The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.
While the practice of collecting data about students is not new–schools have been gathering and reporting test scores, grades, retention records, and the like for years–the means by which student data is collected, the types of data collected, and the entities that ultimately have access to this data have expanded dramatically, the report explains.
In order to understand the laws on a state level, as well as in a regional and national context, let’s look at each state and region individually, using the United States Census Bureau’s four statistical regions–the Northeast, Midwest, South, and West.
- Alabama–There doesn’t seem to be a general definition of what constitutes an education record in the state, according to the report. However, the state does offer a definition when specifically discussing the children of members of the armed services. Additionally, Alabama law does not appear to directly address sharing student data with third parties. Overall, state law comes up lacking when addressing student data. The state doesn’t have a specific data retention limit in its statute, and it does not appear to require de-identification or aggregation of data or to mandate a security program or specific security protocols.
- Arkansas–The state does provide a definition of student data; however, concerning educational record, the report notes that no clear definition is given, but each school district must maintain a permanent student record as outlined by the state Department of Education. Arkansas’ Student Online Personal Information Protection Act limits the use and dissemination of student data by owners (or “operators”) of Internet websites, online services, and online and mobile applications that are designed, marketed, and used primarily for public school purposes and are operating in that capacity. Additionally, the report notes that disclosure limitations do not apply if parties have the “affirmative consent” of the school, student, parent or guardian, in response to clear and conspicuous notice of the use or disclosure. The state’s statutes also provide for security protocols, but do not require de-identification or aggregation of data. Additionally, the report notes that limits on data retention are unclear.
- Delaware–Delaware gives detailed definitions for both educational records and student data. Third parties are also barred from using student data for targeted advertising, from using information gathered to amass a profile of a student except in furtherance of K-12 school purposes, from selling student data, and from otherwise disclosing student data. While there are security protocols and data retention rules, there are no requirements to de-identify data.
- Florida–Florida uses FERPA’s (Family Educational Rights and Privacy Act) definition of educational record and provides its own, detailed definition of student record. The state also provides rules on security protocols and data minimization; however, the de-identification and aggregation of data are not codified.
- Georgia–The state provides definitions for both educational record and student data and also requires that schools keep data private and confidential–unless required by law or court order to share the data. The state also provides for security protocols, data disposal policies, and the de-identification and aggregation of data.
- Kentucky–Kentucky gives lengthy and detailed definitions for both educational record and student data. The state does require that student data be kept confidential except in limited circumstances. For instance, the state is allowed to release limited data to military recruitment officials and parents of minor students. The state also provides specific time frames for when data must be disposed of, including print, digital, and auditory records. Kentucky requires security protocols to be followed and requires the de-identification of data.
- Louisiana–The report notes that while educational record is used in the statutes, it is undefined by the state. The state does provide a definition for student data. Schools must keep data confidential. Additionally, the statutes require that no city, parish, or other local public school system, local or state governmental agency, public or private entity, or any person with access to personally identifiable student information shall sell, transfer, share, or process any student data for use in commercial advertising, or marketing, or any other commercial purpose. Additionally, the report explains that no person or public or private entity shall access a public school computer system on which student information is stored. The state does provide limited exceptions to these rules, including complying with a court order or providing student data with a parent or student’s permission. The state also provides guidance for data disposal for schools and contractors, as well as security protocols. The Bayou State also requires each local public school board to assign a unique student identification number to every student enrolled in a public elementary or secondary school, which students shall retain for their entire tenure in Louisiana public elementary and secondary schools.
- Maryland–Maryland provides definitions for both educational record and student data. The state also requires they be kept confidential and prohibits contractors from selling data or using it in targeted advertising. Contractors are only allowed to share data when it’s for the purpose of the site or application in question. Additionally, whoever the contractor shares the data with must agree to keep it confidential. The state also provides for security protocols, data disposal rules, and requirements for de-identification and aggregation.
