State Student Privacy Laws

Year Passed | State | Bill Number
High Level Summary
Early Ed (Y/N) | K-12 (Y/N) | Higher Ed (Y/N) | Legislating Vendors (Y/N) | Legislating SEAs (Y/N) | Legislating LEAs (Y/N)
2013 Arizona SB 1450
For school districts that release directory information to educational and
occupational/military recruiters, they must provide students with the opportunity to
opt-out of that release. Student transcripts can't be released unless the student
consents in writing.
N Y N N Y Y
2016 Arizona HB2088
HB 2088 prohibits public schools from administering specified assessments or surveys
to students without notifying and obtaining written informed consent from parents
and prescribes penalties for violations.
Y Y N N N Y
2017 Arizona SB1314
Relating to the Student Accountability Information System: This is a general student
privacy bill that would prohibit operators from engaging in targeted advertising,
using information to create profiles about students, sell or rent student's
information, or disclose covered information, with several exceptions.
N Y N N N N
2018 Arizona HB2088
This bill amends existing statutes to require that when a person who conducts
business in the state and that owns, maintains, or licenses unencrypted or unredacted
computerized data that includes personal information becomes aware of a security
incident, the person shall conduct a reasonable investigation to promptly determine
whether there has been a security system breach.
N N N N N N
2015 Arkansas HB 1241
Would end the state's contract with PARCC (could be reinstated after 1 year). Would
prohibit the state board or the state Dept. of Ed. from providing access of any
student PII collected at the state level to the federal Dept. of Ed or any Dept. of
Ed program, nor their TA providers, research partners, government assistance
organizations, or program monitors without parental consent.
N N N N Y Y
2015 Arkansas HB 1961
Would prohibit an operator from using certain information to amass public school
student profiles for certain purposes, or selling or disclosing covered information.
Would allow the use of recommendation engines.
N N N Y N N
2014 California AB 1584
Mandates inclusion of certain provisions in an LEA's contract with a cloud service,
data management, or education software vendor: student records are property and
under control of LEA, how vendor will ensure security of student records, prohibits
vendor from using student data for any purpose other than what is in contract,
vendor must train individuals in charge of student records, and notification
procedures to parents in event of unauthorized disclosure.
N Y N Y N N
2014 California SB 1177
Prohibits K-12 website/application vendors from using, sharing, disclosing, or
compiling student information for any purpose other than educational purpose and
improving their service; they can't sell the information and must delete the
information if the school or district requests. They have to protect the information
in a reasonable manner. They can disclose info for legit research purposes as
required by state/fed law. They may share aggregated de-identified student info to
improve their service.
N Y N Y N N
2016 California AB2097
Relating to Pupil Records: The superintendent is required to assign a student
identification number to individuals with exceptional needs for purposes of
evaluating special education programs and related services. This bill prohibits
school districts from collecting or soliciting social security numbers or the last 4
digits of social security numbers from pupils or their parents or guardians unless
otherwise required to do so by state or federal law. This also authorizes the State
Dept. of Education to additionally prohibit the collection and solicitation of other
PII.
N Y N N Y Y
2016 California AB 2799
Privacy: personal information - preschool and prekindergarten purposes. This bill
would extend SOPIPA's protections that restrict the use of information about
elementary/secondary school students by operators of websites, online services, and
applications to preschool and prekindergarten purposes.
Y N N Y N N
2016 California AB2828
Personal information: privacy - this bill would require a person or business
conducting business in California, and any agency, that owns or licenses
computerized data that includes personal information to disclose a breach of the
security of the data to the person whose information was breached.
N N N Y N N
2018 California SB 244
This amends existing law that provides for the collection of personally identifiable
information by educational entities for the purposes of providing specified
educational services and benefits. This bill would establish that personal
information collected or obtained pursuant to these provisions is confidential, and
this information can only be collected, used, and retained to administer the public
services or programs for which that information was collected or obtained. The bill
prohibits disclosure of personal information to any other person, except as
provided.
N Y Y N N Y
2014 Colorado HB 1294
Requires State Board to: create student data system, create and make publicly
available FERPA-compliant policies/procedures, develop data security plan, data
retention and disposition policies (including data destruction), ensure validity and
other requirements are met before disclosing student data for department-led
research and requests from outside the state, and ensure vendor contracts include
provisions that safeguard privacy and security. Prohibits collection of health
records and biometric information and limits transfer of student data.
N Y N N Y Y
2016 Colorado HB1423
Student Data Transparency and Security Act: This bill adds to the existing laws re:
student data security by adopting additional duties that the SBE, Dept., and school
districts/boards of cooperative services/charter schools must comply with to
increase transparency and security of the student PII. This requires the SBE to
create and make publicly available a data inventory and dictionary that includes
individual student PII - the SBE must then develop a security plan with all the
basic requirements (compliance standards, audits, breach procedures) and guidance
for authorizing access to the student data system.
Y Y N N Y Y
2016 Connecticut HB5469
Would include contract requirements for service providers; Would require breach
notification procedures; Would prohibit an online operator from selling student PII
or using it for targeted advertising or to amass student profiles except for K-12
school purposes; Would allow the use of data for personalized learning and service
provision, maintenance, or improvement; establishes a task force to study issues
relating to student data privacy.
N Y N Y Y Y
2017 Connecticut HB7207
An Act making revisions to the Student Data Privacy Act of 2016: This bill requires
local or regional boards of education to enter into written contracts with a
contractor any time such local or regional board of education shares or provides
access to student information, student records, or student generated content with
such contractor.
N Y N Y N Y
2018 Connecticut HB5170
This statute prohibits school employees from taking custody of a student's mobile
electronic device for purposes of accessing any data or other content stored upon or
accessible from such device, or compel a student to produce, display, share, or
provide access to any data or other content stored upon or accessible from such
device, with some exceptions.
N Y N N N Y
2018 Connecticut HB5444
An Act Concerning Revisions to the Student Data Privacy Act: This bill would create
a uniform student data privacy terms-of-service agreement addendum for use in
contracts, would require a one-time annual notice relating to contracts entered into
by the board of education, would require the Department to provide written guidance
on the laws relating to student data privacy, and would authorize the retention of
student records required by state and federal law and for purposes of disaster
recovery systems.
