State Student Privacy Laws

YearStateBillStatuteRegulatesHigh Level Summary
2013ArizonaSB 1450ARS Title 15 § 15-142K12 SEA LEAFor school districts that release directory information to educational and occupational/military recruiters, they must provide students with the opportunity to opt-out of that release. Student transcripts can't be released unless the student consents in writing.
2016ArizonaHB2088AZ REV ST § 15-117Early Ed K12 LEAHB 2088 prohibits public schools from administering specified assessments or surveys to students without notifying and obtaining written informed consent from parents and prescribes penalties for violations.
2017ArizonaSB1314AZ REV ST § 15-1046K12Relating to the Student Accountability Information System: This is a general student privacy bill that would prohibit operators from engaging in targeted advertising, using information to creates profiles about students, sell or rent student's information, or disclose covered information, with several exceptions
2018ArizonaHB2088AZ REV ST § 15-186.01VendorsThis bill amends existing statutes to require that a person who conducts business in the state and that owns, maintains, or licenses unencrypted or underrated computerized data that includes personal information becomes aware of a security incident, the person shall conduct a reasonable investigation to promptly determine whether there has been a security system breach.
2015ArkansasHB 1961AR CODE § 6-18-109VendorsWould prohibit an operator from using certain information to amass public school student profiles for certain purposes, or selling or disclosing covered information. Would allow the use of recommendation engines.
2016CaliforniaAB2828CA CIVIL §1798.29;CA §1798.82VendorsPersonal information: privacy - this bill would would require a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to the person whose information was breached.
2014CaliforniaAB 1584CA EDUC § 49073.1K12 VendorsMandates inclusion of certain provisions in an LEAs contract with a cloud service, data management, or education software vendor: student records are property and under control of LEA, how vendor will ensure security of student records, prohibits vendor from using student data for any purpose other than what is in contract, vendor must train individuals in charge of student records, and notification procedures to parents in event of unauthorized disclosure.
2014CaliforniaSB 1177CA BUS & PROF § 22584 & CA BUS & PROF § 22585K12 VendorsProhibits K-12 website/application vendors from using, sharing, disclosing, or compiling student information for any purpose other than educational purpose and improving their service; they can't sell the information and must delete the information if the school or district requests. They have to protect the information in a reasonable manner. They can disclose info for legit research purposes as required by state/fed law. They may share aggregated de-identified student info to improve their service.
2014CaliforniaAB1442CA EDUC § 49073.6K12 Vendors LEAThis bill would require a school to first notify pupils and their parents or guardians, and to provide an opportunity for public comment at a regularly scheduled public meeting before the adoption of a program to gather or maintain in its records any information obtained from social media of any pupil enrolled in the school district and to gather and maintain only information that pertains directly to school safety or to pupil safety, provide a pupil with access to any information about the pupil obtained from social media, and destroy the information gathered from social media and maintained in its records, as provided. If a school district, county office of education, or charter school contracts with a 3rd party to gather information from social media on an enrolled pupil, the bill would prohibit the 3rd party from using the information for purposes other than to satisfy the terms of the contract, prohibit the 3rd party from selling or sharing the information with any person or entity, except as provided, and would provide additional restrictions on the destruction of the information by the 3rd party, as specified.
2016CaliforniaAB2097CA EDUC § 49076.7K12 SEA LEARelating to Pupil Records: The superintendent is required to assign a student identification number to individuals with exceptional needs for purposes of evaluating special education programs and related services. This bill prohibits school districts from collecting or soliciting social security numbers of the last 4 digits of social security numbers from pupils or their parents or guardians unless otherwise required to do so by state or federal law. This also authorizes the State Dept. of Education to additionally prohibit the collection and solicitation of other PII.
2016CaliforniaAB 2799CA BUS & PROF § 22586Early Ed VendorsPrivacy: personal information - preschool and prekindergarten purposes. This bill would extend SOPIPA's protections that restricts the use of information about elementary/secondary school students by operators of websites, online services, and applications to preschool and prekindergarten purposes
2018ColoradoHB 1128CO REV ST § 6-1-713VendorsRequires notification of security breach as soon as possible and no later than after 30 days. Establishes required information included in breach notifcation. Outlines requirements for the disposal of PII by government entities, including public schools. Requires implementation of security systems to protect PII.
2016ColoradoHB1423CO REV ST § 22-16-101-112Early Ed K12 SEA LEAStudent Data Transparency and Security Act: This bill adds to the existing laws re: student data security by adopting additional duties that the SBE, Dept., and school districts/boards of cooperative services/charter schools must comply with to increase transparency and security of the student PII. This requires the SBE to create and make publicly available a data inventory and dictionary that includes individual student PII - the SBE must then develop a security plan with all the basic requirements (compliance standards, audits, breach procedures) and guidance for authorizing access to the student data system.
2018ConnecticutHB5170Special Act 18-28K12 LEAThis statute prohibits school employees from taking custody of a student's mobile electronic device for purposes of accessing any data or other content stored upon or accessible from such device, or compel a student to produce, display, share, or provide access to any data or other content stored upon or accessible from such device, with some exceptions.
2016ConnecticutHB5469CT Gen St §10-234aaK12 Vendors SEA LEAWould include contract requirements for service providers; Would require breach notification procedures; Would prohibit an online operator from selling student PII or using it for targeted advertising or to amass student profiles except for K-12 school purposes; Would allow the use of data for personalized learning and service provision, maintenance, or improvement; establishes a task force to study issues relating to student data privacy.
2017ConnecticutHB7207CT Gen St §10-234bbK12 Vendors LEAAn Act making revisions to the Student Data Privacy Act of 2016: This bill requires local or regional boards of education to enter into written contracts with a contractor any time such local or regional board of education shares or provides access to student information, student records, or student generated content with such contractor.
2018ConnecticutHB5444CT Gen St §10-234bbK12 Vendors SEA LEAAn Act Concerning Revisions to the Student Data Privacy Act: This bill would create a uniform student data privacy terms-of-service agreement addendum for use in contracts, would require a one-time annual notice relating to contracts entered into by the board of education, would require the Department to provide written guidance on the laws relating to student data privacy, and would authorize the retention of student records required by state and federal law and for purposes of disaster recovery systems.
2019ConnecticutHB6997CT PA 19-146Early Ed K12 LEAProhibits a local or regional board of education from disclosing or otherwise providing a student's parent or guardian who has pending charges of domestic violence against him or her with access to the educational, medical or similar records maintained in such student's cumulative record.
