Student Data Privacy Regulations Across the U.S.: A Look at How Minnesota, California and Others Handle Privacy

Student data privacy isn’t new but has gained significance since the onset of the COVID-19 pandemic. At the federal level, the laws in place revolve primarily around parental rights and consent, but states are largely on their own when it comes to student data privacy legislation as it relates to state boards of education, local educational agencies (LEAs) and individual schools. 

Below you will find the existing federal legislation and legislation in Minnesota, California, Illinois, and New York to get a sense of what LEAs need to think about as they look to the future. This post is not intended to provide legal advice but rather to shine a light on the different ways student data privacy is being regulated across the United States.

Federal Legislation 

At the federal level, there are three laws that are most referenced when it comes to student privacy and local educational agencies (LEAs).

The Family Educational Rights and Privacy Act (FERPA), was passed in its initial form in 1974. It focuses on the protection of student education records, and grants access rights to parents up until the student reaches the age of 18, at which point the rights transfer to the student.

The Protection of Pupil Rights Amendment (PPRA) is about parental rights to limit the personal information that schools may collect from students. FERPA|Sherpa explains the difference between FERPA and PPRA this way, “FERPA protects information the school already has on record and PPRA protects information that schools do not have but can collect for surveys.”

The Children’s Online Privacy Protection Act (COPPA), focuses on the protection of data for young children by requiring operators of online services, websites, games, or mobile applications to obtain permission from parents before collecting personal information online from children under 13. It applies to schools when they are acting as “agents” of parents by contracting with online services or websites for educational purposes. The Federal Trade Commission, which oversees COPPA, outlines best practices for schools to follow when contracting with a third party website or online services provider but does not mandate compliance.

While the U.S. has not instituted broad regulations on data protection and privacy, such as those that went into effect in Europe under the General Protection Regulation 2016/679 (GDPR), there is buzz that this could happen. California has already passed its own version, the California Consumer Protection Act (CCPA), outlining consumer rights with respect to their personal data that is collected by businesses. While these protections are not specific to students, they will have implications for edtech providers.

State Legislation

At the state level, things get more complex. According to FERPA|Sherpa, which has a helpful sortable chart of state student privacy laws passed between 2013 and 2019, there are 40 states (plus the District of Columbia) with one or more laws on the books related to student privacy, 114 of these laws are applicable to K-12 education. Of these 114 laws, 53 legislate vendors, 71 legislate state educational agencies (SEAs), and 85 legislate local educational agencies (LEAs).   

So, for most states, the answer to the question, “Does my state have any student privacy laws on the books?” is most likely “Yes, and more than one.”

Below, we take a closer look at some recent developments in four states and discuss how they are changing “business-as-usual” for LEAs, schools, and educational technology providers throughout the United States. 

Minnesota

Recently, Minnesota has taken more steps to further the protection of student educational data. With FERPA having originally been passed in 1974, the new House Bill, HF2353, continues to modernize the approach to keep students safe.

The Minnesota Government Data Practices Act, Chapter 13 of Minnesota statutes provides a broad and over-encompassing definition of educational data as a means to protect its students. It states that educational data is any data associated with public educational agencies as it relates to students. A student's private educational data cannot be disclosed to a third party unless permission has been given by a legal guardian or an exception applies.

The new bill also states that all educational data created, received, maintained or disseminated by a technology provider, either intentionally or not, with a contract with a public educational agency or institution is not the technology provider's property. This said, all of a students’ educational data must be destroyed or returned to the public educational institution.

These statutes all serve as a means to bring protection to all students in Minnesota as it correlates with the times and the ongoing growth of edtech use in classrooms. Schools collect plenty of personal and sensitive information about its students and these records should remain safe and under FERPA laws, student data only provides minimal protection. Previously, the Student Data Privacy Act prohibited providers from selling or disseminating student data and HF2353 extends these efforts as technology and use continue to develop.

The COVID-19 virus has also changed how teaching and learning take place, increasing hybrid learning and students using edtech. This directly correlates with an increase in more student data being stored on their devices. The full document of the house bill can be found on the Minnesota legislator's website.

This new bill and laws will be effective for the 2022-2023 school year and beyond.

Minnesota district leaders: LearnPlatform by Instructure is a single system that is set up to help you meet requirements by this deadline. Contact a member of our team now to help.

California

California has several rules on the books concerning student data privacy. The Student Online Personal Information Protection Act (“SOPIPA”) was passed in 2014 and went into effect in 2016. SOPIPA is considered by many to be the most comprehensive student data privacy legislation in the United States that specifically addresses the changing nature of technology usage in schools by putting responsibility for compliance on the edtech industry.