N Y N Y Y Y
2019 Connecticut HB6997
Prohibits a local or regional board of education from disclosing or otherwise
providing a student's parent or guardian who has pending charges of domestic
violence against him or her with access to the educational, medical or similar
records maintained in such student's cumulative record.
Y Y N N N Y
2015 Delaware SB 79
Requires service providers to: implement security procedures, delete data in
reasonable time; prohibits service providers from engaging in targeted advertising,
building student profiles, selling student data, disclosing data (unless for listed
exceptions); establishes Student Data Privacy Task Force to make recommendations
about privacy/student data.
N Y N Y N N
2016 Delaware SB 208
This bill amends the Student Data Privacy Protection Act that was created last year
- it corrects a typographical error and corrects the enactment date (The recipient
of the student data disclosed for K-12 school purposes of the internet/mobile
application/etc. shall not further disclose the student data unless done to allow or
improve the operability and functionality within that student's classroom or
school).
N Y N Y N N
2014 Florida SB 188
Requires State Board to annually notify parents and students of their FERPA rights.
Prohibits collection or retention of information such as political and religious
affiliation, voting history, or biometric information of student, sibling, or
parent. Prohibits use of a student's SSN as their identification number.
N Y N N Y Y
2017 Florida HB501
An Act relating to public records and public meetings - this bill creates an
exemption from public records requirements for certain records held by a state
university or Florida College System institutions which identify detection,
investigation, or response practices for suspected or confirmed information
technology security incidents and this bill authorizes disclosure of confidential
and exempt information to certain agencies and officers.
N N Y N N N
2018 Florida HB 731
This bill prohibits the state superintendent from storing any PII from students who
are home schooled. District school superintendents are prohibited from including
social security numbers or any other personal information of students in any school
district or school database unless the student chooses to participate in a school
district program or service.
N Y N Y Y N
2013 Georgia Executive Order
Prohibits the state from collecting, tracking, housing, reporting, or sharing
personally identifiable data on students and/or their families’ religion, political
party affiliation, biometric information, psychometric data and/or voting history
with the federal government. State cannot collect student data for the purpose of
the development of commercial products or services.
N Y N N Y Y
2015 Georgia SB 89
Would implement numerous governance and transparency measures and would prohibit
service providers from using data for commercial purposes.
N Y N Y Y Y
2016 Hawaii SB2607
Limits the ways in which the operator of a website, online service, online
application, or mobile application working with the Dept. of Ed can use student
data. (SOPIPA); they have to have security procedures in place, delete information
in reasonable time; permits operator to disclose information for legitimate research
purposes.
N Y N Y Y N
2014 Idaho SB 1372
Requires State Board to: create student data system, create and make publicly
available FERPA-compliant policies/procedures, develop data security plan, data
retention and disposition policies (including data destruction and penalties for
noncompliance), ensure validity and other requirements are met before disclosing
student data for research, ensure vendor contracts include provisions that safeguard
privacy and security, and notify governor/legislature of changes in data system.
Prohibits collection of health records and biometric information and limits transfer
of student data.
N Y Y Y Y Y
2015 Idaho HCR 3
Would authorize the Legislative Council to appoint a committee to study the state's
SLDS to determine which data points are necessary for tracking student academic
progress; which data points must be collected and reported at the aggregate level;
which data points should be personally identifiable and why; the extent to which
federal funding is contingent upon the collection and reporting of student data to
the federal government and the cost to the state of declining such funding; and
recommendations on simplifying and minimizing the collection of student data without
compromising essential evaluation of educational efficacy, protecting student
privacy by limiting the collection of PII, and the cost/benefit of declining federal
funds.
N Y Y (but only study of) N Y Y
2017 Illinois SB887
This bill allows the Board of Higher Education to collect a fee to cover the cost of
processing and handling individual student-level data requests pursuant to an
approved data sharing agreement. This fee does not apply to entities complying with
State or federal-mandated reporting. This bill also would prohibit the Board from
providing personally identifiable information on individual students except in the
case where an approved data sharing agreement is signed that includes specific
requirements for safeguarding the privacy and security of any personally
identifiable information in compliance with FERPA.
N N Y N N N
2017 Illinois SB1796
Student Online Personal Protection Act: this Act is intended to ensure that student
data will be protected when it is collected by educational technology companies and
that the data may be used for beneficial purposes such as providing personalized
learning and innovative educational technologies. This law amends the Illinois
School Student Records Act and makes a technical change in a Section concerning the
short title.
N Y N Y N N
2014 Indiana HB 1003
Among non-student data privacy related information, this bill changes the state's
longitudinal data system (IDS) to the 'network of knowledge' to collect information
from educational institutions at all levels. Data should include information about
student progress and outcomes. Prohibits collection and storage of discipline,
juvenile, criminal, and medical records. Requires the network to comply with FERPA
and create a data security plan that must include breach, retention, and disposition
procedures. Requires the network to have research approval procedures and report to
governor and legislative council about data collection changes and overview of
yearly studies.
N Y N N Y Y
2018 Iowa HF2354
An Act relating to student personal information protection: This bill creates a
general student privacy law - which would prohibit operators from knowingly
engaging in targeted advertising, using information to amass a profile about a
student, sell student's information, or disclose covered information, with
several exceptions.
N Y N Y N N
2014 Kansas SB 367
Allows for disclosure of student data to authorized personnel from educational
agency, student/parent, and state board of regents. Lists requirements for a
data-sharing agreement. Only allows aggregate data to be disclosed for research.
Prohibits school districts from collecting biometric data and conducting surveys on
lifestyles (sex history, religion, etc.) unless consent given in writing. Requires
educational agency to create privacy policy and notify parents and student if there
is a breach. Requires board to submit yearly report to governor and legislature on
changes in data collection and summary of audits.
N Y Y N Y Y
2016 Kansas HB2008 (S sub)
Creating the Student Online Personal Protection Act: An operator is prohibited from
engaging in targeted advertising on the operator's educational online product if the
target of the advertising is based on any information, including student information
and persistent unique identifiers. Operators are prohibited from using information
to create student profiles as well as prohibited from selling or renting student
information to a third party.