2015DelawareSB 79DE CODE Tit 14 § 8101A - DE CODE Tit 14 § 8106AK12 VendorsRequires service providers to: implement security procedures, delete data in reasonable time; prohibits service providers from engaging in targeted advertising, building student profiles, selling student data, disclosing data (unless for listed exceptions); establishes Student Data Privacy Task Force to make recommendations about privacy/student data.
2016DelawareSB 208DE CODE Tit 6 § 1204CK12 VendorsThis bill amends the Student Data Privacy Protection Act that was created last year - it corrects a typographical error and corrects the enactment date (The recipient of the student data disclosed for K-12 school purposes of the internet/mobile application/etc. shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school).
2016District of ColumbiaB21-0578DC CODE § 38-831.01-DC CODE § 38-831.05Early Ed K12 Vendors SEA LEABill 21-0578, the Protecting Students Digital Privacy Act of 2016, requires that any contract or agreement between a local education agency and a student information system provider shall expressly authorize and require the provider to establish, implement, and maintain appropriate security measures to protect student data; prohibits an educational institution or 1-to-1 device provider that provides a technological device to a student for overnight or home use from accessing or tracking the device except in limited circumstances; prohibits an educational institution from requiring or coercing a student or prospective student to disclose the user name and password to a personal social media account; and prohibits school employees from accessing or compelling a student to produce data stored upon, or accessible from a student's personal technological device except in limited circumstances.
2014FloridaSB 188FL ST § 1002.22K12 SEA LEARequires State Board to annually notify parents and students of their FERPA rights. Prohibits collection or retention of information such as political and religious affiliation, voting history, or biometric information of student, sibling, or parent. Prohibits use of a student's SSN as their identification number.
2018FloridaHB 731FL ST § 1002.41 K12 Vendors SEAThis bill prohibits the state superintendent from storing any PII from students who are home schooled. District school superintendents are prohibited from including social security numbers or any other personal information of students in any school district or school database unless the student chooses to participate in a school district program or service.
2023FloridaHB662K12, LEAStudent Online Personal Information Protection; Prohibits operators of websites, online services, and mobile applications from using targeted advertising on students using its product. The bill would also prohibit operators from using student information to build a profile for targeted advertising on any other site, service, or application or for any other noneducational purpose. The bill also prohibits operators from selling, sharing, or renting a student's information.
2015GeorgiaSB 89GA CODE § 20-2-660 - GA CODE § 20-2-668K12 Vendors SEA LEAWould implement numerous governance and transparency measures and would prohibit service providers from using data for commercial purposes.
2016HawaiiSB2607HI REV ST § 302A-500K12 Vendors SEALimits the ways in which the operator of a website, online service, online application, or mobile application working with the Dept. of Ed can use student data. (SOPIPA); they have to have security procedures in place, delete information in reasonable time; permits operator to disclose information for legitimate research purposes.
2015IdahoHCR 3N/AK12 SEA LEAWould authorize the Legislative Council to appoint a committee to study the state's SLDS to determine which data points are necessary for tracking student academic progress; which data points must be collected and reported at the aggregate level; which data points should be personally identifiable and why; the extent to which federal funding is contingent upon the collection and reporting of student data to the federal government and the cost to the state of declining such funding; and recommendations on simplifying and minimizing the collection of student data without compromising essential evaluation of educational efficacy, protecting student privacy by limiting the collection of PII, and the cost/benefit of declining federal funds.
2014IdahoSB 1372ID ST § 33-133K12 Higher ED Vendors SEA LEARequires State Board to: create student data system, create and make publicly available FERPA-compliant policies/procedures, develop data security plan, data retention and disposition policies (including data destruction and penalties for noncompliance), ensure validity and other requirements are met before disclosing student data for research, ensure vendor contracts include provisions that safeguard privacy and security, and notify governor/legislature of changes in data system. Prohibits collection of health records and biometric information and limits transfer of student data. Limits transfer of student data.
2017IllinoisSB887IL ST CH 110 § 205/9.36.Higher EDThis bill allows the Board of Higher Education to collect a fee to cover the cost of processing and handling individual student-level data requests pursuant to an approved data sharing agreement. This fee does not apply to entities complying with State or federal-mandated reporting. This bill also would prohibit the Board from providing personally identifiable information on individual students except in the case where an approved data sharing agreement is signed that includes specific requirements for safeguarding the privacy and security of any personally identifiable information in compliance with FERPA.
2017IllinoisSB1796IL ST CH 105 § 85/1 - IL ST CH 105 § 85/99K12 VendorsStudent Online Personal Protection Act: this Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. This law amends the Illinois School Student Records Act and makes a technical change in a Section concerning the short title.
2018IowaHF2354IA CODE § 279.71K12 VendorsAn Act relating to student personal information protection: This bill creates a general student privacy law - which would prohibit operators from knowingly engaging in targeted advertising, using information to amass a profile about a student, sell student's information, or disclose covered information, with several exceptions.
2014KansasSB 367KS ST § 72-6312 - KS ST § 72-6320K12 Higher ED SEA LEAAllows for disclosure of student data to authorized personnel from educational agency, student/parent, and state board of regents. Lists requirements for a data-sharing agreement. Only allows aggregate data to be disclosed for research. Prohibits school districts from collecting biometric data and conducting survey on life-styles (sex history, religion, etc.) unless consent given in writing. Requires educational agency to create privacy policy and notify parents and student if there is a breach. Requires board to submit yearly report to governor and legislature on changes in data collection and summary of audits.
2016KansasHB2008 (S sub)KS ST § 72-6331 - KS ST § 72-6334K12 VendorsCreating the Student Online Personal Protection Act: An operator is prohibited from engaging in targeted advertising on the operator's educational online product if the target of the advertising is based on any information, including student information and persistent unique identifiers. Operators are prohibited from using information to create student profiles as well as prohibited from selling or renting student information to a third party.
2019KansasHB2209KSA § 75-4101Higher EDProvides that the state board of regents may purchase cybersecurity insurance as it deems necessary to protect student records, labor information and other statutorily protected data that the board maintains, independent of the committee on surety bonds and insurance. Provides that“cybersecurity insurance" includes, but is not limited to, first-party coverage against losses such as data destruction, denial of service attacks, theft, hacking and liability coverage guaranteeing compensation for damages from errors such as the failure to safeguard data.