- Mississippi–The state does provide a definition for educational record, and while it doesn’t provide a specific one for student data, much of what is typically defined as student data is lumped in with educational record. In terms of sharing student data, the school boards of all school districts have the power to delegate, privatize, or otherwise enter into a contract with private entities for the operation of any and all functions of nonacademic school process, procedures and operations including data processing and student records. Similarly, the report notes that the State Longitudinal Data System Governing Board is authorized to contract with a third party to manage and maintain the system and to ensure the policies and procedures developed by the board are enforced. While the state does have data disposal policies and data security protocols, it does not have requirements regarding de-identification or aggregation of data.
- North Carolina–North Carolina provides definitions for both educational records and student data in its statutes. Additionally, the state requires data be kept confidential and prohibits third parties from selling any student data they possess as a result of contracted work with schools, unless they receive written permission from a student’s parent. The state also provides data minimization rules, security protocols, and guidelines for de-identification and aggregation of data.
- Oklahoma–The Sooner State offers definitions for both educational record and student data, with student data having a lengthy and detailed definition. The state also requires that schools comply with FERPA regulations and bars schools from entering into any agreement to sell student data to any creditor for purposes of marketing consumer credit to students. The Board of Education is required to develop data retention and disposal policies. However, schools are also required to file and permanently retain the original copy of individual scholastic and other permanent student records. Oklahoma also requires the BoE and schools to maintain security protocols to keep student data secure. Additionally, the state requires the BoE to ensure that any contracts that govern databases, assessments, or instructional supports that include student or de-identified data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance.
- South Carolina–South Carolina offers no defined terms in its statutes, though it does prohibit the government from sharing student data with third parties and requires security protocols to be followed. There are no regulations regarding the disposal of student data, though it is required to be de-identified and used in aggregate in certain reporting circumstances.
- Tennessee–The state offers lengthy definitions and descriptions of educational records and student data. It also protects data from being released to third parties, except in necessary circumstances. Additionally, whenever data is used for research or reports, it must be de-identified and used in aggregate. The Volunteer State also has strong security protocols to protect data and has strict requirements about how and when to dispose of student data.
- Texas–Texas pulls its definition of education records directly from FERPA. However, Texas’ definition of student data is unclear. According to the report, it seems to include course or grade completion, teachers of record, assessment of instrument results, receipt of special education services, and personal graduation plan. The state is also prevented from sharing data except in limited circumstances. The state also has strong regulations for data minimization, security protocols, and de-identification policies.
- Virginia–Virginia has lengthy regulations governing student data, with strong definitions for both educational records and student data. The state also prohibits the release of student data to third parties unless it’s de-identified information for research, or to a state or Federal employee such as a law enforcement officer or social worker. Additionally, the state specifically prohibits school service providers from using or sharing student personal information for behaviorally targeted advertisements to students, or from using or sharing student personal information to create a personal profile other than for supporting purposes. There are laws in place for the retention and disposal of student data, as well as security protocol and de-identification and aggregation requirements.
- Washington, D.C.–The District of Columbia provides no definitions for educational records or student data. The report notes that no specific statute prohibits the sharing of student data with third parties. However, the District does require that the Office of the State Superintendent of Education develop and implement “a longitudinal educational data warehouse system” that maintains the confidentiality of individual student and staff data, in accordance with D.C. and Federal confidentiality laws, rules, and regulations, according to the report. The District doesn’t provide data retention guidelines, nor specify security protocols.
- West Virginia–According to the report, educational records do not include teacher notes (not shared with others), law enforcement records, employment records, records by a health professional created in connection with provision of treatment to a student, and records of an educational agency or institution that contain only information related to a person after that person is no longer a student at the educational agency or institution, such as alumni records. The state does require data be kept confidential from third parties except for limited exceptions, including parents, medical emergencies, law enforcement officers, and in the event of an emergency. When it comes to disposing of student data, school boards are allowed to do as they wish. The report explains that an educational institution is not precluded from destroying records and may do so under certain circumstances. The report also explains that a school district has the responsibility to immediately respond to any data privacy or security incidents or breaches and report such incidents to the appropriate authorities. When the state is required to release public reports or student data by law, the information will also be presented in aggregate.
Also in This Report:
Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming
Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, Wisconsin
Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, Vermont