N Y N Y N N
2019 Kansas HB2209
Provides that the state board of regents may purchase cybersecurity insurance as it
deems necessary to protect student records, labor information and other statutorily
protected data that the board maintains, independent of the committee on surety
bonds and insurance. Provides that "cybersecurity insurance" includes, but is not
limited to, first-party coverage against losses such as data destruction, denial of
service attacks, theft, hacking and liability coverage guaranteeing compensation for
damages from errors such as the failure to safeguard data.
N N Y N N N
2014 Kentucky HB 232
Mandates businesses that handle personally identifiable information to notify owners
of that PII "in the most expedient time possible and without unreasonable delay" of
any security breach. Limits a cloud computing service's use of student data to
maintaining company's "integrity" and prohibits use of student data for advertising
or commercial purposes. Cloud is allowed to help schools conduct research within
boundaries of FERPA.
N Y N Y N Y
2014 Louisiana HB 340
Prohibits public or private educational institutions (and employers) from requesting
login information from students or prospectives (and employees) to their personal
online account that is not used for school-related communications. Prohibits the
educational institution from chastising student in any way for failure to disclose.
Y Y Y N Y Y
2014 Louisiana HB 946 (became HB 1076)
Prohibits school system employees from collecting lifestyle information (political
belief, sexual behavior, etc.) from students without parental consent. Lists
exceptions to sharing PII. Requires Department to develop system of student ID
numbers. Limits who can access computers that store student data to authorized
individuals. Restricts use of predictive modeling that may limit student's learning.
Allows for transfer of student data to contracted vendors but also lists contract
requirements: inclusion of privacy compliance standards, audits conducted under
direction of local school superintendent, breach and notice procedure, and
storage/deletion policy; places $10,000 fine on violation of the contract
requirements. Prohibits school system or private entity from selling student data
for use in advertising unless it's permitted per a contract. Establishes requirements
for consent forms to be given to parents to allow collection of PII. Requires
postsecondary institutions to delete all data collected 5 years after student
graduates.
N Y N Y Y Y
2014 Louisiana HB 1283
Requires Dept. of Ed. to include information about the transfer of PII on its
website regarding: who receives the PII, copy of agreement between department and
recipient of PII, what data is actually transferred, statement of intended use of
PII, contact person for questions, and how parents can register complaint for
unauthorized transfer.
N Y N N Y Y
2015 Louisiana HB 718
Would expand the parties districts can contract with for data services. Would leave
the majority of the 2014 law’s provisions in place, but would allow access in
accordance with local school board policy and would prohibit any contractor from
using student data for predictive modeling to limit a student's opportunities.
N Y Y Y Y Y
2016 Louisiana SB270
Relative to Student Data Privacy: The Dept. of Ed. is required to provide each city,
parish, or other local public school system with information, that could include
personally identifiable student information, as the school system deems necessary to
verify the enrollment and residency status of each student who resides within the
geographic boundaries of the school system but who is enrolled in a public school
outside of the jurisdiction of the local public school system. The school system
must keep information strictly confidential and shall use the information for no
other purpose than verifying student enrollment and residency.
N Y N N Y Y
2018 Louisiana HB716
This bill would allow an official or employee of the state Dept. of Ed. to share
student information with certain postsecondary education institutions conducting
academic research provided the person and the department have entered into a
memorandum of understanding.
N N Y N Y N
2018 Louisiana HB387
Revises the Parents' Bill of Rights for Public Schools: This bill would amend
existing law to provide parents with the right to receive a photocopy of their
child's school records, at no charge within 10 days of requesting. Further,
"academic records" is now defined to include interim or benchmark assessments.
Y Y N N N Y
2014 Maine LD 1194
Instructs the Joint Standing Committee to research concerns associated with access
and privacy of social media accounts, personal email accounts, and cloud services
that hold personal information (employees) and student data. Instructs Committee to
draft recommendation for legislation that limits access to these accounts and
provides for remedies to violations.
N Y Y N Y Y
2015 Maine HP 53
Would direct the Commissioner of Education to develop FERPA-aligned rules governing
student data not already governed under law and determine penalties for violations
of such rules.
Y Y N N Y Y
2015 Maine HP 872
Would provide for the confidentiality of assessment data and allow the dissemination
of PII with consent only. Would withdraw from Smarter Balanced (or any Common
Core-aligned assessment) and require the state Dept. of Ed to "adopt a method of
education assessment" that does not collect or disseminate personal data or
attributes of students.
N Y N Y Y Y
2015 Maine SP 183
Would require school service providers to provide clear info on the student data
they collect and how the data are maintained and used, maintain a privacy policy and
provide notice before making any changes, maintain a security program, facilitate
access and correction of student personal data, collect and use student data with
parental consent or for teacher/school authorized purposes, obtain consent for using
data in a way "inconsistent" with the privacy policy or authorized purpose. Would
prevent a school service provider from using data for behaviorally targeting
advertisements to students (except for advertising based on the current visit),
creating a student profile except for K-12 school purposes, or retaining information
except as authorized or with consent.
N Y N Y N Y
2017 Maine LD678
This bill specifies if a public or private school requests a student's social
security number, the public school or private school shall inform the parent or
guardian of the student for what purpose the social security number will be used and
provide the parent, guardian, or student the opportunity to opt out of providing the
social security number. Also provides for the deletion of the social security number
upon departure.
N Y N N N Y
2017 Maine LD1616
This Act corrects errors and inconsistencies in Maine laws - this bill allows
operators to disclose student data: if another provision of federal or state law
requires the operator to disclose the student data and the operator complies with
applicable requirements of federal and state law in protecting and disclosing that
information; for legitimate research purposes; and to a state agency, school
administrative unit, or school for kindergarten to grade 12 purposes, as permitted
by state or federal law.
N Y N Y Y Y
2015 Maryland HB 298
Would prohibit an operator in contract or agreement with a public school or district
for PreK-12 use from using certain information to amass student profiles for certain
purposes, or selling or disclosing covered information.
Y Y N Y N Y
2017 Maryland HB 680
Maryland Longitudinal Data System: Lengthens the period of time that MLDS can use
linked data from 5 years to 20 years.
Y Y Y N Y Y
2017 Maryland SB 1165
An Act concerning Maryland Longitudinal Data System: The Maryland Longitudinal Data
System is a statewide data system that contains individual-level student data and
workforce data from all levels of education and the State's workforce and allows the
center to organize, manage, disaggregate, and analyze individual student data.