2014KentuckyHB 232KY REV ST § 365.734.K12 Vendors LEAMandates businesses that handle personally identifiable information to notify owners of that PII "in the most expedient time possible and without unreasonable delay" of any security breach. Limits a cloud computing service's use of student data to maintaining company's "integrity" and prohibits use of student data for advertising or commercial purposes. Cloud is allowed to help schools conduct research within boundaries of FERPA.
2015LouisianaHB 718LA REV STAT Tit. 17, § 3913 & LA REV STAT Tit. 17, § 3914K12 Higher ED Vendors SEA LEAWould expand the parties districts can contract with for data services. Would leave the majority of the 2014 law's provisions in place, but would allow access in accordance with local school board policy and would prohibit any contractor from using student data for predictive modeling to limit a student's opportunities.
2014LouisianaHB 340LA REV STAT Tit. 51, § 1954Early Ed K12 Higher ED SEA LEAProhibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose.
2014LouisianaHB 946 (became HB 1076)LA REV STAT Tit. 17, § 3914K12 Vendors SEA LEAProhibits school system employees from collecting lifestyle information (political belief, sexual behavior, etc.) from students without parental consent. Lists exceptions to sharing PII. Requires Department to develop system of student ID numbers. Limits who can access computers that store student data to authorized individuals. Restricts use of predictive modeling that may limit student's learning. Allows for transfer of student data to contracted vendors but also lists contract requirements: inclusion of privacy compliance standards, audits conducted under direction of local school superintendent, breach and notice procedure, and storage/deletion policy; places $10,000 fine on violation of the contract requirements. Prohibits school system or private entity from selling student data for use in advertising unless its permitted per a contract. Establishes requirements for consent forms to be given to parents to allow collection of PII. Requires postsecondary institutions to delete all data collected 5 years after student graduates.
2014LouisianaHB 1283LA REV STAT Tit. 17, § 3913K12 SEA LEARequires Dept. of Ed. to include information about the transfer of PII on its website regarding: who receives the PII, copy of agreement between department and recipient of PII, what data is actually transferred, statement of intended use of PII, contact person for questions, and how parents can register complaint for unauthorized transfer.
2016LouisianaSB270LA REV STAT Tit. 17, § 3914.K12 SEA LEARelative to Student Data Privacy: The Dept. of Ed. is required to provide each city, parish, or other local public school system with information, that could include personally identifiable student information, as the school system deems necessary to verify the enrollment and residency status of each student who resides within the geographic boundaries of the school system but who is enrolled in a public school outside of the jurisdiction of the local public school system. The school system must keep information strictly confidential and shall use the information for no other purpose than verifying student enrollment and residency.
2018LouisianaHB716LA REV STAT Tit. 17, § 3914Higher ED SEAThis bill would allow an official or employee of the state Dept. of Ed. to share student information with certain postsecondary education institutions conducting academic research provided the person and the department have entered into a memorandum of understanding.
2018LouisianaHB387LA REV STAT Tit. 17, § 406.9.Early Ed K12 LEARevises the Parents' Bill of Rights for Public Schools: This bill would amend existing law to provide parents with the right to receive a photocopy of their child's school records, at no charge within 10 days of requesting. Further, "academic records" is now defined to include interim or benchmark assessments..
2014MaineLD 1194N/AK12 Higher ED SEA LEAInstructs the Joint Standing Committee to research concerns associated with access and privacy of social media accounts, personal email accounts, and cloud services that hold personal information (employees) and student data. Instructs Committee to draft recommendation for legislation that limits access to these accounts and provides for remedies to violations.
2015MaineHP 53 (LD59)ME REV ST Tit. 20-A, § 6001Early Ed K12 SEA LEAWould direct the Commissioner of Education to develop FERPA-aligned rules governing student data not already governed under law and determine penalties for violations of such rules.
2015MaineSP 183ME REV ST Tit. 20-A, § 951 - ME REV ST Tit. 20-A, § 953K12 Vendors LEAWould require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way "inconsistent" with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students (except for advertising based on the current visit), creating a student profile except for K-12 school purposes, or retain information except as authorized or with consent.
2017MaineLD678ME REV ST Tit. 20-A, § 6001-CK12 LEAThis bill specifies if a public or private school requests a student's social security number, the public school or private school shall inform the parent or guardian of the student for what purpose the social security number will be used and provide the parent, guardian, or student the opportunity to opt out of providing the social security number. Also provides for the deletion of the social security number upon departure.
2017MaineLD1616ME REV ST Tit. 20-A, § 953K12 Vendors SEA LEAThis Act corrects errors and inconsistencies in Maine laws - this bill allows operators to disclose student data: if another provision of federal or state law requires the operator to disclose the student data and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information; for legitimate research purposes; and to a state agency, school administrative unit, or school for kindergarten to grade 12 purposes, as permitted by state or federal law.
2015MarylandHB 298MD CODE, EDUC § 4-131Early Ed K12 Vendors LEAWould prohibit an operator in contract or agreement with a public school or district Prek-12 use from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information.
2017MarylandHB 680Section 24–702 and 24–703(g) and (h)
Early Ed K12 Higher ED SEA LEAMaryland Longitudinal Data System: Lengthens the period of time that MLDS can use linked data from 5 years to 20 years.
2017MarylandSB 1165Section 24–702 and 24–703(g) and (h)
Early Ed K12 Higher ED Vendors SEAAn Act concerning Maryland Longitudinal Data System: The Maryland Longitudinal Data System is a statewide data system that contains individual-level student data and workforce data from all levels of education and the State's workforce and allows the center to organize, manage, disaggregate, and analyze individual student data. Through this bill, the linkage of student data and workforce data for the purposes of the Longitudinal Data System shall be limited to no longer than 20 years from the date of latest attendance in any educational institution in the State.
2018MarylandHB568Md. Code, ED § 7-2101K12 SEA LEAThis bill requires the State Dept. of Ed., in consultation with the Department of Information Technology and county boards of education, to develop and update certain best practices for county boards to manage and maintain data privacy and security practices in the processing of student data and personally identifiable information across the county board's information technology and records management systems.
2018MarylandHB1254MD CODE, EDUC § 7-306K12 SEA LEAThis bill amends existing law to require the State Dept. of Ed. to disaggregate certain data in any student discipline data report in a certain manner - this data shall be disaggregated by race, ethnicity, gender, disability status, eligibility for free or reduced price meals or an equivalent measure of socioeconomic status, and English language proficiency. This bill would also require that special education data in student discipline data reports be disaggregated. Further, the Dept. is required to collect certain data on alternative school discipline practices.
