New State Laws Reveal a Shift in Thinking on Student Data Privacy

Posted by Matt Berringer on March 3, 2016

Key Takeaways for District Leaders

  • Student privacy is important for schools, but state regulations are shifting from prohibition to governance.
  • States are shifting the responsibility for ensuring the proper use of student data from school districts to service providers.
  • Laws like SOPIPA can help prevent companies from using student data for marketing purposes, but district leaders should still look for vendors with a track record of protecting student privacy.
  • The Student Privacy Pledge is one way vendors can help districts know more about their commitment to student data privacy.

While U.S. states continue to focus on how best to ensure the privacy of student information in the digital age, a new analysis by the Data Quality Campaign (DQC) suggests the focus of this conversation is shifting in ways that have important implications for K-12 schools.

Forty-six states introduced a total of 182 bills that addressed student data privacy in 2015, and 15 states passed 28 student data privacy laws, the DQC says. That’s up from 110 bills and 24 new student data privacy laws in 2014.

Shifting From Prohibition to Governance

But the DQC analysis reveals that states are shifting their focus from taking a prohibitive approach—that is, preventing the collection of certain types or uses of data—to more of a governance approach, by establishing procedures, roles, and responsibilities to make sure student information is used appropriately.

What’s more, states are shifting the responsibility for ensuring the proper use of student data from school districts to service providers.

Consider these numbers:

  • Of the 24 student data privacy laws that states passed in 2014, 20 included prohibitive rules (83 percent) and 15 included governance provisions (63 percent). Of the 28 laws passed in 2015, 15 included prohibitive rules (53 percent) and 24 included governance provisions (86 percent).
  • In 2014, 12 state laws established data privacy requirements for vendors and nine established requirements for school districts. In 2015, 13 state laws imposed new requirements on vendors and seven imposed requirements on districts.
  • The shift in responsibility from school districts to vendors is even more evident when considering all of the legislation introduced. In 2014, 39 of the 110 student data privacy bills that were introduced would have imposed new requirements for vendors (35 percent), and 28 proposed new requirements for schools (25 percent). In 2015, 69 of the 182 bills introduced targeted vendors (38 percent) and 23 targeted schools (13 percent).

The Student Online Personal Information Protection Act

Many states are modeling their student data privacy legislation after California’s landmark 2014 law, the Student Online Personal Information Protection Act (SOPIPA). SOPIPA “governs the activities of online service providers, rather than the state agencies or districts that may contract with them,” the DQC notes.

California’s law prohibits online service providers from selling student data and using this information to target advertising to students or to create a profile on students for a non-educational purpose. It also requires online service providers to maintain adequate security measures and to delete student information at the request of a school or district.

Twenty-five states introduced bills modeled after SOPIPA in 2015, the DQC says—and ten states passed new laws modeled after the legislation.

What do these trends mean for school districts? State governments are recognizing the importance of data collection in helping schools personalize learning for every student—and they’re looking for ways to protect student information without compromising how data can be used to improve instruction.

Shifting Responsibility from Districts to Vendors

State lawmakers also are shifting the onus from districts to their service providers to make sure student information, typically housed in student information systems, is used appropriately. Laws like these can help prevent companies from using student data for marketing purposes, but K-12 chief technology officers and technology directors should still be careful when choosing service providers and should look for providers with a proven track record of safeguarding student privacy.

The Student Privacy Pledge

To help districts know more about vendors with regard to student data privacy, the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) introduced the Student Privacy Pledge to safeguard student privacy.

According to the pledge, school service providers are accountable to:

  • Not sell student information
  • Not behaviorally target advertising
  • Use data for authorized education purposes only
  • Not change privacy policies without notice and choice
  • Enforce strict limits on data retention
  • Support parental access to, and correction of errors in, their children’s information
  • Provide comprehensive security standards
  • Be transparent about collection and use of data

As of February 2016, more than 200 companies had signed the pledge, including SunGard K-12.