Through this bill, the linkage of student data and workforce data for the purposes
of the Longitudinal Data System shall be limited to no longer than 20 years from the
date of latest attendance in any educational institution in the State.
Y Y Y Y Y N
2018 Maryland HB568
This bill requires the State Dept. of Ed., in consultation with the Department of
Information Technology and county boards of education, to develop and update
certain best practices for county boards to manage and maintain data privacy and
security practices in the processing of student data and personally identifiable
information across the county board's information technology and records
management systems.
N Y N N Y Y
2018 Maryland HB1254
This bill amends existing law to require the State Dept. of Ed. to disaggregate
certain data in any student discipline data report in a certain manner - this data
shall be disaggregated by race, ethnicity, gender, disability status, eligibility
for free or reduced price meals or an equivalent measure of socioeconomic status,
and English language proficiency. This bill would also require that special
education data in student discipline data reports be disaggregated. Further, the
Dept. is required to collect certain data on alternative school discipline
practices.
N Y N N Y Y
2016 Michigan S33
Initial bill language replaced with Substitute S-2. Would prohibit the Dept. of
Ed. from selling or providing any pupil education record information to a for-profit
business entity with the exception of an educational management organization. The
Department could not disclose any information concerning a pupil that is collected
or created except in accordance with a policy adopted and made publicly available by
the State Board that clearly stated the criteria for disclosure. The Department
would have to ensure that any contract with a vendor that allowed access to
education records expressly required the vendor to protect the privacy of education
records and provided express penalties for noncompliance. If the Department provided
any collected or created information to a person other than the pupil's school
district, intermediate school district, PSA or its authorizing body or the pupil's
parent or legal guardian, the Department would have to disclose to the parent or
guardian within 30 days the specific info disclosed, the name and contact
information of each person to which the information was disclosed, and the reason
for disclosure.
N Y N N Y N
2016 Michigan SB 510
An operator shall not knowingly engage in targeted advertising on the operator's
site, service, or application if any of the information provided includes covered
information and persistent unique identifiers. Further an operator may not use the
information to amass a profile about a student except in furtherance of K-12 school
purposes. Finally, an operator may not sell or rent a student's information,
including covered information. There are certain exceptions under this bill where
information may be disclosed (including in furtherance of the K-12 school purpose of
the site, etc). An operator is required to implement and maintain reasonable
security procedures and practices and delete a student's covered information if the
K-12 school or school district requests deletion.
N Y N Y N N
2014 Missouri HB 1490
Mandates state board to create rules on data accessibility, transparency, and
accountability and a LDS; policies to comply with FERPA; policies to approve
research and data requests; develop data security plan; privacy and security audits;
breach planning and notification procedures; data retention and disposition
policies; data security policies (encryption and employee training); requirements
for vendor contracts (vendor can't sell or use student data in advertising).
Prohibits collection of individual student data (criminal record, mental/health,
biometric, etc.).
N Y N Y Y Y
2019 Montana HB 745
Provides that an operator may not knowingly engage in any of the following
activities with respect to the operator's K-12 online application: engage in
targeted advertising on the operator's K-12 online application; or target
advertising on any other site, service, or application when the targeting of the
advertising is based on any information, including protected information and
persistent unique identifiers, that the operator has acquired because of the use of
the operator's K-12 online application; use information, including persistent unique
identifiers, created or gathered by the operator's K-12 online application to amass
a profile about a pupil, except in furtherance of K-12 school purposes; sell a
pupil's information, including protected information. This prohibition does not
apply to the purchase, merger, or other type of acquisition of an operator by
another entity, provided that the operator or successor entity continues to be
subject to the provisions of this section with respect to previously acquired pupil
information. Provides that a school district may, pursuant to a policy adopted by
its trustees, enter into a contract with a third party to: provide services,
including cloud-based services, for the digital storage, management, and retrieval
of pupil records; or provide digital educational software that authorizes a
third-party provider of digital educational software to access, store, and use pupil
records in accordance with the contractual provisions listed in subsection (2).
Y Y N Y Y Y
2013 Nebraska LB 262
Allows student, parents, teachers, and admin. access to the student's files and
records. Parents must provide consent for anyone else to have access to the
files/records. Discipline information must be destroyed after three years of a
student's absence from the school. Permits sharing of information between school
districts and the State Board of Ed.
N Y N N Y Y
2017 Nebraska LB 512
This bill creates the Student Online Personal Protection Act - this is a general
privacy statute that would prohibit operators from knowingly engaging in targeted
advertising, or amassing profiles about students, and it prohibits selling or
renting a student's covered information.
N Y N Y N N
2017 Nebraska AB 7
This bill amends existing statute to provide that a "school service" is an internet
website, online service, or mobile application that: collects or maintains
personally identifiable information concerning a pupil, is used primarily for
educational purposes, and is designed and marketed for use in public schools and is
used at the direction of teachers and other educational personnel. It does not
include anything designed or marketed for use by a general audience, an internal
database, system, or program maintained or operated by a school district, charter
school, or university school for profoundly gifted pupils, or a school service for
which a school service provider has been designated as a school official under
FERPA.
N Y N Y N N
2015 Nevada SB 463
Would require school service providers to provide clear info on the student data
they collect and how the data are maintained and used, maintain a privacy policy and
provide notice before making any changes, maintain a security program, facilitate
access and correction of student personal data, collect and use student data with
parental consent or for teacher/school authorized purposes. Would prevent a school
service provider from using data for behaviorally targeting advertisements to
students, creating a student profile without consent or authorization, or retaining
information except as authorized or with consent. Would require annual PD on
services and their data security.
Y Y N Y Y Y
2015 Nevada AB 221
Would require the state and districts to create public data inventories and would
require certain provisions in contracts with service providers. Would require state
and district reporting on changes to data collection or management. Would instruct
the state to develop a security policy and charge districts with complying. Would
instruct the state to create rules around teacher use of online services.
N Y N Y Y Y
2019 Nevada SB403
Revises the prohibition on targeted advertising by a school service provider to
prohibit the school service provider from engaging in targeted advertising within
its school service or on any other Internet website, online service or mobile
application if the targeted advertising is based upon information gathered from its
school service. Authorizes a school service provider to use the personally
identifiable information of a pupil to perform certain research which is required or
authorized by federal or state law. Authorizes a school service provider to use
aggregated, de-identified information derived from the personally identifiable
information of pupils to develop and improve the products of the school service
provider. Requires a public school to provide information regarding the risks
associated with the collection of covered information of a pupil to a pupil or the
parent or legal guardian of a pupil before the public school allows the pupil to use
any school service or provides any item of technology to the pupil.