2016MichiganSB 510MI COMP LAWS § 388.1291-1295K12 VendorsAn operator shall not knowingly engage in targeted advertising on the operator's site, service, or application if any of the information provided includes covered information and persistent unique identifiers. Further an operator may not use the information to amass a profile about a student except in furtherance of K-12 school purposes. Finally, an operator may not sell or rent a student's information, including covered information. There are certain exceptions under this bill where information may be disclosed (including in furtherance of the K-12 school purpose of the site, etc). An operator is required to implement and maintain reasonable security procedures and practices and delete a student's covered information if the K-12 school or school district requests deletion.
2016MichiganS33MI COMP LAWS § 380.1136K12 SEAInitial bill language replaced with Substitute S-2. Would prohibit the Dept. of Ed. from selling or providing any pupil education record information to a for-profit business entity with the exception of an educational management organization. The Department could not disclose any information concerning a pupil that is collected or created except in accordance with a policy adopted and made publicly available by the State Board that clearly stated the criteria for disclosure. The Department would have to ensure that any contract with a vendor that allowed access to education records expressly required the vendor to protect the privacy of education records and provided express penalties for noncompliance. If the Department provided any collected or created information to a person other than the pupil's school district, intermediate school district, PSA or its authorizing body or the pupil's parent or legal guardian, the Department would have to disclose to the parent or guardian within 30 days the specific info disclosed, the name and contact information of each person to which the information was disclosed, and the reason for disclosure.
2022MinnesotaHF2353MN ST § 13.32.K12 Vendors LEAThis bill amends Minnesota Statutes 2020, section 13.32, subdivision 1. This bill specifies that all educational data created, received or maintained by a technology provider through a contract with a public educational agency or institution are not the technology provider's property. This bill provides for actions that must be taken when a breach of security of data occurs. This bill also places limits on the technology provider and disclosure or use of educational data, including prohibiting the sale, share, or dissemination of the data and use of data for any commercial purpose including marketing to students or parents. The bill also imposes several requirements on schools, including providing annual notice to parents and students of each edtech provider with access to student PII. Outside of specific exceptions schools and technology providers must not electronically access or monitor school issued device location, internet activity, keystrokes, camera or audio.
2014MissouriHB 1490MO REV ST § 161.096K12 Vendors SEA LEAMandates state board to create rules on data accessibility, transparency, and accountability and a LDS; policies to comply with FERPA; policies to approve research and data requests; develop data security plan; privacy and security audits; breach planning and notification procedures; data retention and disposition policies; data security policies (encryption and employee training); requirements for vendor contracts (vendor can't sell or use student data in advertising). Prohibits collection of individual student data (criminal record, mental/health, biometric, etc.).
2018MissouriHB 1606MO REV ST § 161.1475K12 LEAIn the event of a breach of data maintained in electronic form that includes personal information of a student, a school district shall send written notification to the parent or legal guardian of an affected student. Notification of a breach of personal information of a student shall also be sent to the department of elementary and secondary education and the state auditor.
2019MontanaHB 745MT CODE § 20-7-1325Early Ed K12 Vendors SEA LEAProvides that an operator may not knowingly engage in any of the following activities with respect to the operator's K-12 online application: engage in targeted advertising on the operator's K-12 online application; or target advertising on any other site, service, or application when the targeting of the advertising is based on any information, including protected information and persistent unique identifiers, that the operator has acquired because of the use of the operator's K-12 online application; use information, including persistent unique identifiers, created or gathered by the operator's K-12 online application to amass a profile about a pupil, except in furtherance of K-12 school purposes; sell a pupil's information, including protected information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. Provides that a school district may, pursuant to a policy adopted by its trustees, enter into a contract with a third party to: provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; or provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subsection (2).
2017NebraskaLB 512NE REV ST § 79-2,153 - NE REV ST § 79-2,155K12 VendorsThis bill creates the Student Online Personal Protection Act - this is a general privacy statute that would prohibit operators from knowingly engaging in targeted advertising, or amassing profiles about students, and it prohibits selling or renting a student's covered information.
2013NebraskaLB 262Neb. Rev. Stat. § 79-2,104K12 SEA LEAAllows student, parents, teachers, and admin. access to the student's files and records. Parents must provide consent for anyone else to have access to the files/records. Discipline information must be destroyed after three years of a student's absence from the school. Permits sharing of information between school districts and the State Board of Ed.
2015NevadaSB 463NV REV ST § 388.282 - 296Early Ed K12 Vendors SEA LEAWould require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent. Would require annual PD on services and their data security.
2015NevadaAB 221NV REV ST § 388.268-273K12 Vendors SEA LEAWould require the state and districts to create public data inventories and would require certain provisions in contracts with service providers. Would require state and district reporting on changes to data collection or management. Would instruct the state to develop a security policy and charge districts with complying. Would instruct the state to create rules around teacher use of online services.
2017NevadaAB 7NV REV ST § 388.283K12 VendorsThis bill amends existing statute to provide that a "school service" is an internet website, online service, or mobile application that: collects or maintains personally identifiable information concerning a pupil, is used primarily for educational purposes, and is designed and marketed for use in public schools and is used at the direction of teachers and other educational personnel. It does not include anything designed or marketed for use by a general audience, an internal database, system, or program maintained or operated by a school district, charter school, or university school for profoundly gifted pupils, or a school service for which a school service provider has been designated as a school official under FERPA.
2019NevadaSB403NRS §34 388.2955Early Ed K12 Vendors SEA LEARevises the prohibition on targeted advertising by a school service provider to prohibit the school service provider from engaging in targeted advertising within its school service or on any other Internet website, online service or mobile application if the targeted advertising is based upon information gathered from its school service. Authorizes a school service provider to use the personally identifiable information of a pupil to perform certain research which is required or authorized by federal or state law. Authorizes a school service provider to use aggregated, de-identified information derived from the personally identifiable information of pupils to develop and improve the products of the school service provider. Requires a public school to provide information regarding the risks associated with the collection of covered information of a pupil to a pupil or the parent or legal guardian of a pupil before the public school allows the pupil to use any school service or provides any item of technology to the pupil
2014New HampshireHB 1587N.H. Rev. Stat. § 189:67Early Ed K12 Vendors SEA LEARestricts the collection of certain type of data on students and their families to be stored on SLDS. Schools can release student name or identifier to testing agency only to identify the test taker but cannot give student PI to testing entity to perform a test analysis. Testing entity must destroy data as soon as test taker is identified.