SOPIPA expressly prohibits operators of a website, online service, or mobile application used primarily for K-12 school purposes from commercializing the collection of covered student data - either by selling it, using it to target advertisements to students or their families, or collecting it for any other noneducational purpose. It applies to any edtech company regardless of whether they have a contract in place with the school or district. It also removes the idea of consent, meaning parents and students cannot consent to a company’s use of a student’s personal information for commercial purposes.

An in-depth overview of SOPIPA and what it means for districts, parents and edtech providers is available on Common Sense Media’s website. The Electronic Privacy Information Center provides a good discussion of ways other states can build on the SOPIPA foundation when formulating their own student data privacy protections.

Illinois

In August 2019, Illinois Governor J.B. Pritzker signed House Bill 3606, the Student Online Personal Protection Act of 2019 (SOPPA), which replaced the original law signed in 2017. It went into effect on July 1, 2021. Largely seen as a response to large scale data breaches, HB3606 focuses on transparency in how student information is used, puts more control over data use in parents’ hands, and requires actions by educational technology companies (“operators”), schools, districts and the state board of education.

In particular, the law stipulates that data can only be collected by schools if related to school activities and that students’ personally identifiable information (PII) may only be used for beneficial purposes. The law cites “providing personalized learning and “innovative technologies” as examples of beneficial purposes.

A high-level yet comprehensive summary of all of the changes and what districts did to comply can be found in this online legislative brief published by the Learning Technology Center, an Illinois State Board of Education program supporting public pre-Kindergarten through 12th grade districts, schools and educators.

New York

New York Education Law 2-d is focused on the privacy and security of student PII as well as some PII related to classroom teachers and principals. It went into effect in 2014 and mandates each educational agency develop a Parents’ Bill of Rights for Data Privacy and Security (“Parents’ Bill of Rights”), publish it on their website, and include it with every contract the agency enters into with a third party who receives student data. In addition, the education agency must appoint a Chief Privacy Officer and certain provisions for contracts with service providers are outlined.

The Board of Regents in New York State went on to adopt Part 121 of the Regulations of the Commissioner of Education, which implemented Education Law Section 2-d (Ed Law 2-d). A few additional requirements included the adoption of a data security and privacy standard by the NY State Education Department, the creation of a data security and privacy plan, the designation by every educational agency, including schools districts, of one or more employees as data protection officers, and requirements for third-party contractors. Educational agencies are not the only ones impacted by Ed Law 2-d. Third-party contractors and their subcontractors are also required to meet certain standards for data security and privacy or risk a civil penalty.

Next Steps for LEAs

As seen through the examples above, many states are requiring LEAs to have a contract or data privacy agreement on file with any product company (“third party contractor”) that handles student data. These contracts are intended to ensure that third party contractors comply with whatever the state requires. Data privacy agreements (DPAs) done with the help of the Student Data Privacy Consortium (SDPC), part of Access 4 Learning Community, have helped to create a standard language for consortia to use with vendors to ensure compliance with specific state regulations.

Transparency with parents and communication about which third party contractors have access to student data is critical. Although California does not require a list of edtech tools used in a classroom to be produced, it is still considered best practice to do so and is required in both Illinois and New York. This requirement means that LEAs must know what’s being used across their district, regardless of whether a tool is accessed for free or through a paid license. Ensuring educators know what tools are approved for use (and with which groups of students) is the first step; communicating this information to parents follows from there.

States, including Illinois and New York, are requiring LEAs to have someone on staff be given responsibility for ensuring student data privacy compliance, whether they are named a “Chief Privacy Officer” or something different. Often, this requirement does not necessitate hiring a new employee but rather designating an existing employee as responsible for ensuring compliance with state regulations.

LEAs benefit from having a single system of record for all existing educational technology approved for use and actually in use within a district and a means for sharing that inventory with stakeholders, including classroom educators and parents. Gaining visibility into what edtech tools are being used across an LEA is the essential first step. They need to outline and follow clear processes for vetting and approving products and contracting with third parties, even if a product is free, should that product handle student PII.

LearnPlatform offers a single system to meet compliance. The platform combines insights from trusted third parties, such as Common Sense Education, Project Unicorn, SDPC, TrustEd Apps and Student Data Privacy Pledge, with functionality that allows LEAs to configure, automate, and align business processes around product requests and approvals with state-specific privacy requirements as well as more easily communicate with teachers and parents.

If you’d like to see how LearnPlatform by Instructure can support your district in meeting compliance, request a demo here.