Y Y N Y Y Y
2014 New Hampshire HB 1587
Restricts the collection of certain types of data on students and their families to
be stored on SLDS. Schools can release student name or identifier to testing agency
only to identify the test taker but cannot give student PI to testing entity to
perform a test analysis. Testing entity must destroy data as soon as test taker is
identified.
Y Y N Y Y Y
2015 New Hampshire HB 206
Would require school districts to adopt a policy governing the administration of
non-academic surveys or questionnaires to students (surveys that elicit information
about a student's social behavior, family life, religion, politics, sexual
orientation, sexual activity, drug use, and other information not related to
student's academics). The policy would allow parents to opt out of participation in
any survey on "sensitive" or nonacademic data.
Y Y N N Y Y
2015 New Hampshire HB 322
Would require the state Dept. of Ed to create data security and breach
notification policies. Plan must include audits, notification of breach procedures,
and data retention and deletion policies. Would require the Dept. of Ed to produce a
public annual data security breach report. Data referred to herein covers both
student and teacher data. Dept. of Ed must ensure students and parents are aware of
their rights regarding amending and disclosure of student data and right to file
FERPA complaint.
N Y N N Y Y
2015 New Hampshire HB 507
Would prohibit a school or district from disclosing student or teacher PII to any
testing entity performing test-data analysis. Except as permitted in state code,
would prohibit the disclosure of student or teacher PII in the SLDS or any
department data system to any entity other than the student or teacher's school
district. Would prohibit the recording of a classroom without consent or school
board approval.
N Y N N Y Y
2015 New Hampshire HB 520
Would prohibit an operator from using certain information to amass student profiles
for certain purposes, or selling or disclosing covered information.
N Y N Y N N
2016 New Hampshire HB1372
Prohibits recording a classroom for the purpose of teacher evaluation without school
board approval after a public hearing and without written consent of teacher and
parents of each student. Does not prohibit recording a classroom for a student with
a disability whose IEP includes such recordings, for use of student instructional
purposes, or for instruction of teacher interns.
N Y N N N Y
2016 New Hampshire HB1497
An Act Relative to the Limits on the Disclosure of Information Used on College
Entrance Exams: this bill requires school districts to destroy personal information
of students following the completion and verification of certain tests. This bill
also gives students taking college entrance exams the option to have all their
personal information destroyed by the testing entity following the completion and
verification of the test. This bill specifies that schools may disclose students’
names or unique pupil identifiers, but not both, and birth date for the sole purpose
of identifying the test taker. There is an exception when this is collected in
conjunction with the SAT or ACT. This information then shall be destroyed as soon as
verification of test takers is complete. Students taking the ACT or SAT, when that
test is used for the state assessment, may opt to have all personal information
destroyed by the testing agency.
N Y N Y N Y
2016 New Hampshire HB 301 (2015)
Would establish a committee to study the state's SLDS and any other database that
contains student-level data; committee shall assemble a dictionary of data elements
collected; committee shall review the technical specifications given to contractors
who designed and built each database; committee shall study the scope, use, and
security of district databases and privacy policies
N Y N N Y N
2018 New Hampshire HB1551
This bill adds a new section to existing statute specifying that upon a student's
graduation from high school, his or her parents may request the LEA in writing to
have the student's records and final individualized education program destroyed at
that time or request that the records be retained until the student's 26th birthday.
Absent any request by the student's parents at the time of graduation, the LEA shall
destroy a student's records and final individualized education program within a
reasonable time after the student's 26th birthday, provided all records be destroyed
by a student's 30th birthday.
N Y N N N Y
2018 New Hampshire SB1612
This bill amends an existing privacy statute: This bill would now require each LEA
to create and make publicly available an index of data elements containing
definitions of certain individual student personally-identifiable data fields;
develop a data security plan; make publicly available students' and parents' rights
under FERPA; requires school districts that use digital badges to obtain the written
consent of a parent or legal guardian; modifies certain requirements for contracting
with operators of Internet websites.
N Y N Y N Y
2020 New Jersey A4978
Prohibits online education services from disclosing student educational records,
amassing profiles of student data for non-educational purposes, and requires
deletion of data in certain instances.
N Y N Y N Y
2014 New York SB 6356 (same as AB 8556)
Education agency can decide not to provide a service provider PII for the purposes
of creating a data system or have that information deleted upon request to the
Dept.; Dept. and Ed. Commissioner cannot provide any PII to a service provider.
Mandates appointment of a Chief Privacy Officer whose duties include: assisting in
data breaches, implementing privacy practices, designing data request procedure,
reviewing Dept. proposals on student or teacher data. Mandates publication of a
Parents Bill of Rights for Data Privacy and that it is included in all contracts
with service providers (lists requirements of the Bill of Rights). Mandates
provisions for contracts with service providers.
Y Y N Y Y Y
2014 North Carolina SB 815
Requires state board to create data system and data security plan with all the basic
guidelines; privacy policies that comply with FERPA; prohibits transfer of data
unless authorized by law; contracts with vendors have to include specific
provisions; board must report to governor/leg. annually regarding change in data
collection; prohibits collection of biometric and lifestyle information from
students. Requires boards to notify parents annually about student records, opt-out
opportunities for disclosure of information, and their rights under state and
federal law.
N Y N Y Y Y
2016 North Carolina HB1030
2016 Appropriations Act: A private college or university that discloses personally
identifiable information in student data or records according to the terms of a
written agreement with a State agency, local school administrative unit, community
college, constituent institution of the University of NC, or the NC Independent
Colleges and Universities, in compliance with FERPA, shall not be liable for a
breach of confidentiality, disclosure, use, retention, or destruction of the student
data or records, if the breach, disclosure, use, retention, or destruction results
from actions or omissions of either: (1) the NC Independent Colleges and
Universities, the State agency, local school administrative unit, community college,
or constituent institution of the University of NC to which the data was provided,
or (2) persons provided access to the data or records by those entities. Also
mandates institutions of higher education to transfer student data according the
Govt. Data Analytics Center. Mandates a study to be conducted by the Dept. of Public
Instruction regarding cybersecurity in public schools and allows them to request
security policies from schools.