2015New HampshireHB 322NH Rev Stat § 189:66 K12 SEA LEAWould require the state Dept. of Ed to create data security and breach notification policies. Plan must include audits, notification of breach procedures, and data retention and deletion policies. Would require the Dept. of Ed to produce a public annual data security breach report. Data referred to herein covers both student and teacher data. Dept. of Ed must ensure students and parents are aware of their rights regarding amending and disclosure of student data and right to file FERPA complaint.
2015New HampshireHB 507NH Rev Stat § 189:68K12 SEA LEAWould prohibit a school or district form disclosing student or teacher PII to any testing entity performing test-data analysis. Except as permitted in state code, would prohibit the disclosure of student or teacher PII in the SLDS or any department data system to any entity other than the student or teacher's school district. Would prohibit the recording of a classroom without consent or school board approval.
2015New HampshireHB 520NH Rev Stat § 189:68-aK12 VendorsWould prohibit an operator from using certain information to amass student profiles for certain purposes, or selling or disclosing covered information.
2016New HampshireHB1372NH Rev Stat § 189:68K12 LEAProhibits recording a classroom for the purpose of teacher evaluation without school board approval after a public hearing and without written consent of teacher and parents of each student. Does not prohibit recording a classroom for a student with a disability whose IEP includes such recordings, for use of student instructional purposes, or for instruction of teacher interns.
2016New HampshireHB1497NH Rev Stat § 189:67K12 Vendors LEAAn Act Relative to the Limits on the Disclosure of Information Used on College Entrance Exams: this bill requires school districts to destroy personal information of students following the completion and verification of certain tests. This bill also gives students taking college entrance exams the option to have all their personal information destroyed by the testing entity following the completion and verification of the test. This bill specifies that schools may disclose studentsÂ’ names, unique pupil identifiers, but not both, and birth date for the sole purpose of identifying the test taker. there is an exception when this is collected in conjunction with the SAT or ACT. This information then shall be destroyed as soon as verification of test takers is complete. Students taking the ACT or SAT, when that test is used for the state assessment, may opt to have all personal information destroyed by the testing agency.
2018New HampshireHB1551NH Rev Stat § 186-C:10-aK12 LEAThis bill adds a new section to existing statute specifying that upon a student's graduation from high school, his or her parents may request the LEA in writing to have the student's records and final individualized education program destroyed at that time or request that the records be retained until the student's 26th birthday. Absent any request by the student's parents at the time of graduation, the LEA shall destroy a student's records and final individualized education program within a reasonable time after the student's 26th birthday, provided all records be destroyed by a student's 30th birthday.
2018New HampshireHB1612NH Rev Stat § 189:66 K12 Vendors LEAThis bill amends an existing privacy statute: This bill would now require each LEA to create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data fields; develop a data security plan; make publicly available students' and parents' rights under FERPA; requires school districts that use digital badges to obtain the written consent of a parent or legal guardian; modifies certain requirements for contracting with operators of Internet websites.
2020New JerseyA4978N.J.S. 56 § 8-215K12 Vendors LEAProhibits online education services from disclosing student educational records, amassing profiles of student data for non-educational purposes, and requires deletion of data in certain instances.
2021New YorkAB A6787DNY STATE TECH § 106-BK12 SEA LEAImposes a ban on the purchase and use of biometric identification technologies. Requires a study.
2014New YorkSB 6356NY EDUC §2-CK12 SEA LEAEducation agency can decide not to provide a service provider PII for the purposes of creating a data system or have that information deleted upon request to the Dept.; Dept. and Ed. Commissioner cannot provide any PII to a service provider.
2014New YorkSB 6356NY EDUC §2-DK12 Vendors SEA LEAMandates appointment of a Chief Privacy Officer whose duties include: assisting in data breaches, implementing privacy practices, designing data request procedure, reviewing Dept. proposals on student or teacher data. Mandates publication of a Parents Bill of Rights for Data Privacy and that it is included in all contracts with service providers (lists requirements of the Bill of Rights). Mandates provisions for contracts with service providers.
2014North CarolinaSB 815N.C. Gen. Stat. § 115C-402.5K12 Vendors SEA LEARequires state board to create data system and data security plan with all the basic guidelines; privacy policies that comply with FERPA; prohibits transfer of data unless authorized by law; contracts with vendors have to include specific provisions; board must report to governor/leg. annually regarding change in data collection; prohibits collection of biometric and lifestyle information from students. Requires boards to notify parents annually about student records, opt-out opportunities for disclosure of information, and their rights under state and federal law.
2016North CarolinaHB632 (2015)NC GEN ST § 115C-401.2K12Prohibits Internet/application service providers to K-12 schools from engaging in targeted advertising based on covered information, using information to amass a profile aside from furthering K-12 purposes, selling student information, disclosing covered information (except for listed exceptions). Requires service provider to implement security procedures and delete covered information upon request school or local board of education. Provides cause of action for violation of the terms.
2017North DakotaSB 2295ND CENT CODE § 44-04-18.28K12 Higher ED SEAA bill relating to the exemption of state university and college title IX records from public disclosure: This bill exempts university research records and student personally identifiable information from public disclosure. This however, does not apply to a student record or other information disclosed by an institution under the control of the state board of higher education to the statewide longitudinal data system. Further, any record relating to a complaint or investigation under title IX of the Education Amendments of 1972 at an institution under the control of the state board of higher education is an exempt record.
2013OklahomaHB 1989OK 70 O.S. § 3-168K12 Vendors SEA LEAMandates the State Board to create and make publicly available an inventory of student data and for what purposes data is collected. Limits reasons for the State to transfer student data. Mandates State Board to create data security plan which includes privacy and security audits, breach procedures, and data retention and disposition policies. Governs privacy provisions in vendor contracts. Annually update the Governor and Legislature on a variety of updates, changes, and security audits in regards to new student data in the system.
2016OklahomaHB2784K12 LEAStudent Records: The Board of Education of each school district is required to compile and maintain temporary and permanent records of students enrolled and must regulate access, disclosure, or communication of information contained in the student records in a manner consistent with state and federal law
2017OklahomaHB 150670 O.S. Supp. 2016, Section 24-114K12 SEA LEAThe board of education of each school district in Oklahoma shall compile and maintain both temporary and permanent records of students enrolled in the district and regulate access, disclosure or communication of information contained in the student records in a manner consistent with state and federal law. This bill specifies that all documents and information in student records may be stored either electronically or in paper format, and be either in a single or multiple file format.
