In 2014, at least 16 states enacted laws regulating the privacy of student information. The trend is continuing in 2015, as at least 165 state student privacy bills have been introduced thus far, six of which have already been enacted in Virginia and Utah. As new state laws continue to be layered upon existing federal obligations such as the Family Educational Rights and Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Act (“COPPA”), schools, districts, ed tech companies, and other service providers face an increasingly complex regulatory regime.
The new state requirements vary. In some cases they restrict the type of information that may be collected from students. In other cases they strictly limit the ways in which student data may be used or disclosed, or require transparency regarding data collection, use, and disclosure practices; notification to parents in the event of a data breach; certain levels of security for student information; vendor contract terms imposing such requirements; or some combination of these and other requirements. Many, but not all, of the new laws apply only to data stored in the statewide longitudinal data system (“SLDS”).
In most cases, the new requirements apply to schools and school districts. However, many laws also require that schools and school districts include specific privacy and data protection terms in their contracts with ed tech companies and other service providers that may have access to student data. In addition, California’s Student Online Personal Information Protection Act, which was enacted in 2014 and becomes effective January 1, 2016, extends directly to operators of websites, online services, or online or mobile applications with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. The California Act restricts such operators from knowingly engaging in targeted advertising, amassing a profile about a K-12 student except in furtherance of K-12 school purposes, selling a student’s information, or disclosing student information other than for certain specified purposes.
Schools, districts, ed tech companies, and other service providers should monitor the new requirements, as well as relevant contractual obligations, to ensure that their privacy and data protection policies, procedures, and practices comply with the increasingly complex statutory and regulatory requirements applicable to student data.