N Y Y N Y Y
2016 North Carolina HB632 (2015)
Prohibits Internet/application service providers to K-12 schools from engaging in
targeted advertising based on covered information, using information to amass a
profile aside from furthering K-12 purposes, selling student information, disclosing
covered information (except for listed exceptions). Requires service provider to
implement security procedures and delete covered information upon request of the school or
local board of education. Provides cause of action for violation of the terms.
N Y N N N N
2015 North Dakota SB 2326
Would require the development of terms of access to data in the SLDS, the
implementation of privacy and security measures including audits, breach
notification procedures, staff training for those with access to the SLDS. Would
require state and district data inventories, why data are collected, and who can
access them. House version: would prohibit most data sharing without consent of the
board. Would require audits and data governance through a SLDS committee.
N Y Y N Y Y
2017 North Dakota SB 2295
A bill relating to the exemption of state university and college title IX records
from public disclosure: This bill exempts university research records and student
personally identifiable information from public disclosure. This however, does not
apply to a student record or other information disclosed by an institution under the
control of the state board of higher education to the statewide longitudinal data
system. Further, any record relating to a complaint or investigation under title IX
of the Education Amendments of 1972 at an institution under the control of the state
board of higher education is an exempt record.
N Y Y N Y N
2014 Ohio HB 487
Mandates state board to adopt data system- among basic requirements, annually
reporting data to public, safeguards for confidentiality; iterates numerous specific
information that must be in the data system (costs, graduation rates,
extracurricular information, information about staff) and assignment of student ID
number. Allows dept. to sanction or take away funds from districts that do not
adequately report information or conform to data requirements and supervise the data
system thereafter.
N Y N N Y Y
2013 Oklahoma HB 1989
Mandates the State Board to create and make publicly available an inventory of
student data and for what purposes data is collected. Limits reasons for the State
to transfer student data. Mandates State Board to create data security plan which
includes privacy and security audits, breach procedures, and data retention and
disposition policies. Governs privacy provisions in vendor contracts. Annually
update the Governor and Legislature on a variety of updates, changes, and security
audits in regards to new student data in the system.
N Y N Y Y Y
2016 Oklahoma HB2784
Student Records: The Board of Education of each school district is required to
compile and maintain temporary and permanent records of students enrolled and must
regulate access, disclosure, or communication of information contained in the
student records in a manner consistent with state and federal law
N Y N N N Y
2017 Oklahoma HB 1506
The board of education of each school district in Oklahoma shall compile and
maintain both temporary and permanent records of students enrolled in the district
and regulate access, disclosure or communication of information contained in the
student records in a manner consistent with state and federal law. This bill
specifies that all documents and information in student records may be stored either
electronically or in paper format, and be either in a single or multiple file
format.
N Y N N Y Y
2015 Oregon HB 2655
Would require the state board to develop rules around when education records can be
transferred by a school. Would allow parents "the right to limit the collection,
storage, use and transmittal of academic information and personally identifiable
data." Would allow parents to opt-out of statewide summative assessments. Would
require information on summative assessments administered, their purpose,
information for the student on the assessment and its use, and who has access to the
data.
N Y N N Y Y
2015 Oregon SB 187
Would prohibit an online service operator from using student data for commercial or
secondary purposes while allowing for recommendation engines, personalized learning,
and service improvement.
N Y N Y N N
2014 Rhode Island HB 7124
Prohibits public or private educational institutions (and employers) from requesting
login information from students or prospectives (and employees) to their personal
online account that is not used for school-related communications. Prohibits the
educational institution from chastising student in any way for failure to disclose.
Prohibits the educational institution from requesting student log into an account in
presence of school administration or staff and from adding school administration or
staff as a contact on the account as a condition of participating in an
extracurricular activity.
Y Y Y N N N
2014 South Carolina HB 3893
Dept. of Ed. cannot collect student data from students or families unless it is to
comply with IDEA. The Dept. has to have a data management system to which only
authorized individuals can access. Dept. must also have data request procedures
N Y N N Y Y
2014 South Dakota SB 63
Mandates Dept. of Ed. to create uniform system to gather and report educational data
for the purposes of evaluating educational progress. Dept. must write annual report
on progress and submit it to legislature, school districts, and public. Schools
can't collect lifestyle information unless adult student or parent provides consent.
Prohibits Dept. from reporting PII to US Dept. of Ed., but it can provide aggregated
information.
N Y N N Y Y
2014 Tennessee SB 1835 (HB 1549)
Data collected for the use of or testing under educational standards adopted by the
board can only be used to track the academic progress and needs of students.
Prohibits collection of and sharing with the federal government any personally
identifiable data and lifestyle information of students and their families
(including biometric and psychometric); prohibits collection of student data for
commercial or political purposes.
N Y N Y Y Y
2014 Tennessee HB 4046 (HA0885)
Data collected for the use of or testing under educational standards adopted by the
board can only be used to track the academic progress and needs of students.
Prohibits collection of and sharing with the federal government any personally
identifiable data and lifestyle information of students and their families
(including biometric and psychometric); prohibits collection of student data for
commercial or political purposes.
Y Y Y N N Y
2016 Tennessee HB 1931
Same as SB 1900; Would prohibit the principal/designee from identifying the
victim of harassment, intimidation, bullying, or cyber-bullying in a public
report.
Y Y Y N N Y
2018 Tennessee HB 2087
This bill creates additional privacy protections for students' education and health
records and prohibits release of student records, including participation in a
personal analysis, an evaluation, or a survey not directly related to academic
instruction, in certain circumstances without parents' informed written consent.
This bill will amend existing statute to specifically require LEAs and schools to
take all measures to protect personally identifiable information. Note: This bill
amends several sections of current Tennessee statutes
N Y N N Y Y
2015 Texas HB 4046
Defines student record to include information an applicant sends for admission or
transfer to a school. Would allow information to be redacted without requesting a
decision from the AG. Would allow schools to release data upon request of a student
or parent for admission processes.
Y Y Y N N Y
2017 Texas HB 2087
This bill relates to restricting the use of covered information, including student
personally identifiable information, by an operator of a website, online service,
online application, or mobile application for a school purpose.