2024OklahomaHB 150670 O.S. Supp. 2016, Section 24-114K12 LEAStudent communication; requiring certain communication with student to include student's parent or guardian
2015OregonHB 3953OR REV ST § 326.565K12 SEA LEAWould require the state board to develop rules around when education records can be transferred by a school. Would allow parents "the right to limit the collection, storage, use and transmittal of academic information and personally identifiable data." Would allow parents to opt-out of statewide summative assessments. Would require information on summative assessments administered, their purpose, information for the student on the assessment and its use, and who has access to the data.
2015OregonSB 187OR REV ST § 336.184K12 VendorsWould prohibit an online service operator from using student data for commercial or secondary purposes while allowing for recommendation engines, personalized learning, and service improvement.
2014Rhode IslandHB 7124RI Gen. Laws § 16-103-2Early Ed K12 Higher EDProhibits public or private educational institutions (and employers) from requesting login information from students or prospectives (and employees) to their personal online account that is not used for school-related communications. Prohibits the educational institution from chastising student in any way for failure to disclose. Prohibits the educational institution from requesting student log into an account in presence of school administration or staff and from adding school administration or staff as a contract on the account as a condition of participating in an extracurricular activity.
2014South CarolinaHB 3893SC Code Ann. §59-1-490K12 SEA LEADept. of Ed. cannot collect student data from students or families unless it is to comply with IDEA. The Dept. has to have a data management system to which only authorized individuals can access. Dept. must also have data request procedures
2014South DakotaSB 63SDCL §13-3-51K12 SEA LEAMandates Dept. of Ed. to create uniform system to gather and report educational data for the purposes of evaluating educational progress. Dept. must write annual report on progress and submit it to legislature, school districts, and public. Schools can't collect lifestyle information unless adult student or parent provides consent. Prohibits Dept. to report PII to US Dept. of Ed. but can provide aggregated information.
2014TennesseeSB 1835 (HB 1549)TCA § 49-1-309K12 Vendors SEA LEAData collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes.
2016TennesseeHB 1931 (SB 1900)TCA § 49-1-702Early Ed K12 Higher ED Vendors LEAWould prohibit the the principal/designee from identifying the victim of harassment, intimidation, bullying, or cyber-bullying from being identified in a public report (Draft #2). Data collected for the use of or testing under educational standards adopted by the board can only be used to track the academic progress and needs of students. Prohibits collection of and sharing with the federal government any personally identifiable data and lifestyle information of students and their families (including biometric and psychometric); prohibits collection of student data for commercial or political purposes. (Final codified version)
2017TexasHB 2087TX EDUC § 32.151 - TX EDUC § 32.157K12 Vendors LEAThis bill relates to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose.
2015TexasHB 4046TX GOVT § 552.114Early Ed K12 Higher ED LEADefines student record to include information an applicant sends for admission or transfer to a school. Would allow information to be redacted without requesting a decision from the AG. Would allow schools to release data upon request of a student or parent for admission processes.
2023TexasHB18Texas Education Code, Chapter 32K12, LEARequires the SEA to adopt standards for LEA electronic devices and software applications that (1) minimize students data collection (2) require informed parental consent for a student's use of a software application, with limited exceptions. (3) ensure software applications do not conduct mental health assessments without informed parental consent; (4) ensure that parents are provided the resources to understand cybersecurity and online safety risks. (5) specify periods of time during which a student electronic device must be deactivated in the interest of student safety; (7) consider appropriate restrictions on student electronic device access to social media websites or applications; (8) require a district or school, before using a social media application for an educational purpose, to determine that an alternative application that is more secure and provides the same educational functionality as the social media application is unavailable for that educational purpose; (9) consider the required use of an Internet filter capable of notifying appropriate school administrators, who are then required to notify the student's parent, if a student accesses Inappropriate content
2022MarylandHB769 K12, LEAStudent Data Privacy – Protections, Digital Tools, and Student Data Privacy Council
: Adds definition of persistent unique ID, removed requirement to publish a list of digital tools
2019TexasSB 820TX EDUC § 11.175Early Ed K12 LEARequires that each school district shall develop and maintain a cybersecurity framework for: (1)the securing of district cyber infrastructure against cyber attacks and other cybersecurity incidents; and (2)cybersecurity risk assessment and mitigation planning. (c)school district’s cybersecurity framework must be consistent with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code. Provides that (d)the superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters.(e)The district’s cybersecurity coordinator shall report to the agency any cyber attack, attempted cyber attack, or other cybersecurity incident against the district cyber infrastructure as soon as practicable after the discovery of the attack or incident.
2022UtahSB226Utah Code §53B-28-501-Utah Code §53B-28-505Higher ED Vendors SEAThis bill enacts and amends provisions related to higher education data privacy and governance. Transfers the Utah Data Resource Center (center) from the Department of Workforce Services to the Utah System of Higher Education;
expands the duties of the center by requiring the center to collect and promoteaccess to data from institutions of higher education and collaborate with the Boardof Higher Education and the State Board of Education to coordinate access to certain student identifier information;
requires the commissioner of higher education to: appoint a director of the center to serve as chair of the Utah Data Research Advisory Board and appoint the member who represents the center to the School Readiness Board;
requires the center to include information regarding the center's activities and accomplishments in the center's annual report to the Legislature; provides for higher education student data protection at the state and institution of higher education (institution) levels;
requires the state privacy officer to establish a privacy advisory group;
enacts requirements for data protection and maintenance for the Utah Board of Higher Education, institutions, and third-party contractors;
creates requirements for a third-party contractor's use of student data; creates penalties for an institution that contracts with a third-party contractor that permits unauthorized collecting, sharing, or use of student data.
2015UtahHB 163Utah Code § 53E-9-202K12 SEA LEAWould require an education entity to notify the parent if there is a release of the student's PII due to a security breach.
2015UtahSB 204Utah Code § 53G-6-801 K12 SEA LEAWould allow a parent to opt-out of any federally or state mandated assessment or an assessment that requires use of a state assessment system or software that is provided or paid for by the state. Would require the State Board to publish a list of state assessments, state assessment systems, and software that qualify under the bill.
