to student data - this bill prohibits the sale of transfer of student data to vendors and other profit making entities. Provides for certain exceptions including when the department enters a contract that governs student or redacted data with a contractor for the purpose of state level reporting; in the event the ACT or SAT tests are adopted as the state summative assessment, allows the ACT or College Board to use certain information; requiring written consent if information classified as confidential is required. |
2014 | West Virginia | HB 4316 | WV Code § 18-2-5h | K12 SEA LEA | Mandates the Dept. of Ed. to create data system, create and make publicly available policies that comply with FERPA, restrict access to the data system to authorized staff, notify parents of inter-agency sharing agreements and give parents opportunity to opt-out of sharing their student's data, develop data request procedures, develop data security plan with the basic requirements (compliance, audits, breach procedures, data retention/disposition, employee training), ensure vendor contracts have express provisions that safeguard privacy and security and penalties for noncompliance, notify governor/legislature of updates to data collection and audits. Prohibits collection of lifestyle information and reporting to state any biometric information. Mandates appointment of data governance manager and lists responsibilities. Development of guidance for districts to notify and deal with parental requests to access student data. |
2014 | Wyoming | SF 79 | WY Stat. § 21-2-202 | K12 SEA LEA | Mandates Dept. of Enterprise Technology Services and State Superintendent to establish criteria for education data mgmt. system on education accountability and assessment, teacher certification, and school finances. Also mandates creation of data security plan with all the basic requirements; policies that comply with FERPA; prohibits sale of student data to private entities. |
2017 | Wyoming | HB0008 | WY ST § 21-2-202 | K12 SEA LEA | This Act would amend requirements of the State Superintendent and Department of Enterprise Technology Services regarding the state data security plan. This would ensure privacy of student data collected - this would require certain policies for the collection, access, privacy, security, and use of student data by school districts. |
2017 | Wyoming | HB0009 | WY ST § 21-17-124 | Higher ED | Student Electronic Writings and Other Electronic Communications - Expectation of Privacy. No ownership rights to any electronic writing or other electronic communication created by a student shall be conveyed, transferred, or otherwise affected solely as a result of the writing or other communication being stored on an electronic device paid for in whole or part by the university or transmitted or stored on the university's network. |
2021 | Virginia | HB2031 | VA 15.2-1723.2 | Higher ED | Facial recognition technology; authorization of use by local law-enforcement agencies and campus police departments at public institutions of higher education. Provides that no local law-enforcement agency or campus police department shall purchase or deploy facial recognition technology, defined in the bill, unless such purchase or deployment is expressly authorized by statute. The bill prohibits a local law-enforcement agency or campus police department at a public institution of higher education currently using facial recognition technology from continuing to use such technology without such authorization effective until July 1, 2026. |
2024 | Ohio | SB29 | OH Section 3319.325 | K12 LEA | SB 29 prohibits schools and their technology providers from accessing or monitoring: A school-issued device's: location-tracking features; or audio or visual receiving, transmitting, or recording features, or student interactions with school-issued devices, such as their keystrokes and web browsing. School districts must provide parents and students with a specified annual notice of any education technology provider contracts that affect a student's educational records and include contact information for questions or concerns and offer parents and students contract inspection opportunities. Contracts between school districts and technology providers must Ensure appropriate security safeguards to protect educational records. In addition an education technology provider must comply with the data collection, use, and protection requirements and limitations imposed on school districts by Ohio R.C. 1347.01 to 1347.99 as if it was a school district itself. After discovering a data breach affecting educational records, disclose information necessary for the school district to fulfill its data breach notification obligations under Ohio R.C. 1347.12. Destroy or return educational records within 90 days of contract expiration unless renewal is reasonably anticipated. Key restrictions prohibit technology providers from using educational records for any commercial purpose other than the contracted services. Selling, sharing, or disseminating educational records except as part of a valid assignment or delegation of their contracts or if a listed exception applies. Technology providers may use de-identified, aggregated records for limited product and service development, maintenance, support, and operations purposes. |
2020 | Vermont | S110 | VT Title 9 Chapter 62 Subchapter 3A | K12 Vendors | Modeled on California’s Student Online Personal Information Protection Act – this section of the bill prevents educational technology companies from using information collected about students for non-educational purposes. |