N Y N Y N Y
2019 Texas SB 820
Requires that each school district shall develop and maintain a cybersecurity
framework for: (1) the securing of district cyber infrastructure against cyber
attacks and other cybersecurity incidents; and (2) cybersecurity risk assessment and
mitigation planning. (c) The school district’s cybersecurity framework must be consistent
with the information security standards for institutions of higher education adopted
by the Department of Information Resources under Chapters 2054 and 2059, Government
Code. Provides that (d) the superintendent of each school district shall designate a
cybersecurity coordinator to serve as a liaison between the district and the agency
in cybersecurity matters. (e) The district’s cybersecurity coordinator shall report to
the agency any cyber attack, attempted cyber attack, or other cybersecurity incident
against the district cyber infrastructure as soon as practicable after the discovery
of the attack or incident.
Y Y N M N Y
2015 Utah HB 68
Would require the State Board to make recommendations to the Legislature on updating
student privacy laws in statute and in board rule (with input from educators,
parents, other stakeholders). Recommendations would address data security,
communicating to parents how data are used, processes for data disclosure to other
education agencies, other states, and third parties (including contact requirements
and prohibitions against using data for non-education services and commercial
purposes). Would require the State Board to designate a chief privacy officer.
N Y N Y Y N
2015 Utah HB 163
Would require an education entity to notify the parent if there is a release of the
student's PII due to a security breach.
N Y N N Y Y
2015 Utah SB 204
Would allow a parent to opt-out of any federally or state mandated assessment or an
assessment that requires use of a state assessment system or software that is
provided or paid for by the state. Would require the State Board to publish a list
of state assessments, state assessment systems, and software that qualify under the
bill.
N Y N N Y Y
2016 Utah HB358 Establishes that "a student owns the student's PII"; Would require the state board
to establish a student data policy advisory group to discuss and make
recommendations regarding enacted or proposed legislation and state and local
student data protection policies in the state; Would require state board to
establish a student data governance advisory group that performs duties related to
state and local data protection; Would require the state board to establish a
student data users advisory group composed of members who use student data at the
local level and provides feedback and suggestion on the practicality of actions
proposed by the student data policy advisory group and the student data governance
advisory group; Would prohibit collection of SSN by an edu entity; Defines
'permanent record'; Would require the board to make rules regarding using and
expunging student data; Prohibits educational entity from sharing student PII except
as provided in FERPA and this bill
N Y N Y Y Y
2017 Utah SB102 This bill provides that local school boards or charter schools governing boards must
require public schools to make lists of individuals who are authorized to access
education records. Further, local school and charter governing boards must provide
training on student privacy laws and require individuals who are authorized to
access education records to complete training on student privacy laws. Finally, this
bill would prohibit local school boards and charter school governing boards, public
schools, or school employees from sharing an education record with a school employee
who is not authorized without written consent.
N Y N N N Y
2017 Utah SB 163
This bill modifies provisions of the Student Data Protection Act; expands and
clarifies the definition of targeted advertising; deletes the requirement that any
education entity that collects student data shall prepare and distribute to parents
and students a student data disclosure statement that states that parents and
students are responsible for the collection, use, or sharing of student data;
permits a third-party contractor to identify for a student nonprofit institutions of
higher education or scholarship providers that are seeking students who meet
specific criteria.
N Y N Y Y Y
2018 Utah SB207 This bill amends provisions related to student data protection. This bill would
establish who may access a student's student data. Further, the board is
required to make rules to define a significant data breach. This bill also
amends existing statute regarding collection notice statements. Finally, this
bill would prohibit education entities, including student data manager, from
sharing personally identifiable student data without written consent.

N Y N N Y Y
2019 Utah HB 27 Updates public education definitions, modifies that the student data manager shall
share student data with the state board rather than just "the board"
N Y Y N Y N
2019 Utah HB 28 Updates public education definitions, modifies that the student data manager shall
share student data with the state board rather than just "the board"
N Y Y N Y N
2019 Utah SB164 Repeals provisions related to the State Board of Education sharing student data with the
Utah Registry of Autism and Developmental Disabilities and repeals provisions
related to the State Board of Education sharing student data with the State
Board of Regents.
N Y Y Y Y Y
2020 Utah SB 166 Requires law enforcement to provide and validate information necessary for the state
board to complete a required report on incidents that occur on school grounds;
clarifies requirements regarding the content of privacy notices; exempts schools
from certain contractual provisions related to sharing directory information if
the directory information is shared in accordance with federal law; binds other
government agencies that contract on behalf of education entities to the same
requirements as education entities; clarifies that education entities may obtain
written authorization to waive a provision of a contract with a third-party
contractor related to a student's student data; and requires information related
to suspension or expulsion to appear in a student's cumulative folder.

Y Y N N Y N
2014 Virginia SB 242
A private or public institution of higher education can request from students who
are committed to attend or currently attend their complete student record, including
mental health record. No public institution of higher education shall sell students'
personal information to any person.
N N Y N N N
2015 Virginia HB 1334
Would require the state Dept. of Ed to develop and make publicly available
policies to ensure state and local compliance with FERPA and state privacy laws
(including policies around access to PII and review of requests from public and
private entities) and require parental notification in instances of possible
disclosures of electronic records in violation of FERPA or other federal or state
law and remedial measures being taken.
N Y N N Y N
2015 Virginia HB 1612
Would require school service providers to provide clear info on the student data
they collect and how the data are maintained and used, maintain a privacy policy and
provide notice before making any changes, maintain a security program, facilitate
access and correction of student personal data, collect and use student data with
parental consent or for teacher/school authorized purposes, obtain consent for using
data in a way "inconsistent" with the privacy policy or authorized purpose. Would
prevent a school service provider from using data for behaviorally targeting
advertisements to students, creating a student profile without consent or
authorization, or retaining information except as authorized or with consent.
N Y N Y N Y
2015 Virginia HB 1698
Would require parental notice before the administration of any survey on "sensitive"
topics, an explanation of privacy measures, and the right to exempt their child from
participating.
N Y N N N Y
2015 Virginia HB 2350
Would direct the state Dept. of Ed and the Virginia Information Technologies Agency
to develop a model data security plan for districts to implement policies and
procedures related to the protection of student data and data systems. Would require
the Dept. of Ed to designate a chief data security officer to assist local school
divisions with the development or implementation of policies around data security
and data use.