2016UtahHB358Utah Code § 53E-9-301K12 Vendors SEA LEAEstablishes that "a student own's the student's PII"; Would require the state board to establish a student data policy advisory group to discuss and make recommendations regarding enacted or proposed legislation and state and local student data protection policies in the state; Would require state board to establish a student data governance advisory group that performs duties related to state and local data protection; Would require the state board to establish a student data users advisory group composed of members who use student data at the local level and provides feedback and suggestion on the practicality of actions proposed by the student data policy advisory group and the student data governance advisory group; Would prohibit collection of SSN by an edu entity; Defines 'permanent record'; Would require the board to make rules regarding using and expunging student data; Prohibits educational entity from sharing student PII except as provided in FERPA and this bill
2017UtahSB102Utah Code § 53F-5-201K12 LEAThis bill provides that local school boards or charter schools governing boards must require public schools to make lists of individuals who are authorized to access education records. Further, local school and charter governing boards must provide training on student privacy laws and require individuals who are authorized to access education records to complete training on student privacy laws. Finally, this bill would prohibit local school boards and charter school governing boards, public schools, or school employees from sharing an education record with a school employee who is not authorized without written consent.
2017UtahSB 163Utah Code § 53E-9-305K12 Vendors SEA LEAThis bill modifies provisions of the Student Data Protection Act.; expands and clarifies the definition of targeted advertising; deletes the requirement that any education entity that collects student data shall prepare and distribute to parents and students a student data disclosure statement that states that parents and students are responsible for the collection, use, or sharing of student data; permits a third-party contractor to identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria.
2018UtahSB207Utah Code § 53E-9-301K12 SEA LEAThis bill amends provisions related to student data protection. This bill would establish who may access a student's student data. Further, the board is required to make rules to define a significant data breach. This bill also amends existing statute regarding collection notice statements. Finally, this bill would prohibit education entities, including student data manager, from sharing personally identifiable student data without written consent.
2019UtahHB 27Utah Code §53E-9-301K12 Higher ED SEAUpdates public education definitions, modifies that the student data manager shall share student data with the state board rather than just "the board"
2019UtahHB 28Utah Code §53G-3-202K12 Higher ED SEAUpdates public education definitions, modifies that the student data manager shall share student data with the state board rather than just "the board"
2019UtahSB164Utah Code §53E-9-305K12 Higher ED Vendors SEA LEARepeals provisions related to the State Board of Education sharing student data with the Utah Registry of Autism and Developmental Disabilities and repeals provisions related to the State Board of Education sharing student data with the State Board of Regents.
2020UtahSB 166UT 53E-1-203Early Ed K12 SEARequires law enforcement to provide and validate information necessary for the state board to complete a required report on incidents that occur on school grounds; clarifies requirements regarding the content of privacy notices; exempts schools from certain contractual provisions related to sharing directory information if the directory information is shared in accordance with federal law; binds other government agencies that contract on behalf of education entities to the same requirements as education entities; clarifies that education entities may obtain written authorization to waive a provision of a contract with a third-party contractor related to a student's student data; and requires information related to suspension or expulsion to appear in a student's cumulative folder.
2018VirginiaHB1VA CODE §§22.1-287,K12 Higher ED SEA LEAClarifies that the definition of "scholastic records" in the Virginia Freedom of Information Act includes directory information, but also provides that such directory information may be released to the public only if the student who is the subject of such information, or the student's parent or legal guardian if the student is less than 18 years of age, has expressly consented, in writing, to the release of such information. Amends §§ 22.1-287, 22.1-287.1, and 23.1-405 of the Code of Virginia
2014VirginiaSB 242VA Code § 23.1-405Higher EDA private or public institution of higher education can request from students who are committed to attend or currently attend their complete student record, including mental health record. No public institution of higher education shall sell students' personal information to any person.
2015VirginiaHB 1334VA Code § 22.1. Education § 22.1-289.01K12 SEAWould require the state Dept. of Ed to develop and make publicly available policies to ensure state and local compliance with FERPA and state privacy laws (including policies around access to PII and review of requests from public and private entities) and require parental notification in instances of possible disclosures of electronic records in violation of FERPA or other federal or state law and remedial measures being taken.
2015VirginiaHB 1612VA Code § 22.1. Education § 22.1-289.01K12 Vendors LEAWould require school service providers to provide clear info on the student data they collect and how the data are maintained and used, maintain a privacy policy and provide notice before making any changes, maintain a security program, facilitate access and correction of student personal data, collect and use student data with parental consent or for teacher/school authorized purposes, obtain consent for using data in a way "inconsistent" with the privacy policy or authorized purpose. Would prevent a school service provider from using data for behaviorally targeting advertisements to students, creating a student profile without consent or authorization, or retain information except as authorized or with consent.
2015VirginiaHB 1698VA Code § 22.1-79.3 K12 LEAWould require parental notice before the administration of any survey on "sensitive" topics, an explanation of privacy measures, and the right to exempt their child from participating.
2015VirginiaHB 2350VA Code Title 22.1. Education § 22.1-20.2.K12 SEA LEAWould direct the state Dept. of Ed and the Virginia Information Technologies Agency to develop a model data security plan for districts to implement policies and procedures related to the protection of student data and data systems. Would require the Dept. of Ed to designate a chief data security officer to assist local school divisions with the development or implementation of policies around data security and data use.
2016VirginiaSB 438VA Code § 22.1. Education § 22.1-289.01Higher EDThis bill prohibits a public or private institution of higher education from requiring a student to disclose the username or password to any of such studentÂ’s personal social media accounts. It also prohibits a public institution of higher education from selling student PII.
2016VirginiaHB519VA Code § 22.1. Education § 22.1-289.01K12 Vendors LEAWould require school-affiliated entities (e.g. alumni associations, PTAs, scholarship organizations) to provide information on the student PII they collect and maintain and implement privacy and security policies. Would prohibit these entities from selling student PII or collecting, using, or disclosing it without consent.
2016VirginiaHB 749VA Code § 22.1. Education § 22.1-289.01K12 VendorsSchool Service Providers: Makes several changes to the provisions relating to the protection of student personal information by school service providers, including (i) providing that student personal information does not include information that is publicly available; (ii) defining "targeted advertising" as advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information and prohibiting school service providers from knowingly using or sharing any student personal information for the purpose of targeted advertising for students in operating a school service pursuant to a contract with a local school division; and (iii) clarifying that other provisions of law do not prohibit school service providers from performing certain acts, including disclosing student personal information to ensure legal or regulatory compliance, protect against liability, protect the security or integrity of its school service, respond to or participate in judicial process, or protect the safety of school service users or other individuals.
