The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.
While the practice of collecting data about students is not new–schools have been gathering and reporting test scores, grades, retention records, and the like for years–the means by which student data is collected, the types of data collected, and the entities that ultimately have access to this data have expanded dramatically, the report explains.
In order to understand the laws on a state level, as well as in a regional and national context, let’s look at each state and regional individually, using the United States Census Bureau’s four statistical regions–the Northeast, Midwest, South, and West.
- Alaska–When it comes to sharing student data with third parties, Alaska only allows student data to be shared with third parties when it’s required by the Family Educational Rights and Privacy Act (FERPA). In terms of data minimization, the report explains that in the context of education for children with disabilities and gifted children, if a record containing personally identifiable information is not needed to provide educational services, “The district shall destroy the record upon request of the parent. A record of the child’s name, address, telephone number, grades, attendance record, classes attended, grade level completed, and year completed must be maintained indefinitely.” Alaska doesn’t appear to require de-identification or aggregation of data. Additionally, while Alaska doesn’t have education-specific data security requirements, it does, according to the report, charge its state agencies to establish procedures that will “protect any confidential, privileged, proprietary, or security information.”
- Arizona–The state offers appropriate definitions for key data privacy terms. The Grand Canyon State says, according to the report, that student transcripts are not to be released to representatives of postsecondary institutions, the militia of Arizona, or the armed services of the United States without student consent. The report also explains that Arizona’s department of education specifically “may contract with a third party” to develop and implement an education learning and accountability system to maintain and report student-level data. The state does carve out limited exceptions to releasing student data, including when required by FERPA and for the department of juvenile corrections. Arizona uses FERPA’s requirements for data maintenance and disclosure. The state also requires the use of a unique “pupil identifier” in its database that is “not identifiable by anyone other than officials maintaining the education database,” as well as requiring security protocols to be followed carefully.
- California–California offers perhaps the most lengthy definitions of any state in the nation. The state requires data be kept confidential except under highly specific situations. Additionally, to release any minor student’s data, parents are required to provide written consent with specific language stipulated in the statutes. For research purposes, school districts are allowed to provide “statistical data from which no pupil may be identified” to public agencies, private nonprofit colleges, universities, or educational research and development organizations. Additionally, school districts may enter into a contract with a third party to provide services, including cloud-based services, or to provide digital educational software, as long as specific contract stipulations are included. The report also explains that school districts manage pupil records according to State Board of Education regulations. The state also has requirements concerning data gathered via social media. Information gathered from social media must be destroyed within one year after a pupil turns 18 or within one year after the pupil is no longer enrolled in the school district, county office of education, or charter school, whichever occurs first. While the Golden State doesn’t require de-identification, there are definitions of de-identified information in the statues.
- Colorado–Colorado offers strong definitions for key terms and requires that schools keep personal information confidential. Additionally, in terms of dealing with third parties, the report explains that the state board of education has to implement guidelines regarding how information may be shared with a third party, “including by instituting requirements on the recipient entities to not share students’ personally identifiable information with any further third parties and to destroy the personally identifiable information when it is no longer needed.” The school also has policies on data retention limits, security protocols, and requiring information to be presented in aggregate in government-mandated reports.
- Hawaii–While Hawaii defines educational record, it doesn’t appear to offer a definition for student data. The state requires schools to keep data secure and private, with limited exceptions. Schools are allowed to delete data when it is no longer appropriate, relevant, or required under department rules. The Aloha State does not appear to have codified a security program or specific security protocols. In terms of de-identification or aggregation of data, Hawaii appears to only have codified rules for charter schools. The report explains that performance provisions within the charter contract are to be based on a performance framework that includes indicators such as student academic proficiency and growth, attendance, and postsecondary readiness. This framework “shall require the disaggregation of all student performance data by major student subgroups.”
- Idaho–The state offers strong definitions for key terms and requires student data be kept private and limited to only board of education and school employees, as well as parents and other parties when necessary or legally required. In terms of third parties, the report notes that the BOE shall ensure that all school districts, schools, and other similar institutions contractually bind vendors to the use of aggregate data, or to use individual students’ data only in specific ways, and only with written permission from a student’s parent or legal guardian. The state also provides for data retention policies as well as security protocols in its statutes.
- Montana–The Treasure State provides a definition for educational record, but doesn’t provide one for student data. The state does require that student data be kept private and specifically stipulates that the superintendent of public instruction may not share, sell, or otherwise release personally identifiable information to any for-profit business, nonprofit organization, public-private partnership, governmental unit, or other entity unless the student’s parent has provided written consent specifying the data to be released, the reason for the release, and the recipient to whom the data may be released. The state also offers data retention schedules and security protocols. However, there is no statute on de-identification or aggregation of data.
- Nevada–Nevada aligns its definition of educational record with FERPA and doesn’t provide a definition of student data. Schools must keep collected data secure and private. Additionally, third parties are not allowed to use data to engage in targeted advertising, nor to sell the data to other companies. Statutes also provide policies for data retention and disposal. The Silver State also enumerates security protocols and requires that data be used in aggregate for reports, as well as by third parties looking to demonstrate the effectiveness of their products to potential new customers.
- New Mexico–New Mexico offers a brief definition of educational record and no definition for student data. The state prohibits schools from selling a student’s data to commercial enterprises, and requires schools to comply with FERPA. While New Mexico does have security protocols and requires de-identification and aggregation of data, it doesn’t have statutes on data retention and disposal.
- Oregon–Oregon provides highly detailed and specific definitions for key student data privacy language. Oregon also prohibits schools from disclosing personally identifiable data, except in limited circumstances, including parents of K-12 students, law enforcement, and medical professionals. Additionally, operators of websites, online services, or applications directed at K-12 school purposes may not engage in targeted advertising in the website, online service, or application, target advertising on any other site, service, or application where the targeting is based on information acquired through the use of the operator’s services, sell a student’s information or otherwise disclose a student’s information, according to the report. Oregon also has regulations regarding disposal of student data, security policies, and de-identification and aggregation of data for reporting and research.
- Utah–Utah uses the phrase “Student Achievement Backpack,” which encompasses all student data from when they first start school to when they graduate high school. The state offers a strong definition that encompasses all sensitive data. Currently, it’s not specified if data may be shared with third parties. In addition, the report explains, where the board enters into a results-based contract with a private entity to fund education, the contract must include that the private entity is not eligible to receive or view any personally identifiable student data of students funded through a results-based contract. However, the state doesn’t have requirements for data minimization or de-identification. The report notes, though, that Utah does have requirements regarding security measures in the state.
- Washington–Washington does offer substantive definitions of educational records and student data. Additionally, all pupil records maintained by a public school shall be confidential, with limited exceptions. According to the report, school service providers are required to delete student personal information within a reasonable period of time if the school requests it, with very limited exceptions. The state also has strong security protocols and requires de-identification and aggregation of data.
- Wyoming–The state doesn’t offer any definitions for educational records or student data. While there isn’t a specific statute prohibiting the sharing of student data with third parties, the Cowboy State does require the State Superintendent to establish a state security plan that prohibits the sale of student data to private entities or organizations. The superintendent’s data security plan encompasses a wide array of student data issues, including data retention and disposal, as well as data safeguards. One thing that is lacking in the state is language regarding the de-identification or aggregation of data.
Also in This Report:
Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, Washington, D.C., West Virginia
Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, Wisconsin
Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, Vermont