N Y N N Y Y
2016 Virginia SB 438
This bill prohibits a public or private institution of higher education from
requiring a student to disclose the username or password to any of such student’s
personal social media accounts. It also prohibits a public institution of higher
education from selling student PII.
N N Y N N N
2016 Virginia HB519
Would require school-affiliated entities (e.g. alumni associations, PTAs,
scholarship organizations) to provide information on the student PII they collect
and maintain and implement privacy and security policies. Would prohibit these
entities from selling student PII or collecting, using, or disclosing it without
consent.
N Y N Y N Y
2016 Virginia HB 749 School Service Providers: Makes several changes to the provisions relating to the
protection of student personal information by school service providers, including
(i) providing that student personal information does not include information that is
publicly available; (ii) defining "targeted advertising" as advertising that is
presented to a student and selected on the basis of information obtained or inferred
over time from such student's online behavior, use of applications, or sharing of
student personal information and prohibiting school service providers from knowingly
using or sharing any student personal information for the purpose of targeted
advertising for students in operating a school service pursuant to a contract with a
local school division; and (iii) clarifying that other provisions of law do not
prohibit school service providers from performing certain acts, including disclosing
student personal information to ensure legal or regulatory compliance, protect
against liability, protect the security or integrity of its school service, respond
to or participate in judicial process, or protect the safety of school service users
or other individuals.
N Y N Y N N
2016 Virginia HB 750 Student personal information: Excludes any website, mobile application, or online
service that is used for the purposes of college and career readiness assessment
from the definition of “school service,” thus relieving providers of such websites,
mobile applications, and online services from the obligation to provide various
protections for student personal information collected through such websites, mobile
applications, and online services. Each school service provider under this bill is
required to provide clear information about the types of student personal
information it collects through any school service and how it uses and shares such
student personal information.
N Y N Y N N
2017 Virginia SB951 School Service Provider: student access to collected personal information: This bill
requires school service providers to provide each student's parent with access to a
downloadable electronic copy of any student personal information pertaining to such
student that has been collected, maintained, used, or shared by the school service
provider. Contracts between local school boards and school service providers may
require that such copy be in a machine-readable format.
N Y N Y N Y
2018 Virginia HB1 Clarifies that the definition of "scholastic records" in the Virginia Freedom of
Information Act includes directory information, but also provides that such
directory information may be released to the public only if the student who is
the subject of such information, or the student's parent or legal guardian if
the student is less than 18 years of age, has expressly consented, in writing,
to the release of such information.
N Y Y N Y Y
2019 Virginia HB2449 Scholastic records; disclosure of directory information. Provides that a school or
institution of higher education may disclose certain directory information of a
student to certain internal persons for educational purposes or internal business if
the student has not opted out of such disclosure. Under current law, such
disclosures require written consent. The bill also provides an exception for state
and federal law requirements from the prohibition of such disclosures.
N Y Y Y Y Y
2015 Washington SB 5419 (HB 1495)
Would require service providers to provide clear privacy policies and notice of any
policy changes. Would require service providers to have a security plan. Would
prohibit service providers from selling student information or from using it for
targeted advertising, creating a profile, or any purpose not agreed to without
consent. [Senate version of HB 1495]
N Y N Y N N
2016 Washington, DC B21-0578
Bill 21-0578, the “Protecting Students Digital Privacy Act of 2016,” requires that
any contract or agreement between a local education agency and a student information
system provider shall expressly authorize and require the provider to establish,
implement, and maintain appropriate security measures to protect student data;
prohibits an educational institution or 1-to-1 device provider that provides a
technological device to a student for overnight or home use from accessing or
tracking the device except in limited circumstances; prohibits an educational
institution from requiring or coercing a student or prospective student to disclose
the user name and password to a personal social media account; and prohibits school
employees from accessing or compelling a student to produce data stored upon, or
accessible from a student’s personal technological device except in limited
circumstances.
Y Y N Y Y Y
2014 West Virginia HB 4316
Mandates the Dept. of Ed. to create data system, create and make publicly available
policies that comply with FERPA, restrict access to the data system to authorized
staff, notify parents of inter-agency sharing agreements and give parents
opportunity to opt-out of sharing their student's data, develop data request
procedures, develop data security plan with the basic requirements (compliance,
audits, breach procedures, data retention/disposition, employee training), ensure
vendor contracts have express provisions that safeguard privacy and security and
penalties for noncompliance, notify governor/legislature of updates to data
collection and audits. Prohibits collection of lifestyle information and reporting
to state any biometric information. Mandates appointment of data governance manager
and lists responsibilities. Development of guidance for districts to notify and deal
with parental requests to access student data.
N Y N N Y Y
2016 West Virginia HB4261
Student Data Accessibility, Transparency, and Accountability Act: A bill relating to
student data - this bill prohibits the sale or transfer of student data to vendors
and other profit-making entities. Provides for certain exceptions including when the
department enters a contract that governs student or redacted data with a contractor
for the purpose of state level reporting; in the event the ACT or SAT tests are
adopted as the state summative assessment, allows the ACT or College Board to use
certain information; requiring written consent if information classified as
confidential is required.
N Y Y N Y N
2014 Wyoming SF 79
Mandates Dept. of Enterprise Technology Services and State Superintendent to
establish criteria for education data mgmt. system on education accountability and
assessment, teacher certification, and school finances. Also mandates creation of
data security plan with all the basic requirements; policies that comply with FERPA;
prohibits sale of student data to private entities.
N Y N N Y Y
2017 Wyoming HB0008
This Act would amend requirements of the State Superintendent and Department of
Enterprise Technology Services regarding the state data security plan. This would
ensure privacy of student data collected - this would require certain policies for
the collection, access, privacy, security, and use of student data by school
districts.
N Y N N Y Y
2017 Wyoming HB0009
Student Electronic Writings and Other Electronic Communications - Expectation of
Privacy. No ownership rights to any electronic writing or other electronic
communication created by a student shall be conveyed, transferred, or otherwise
affected solely as a result of the writing or other communication being stored on an
electronic device paid for in whole or part by the university or transmitted or
stored on the university's network.
N N Y N N N