2016VirginiaHB 750VA Code § 22.1. Education § 22.1-289.01K12 VendorsStudent personal information: Excludes any website, mobile application, or online service that is used for the purposes of college and career readiness assessment from the definition of “school service,” thus relieving providers of such websites, mobile applications, and online services from the obligation to provide various protections for student personal information collected through such websites, mobile applications, and online services. Each school service provider under this bill is required to provide clear information about the types of student personal information it collects through any school service and how it uses and shares such student personal information.
2017VirginiaSB951VA Code § 22.1. Education § 22.1-289.01K12 Vendors LEASchool Service Provider: student access to collected personal information: This bill requires school service providers to provide each student's parent with access to a downloadable electronic copy of any student personal information pertaining to such student that has been collected, maintained, used, or shared by the school service provider. Contracts between local school boards and school service providers may require that such copy be in a machine-readable format.
2019VirginiaHB2449VA Code §23.1-405K12 Higher ED Vendors SEA LEAScholastic records; disclosure of directory information. Provides that a school or institution of higher education may disclose certain directory information of a student to certain internal persons for educational purposes or internal business if the student has not opted out of such disclosure. Under current law, such disclosures require written consent. The bill also provides an exception for state and federal law requirements from the prohibition of such disclosures.
2022VirginiaSB 764ERVA CODE §§ 2.2-603, 2.2-2009, and 2.2-5514 N K12 Higher ED SEA LEAEvery public body shall report all (i) known incidents that threaten the security of the Commonwealth's data or communications or result in exposure of data protected by federal or state laws and (ii) other incidents compromising the security of the public body's information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in § 2.2-2005, or his designee at the Virginia Information Technologies Agency, promptly upon receipt.
2015WashingtonSB 5419 (HB 1495)WV CODE § 18-2-5hK12 VendorsWould require service providers to provide clear privacy policies and notice of any policy changes. Would require service providers to have a security plan. Would prohibit service providers from selling student information or from using it for targeted advertising, creating a profile, or any purpose not agreed to without consent.[Senate version of HB 1495]
2016West VirginiaHB4261WV CODE §18-2-5hK12 Higher ED SEAStudent Data Accessibility, Transparency, and Accountability Act: A bill relating to student data - this bill prohibits the sale of transfer of student data to vendors and other profit making entities. Provides for certain exceptions including when the department enters a contract that governs student or redacted data with a contractor for the purpose of state level reporting; in the event the ACT or SAT tests are adopted as the state summative assessment, allows the ACT or College Board to use certain information; requiring written consent if information classified as confidential is required.
2014West VirginiaHB 4316WV Code § 18-2-5hK12 SEA LEAMandates the Dept. of Ed. to create data system, create and make publicly available policies that comply with FERPA, restrict access to the data system to authorized staff, notify parents of inter-agency sharing agreements and give parents opportunity to opt-out of sharing their student's data, develop data request procedures, develop data security plan with the basic requirements (compliance, audits, breach procedures, data retention/disposition, employee training), ensure vendor contracts have express provisions that safeguard privacy and security and penalties for noncompliance, notify governor/legislature of updates to data collection and audits. Prohibits collection of lifestyle information and reporting to state any biometric information. Mandates appointment of data governance manager and lists responsibilities. Development of guidance for districts to notify and deal with parental requests to access student data.
2014WyomingSF 79WY Stat. § 21-2-202K12 SEA LEAMandates Dept. of Enterprise Technology Services and State Superintendent to establish criteria for education data mgmt. system on education accountability and assessment, teacher certification, and school finances. Also mandates creation of data security plan with all the basic requirements; policies that comply with FERPA; prohibits sale of student data to private entities.
2017WyomingHB0008WY ST § 21-2-202K12 SEA LEAThis Act would amend requirements of the State Superintendent and Department of Enterprise Technology Services regarding the state data security plan. This would ensure privacy of student data collected - this would require certain policies for the collection, access, privacy, security, and use of student data by school districts.
2017WyomingHB0009WY ST § 21-17-124Higher EDStudent Electronic Writings and Other Electronic Communications - Expectation of Privacy. No ownership rights to any electronic writing or other electronic communication created by a student shall be conveyed, transferred, or otherwise affected solely as a result of the writing or other communication being stored on an electronic device paid for in whole or part by the university or transmitted or stored on the university's network.
2021VirginiaHB2031VA 15.2-1723.2

Higher EDFacial recognition technology; authorization of use by local law-enforcement agencies and campus police departments at public institutions of higher education. Provides that no local law-enforcement agency or campus police department shall purchase or deploy facial recognition technology, defined in the bill, unless such purchase or deployment is expressly authorized by statute. The bill prohibits a local law-enforcement agency or campus police department at a public institution of higher education currently using facial recognition technology from continuing to use such technology without such authorization effective until July 1, 2026.
2024OhioSB29OH Section 3319.325K12 LEASB 29 prohibits schools and their technology providers from accessing or monitoring:
A school-issued device's: location-tracking features; or audio or visual receiving, transmitting, or recording features, or student interactions with school-issued devices, such as their keystrokes and web browsing.
School districts must provide parents and students with a specified annual notice of any education technology provider contracts that affect a student's educational records and include contact information for questions or concerns and offer parents and students contract inspection opportunities.
Contracts between school districts and technology providers must Ensure appropriate security safeguards to protect educational records. In addition an education technology provider must comply with the data collection, use, and protection requirements and limitations imposed on school districts by Ohio R.C. 1347.01 to 1347.99 as if it was a school district itself. After discovering a data breach affecting educational records, disclose information necessary for the school district to fulfill its data breach notification obligations under Ohio R.C. 1347.12. Destroy or return educational records within 90 days of contract expiration unless renewal is reasonably anticipated.
Key restrictions prohibit technology providers from using educational records for any commercial purpose other than the contracted services. Selling, sharing, or disseminating educational records except as part of a valid assignment or delegation of their contracts or if a listed exception applies.
Technology providers may use de-identified, aggregated records for limited product and service development, maintenance, support, and operations purposes.
2020VermontS110VT Title 9 Chapter 62 Subchapter 3AK12 VendorsModeled on California’s Student Online Personal Information Protection Act – this section of the bill prevents educational technology companies from using information collected about students for non-educational purposes.