The Pillars of Well-Designed Student Privacy Legislation
June 2024
Jessica Arciniega, Katherine Kalpos, Morgan Sexton, and Amelia Vance
CC BY-NC 4.0
Introduction
Over a decade ago, a wave of state student privacy bills arose on the heels of high-profile data breaches and growing concerns about privacy in general. In 2014, 36 states introduced 110 student privacy bills, with a high-water mark of 180 student privacy bills introduced in 49 states in 2015.1 Since then, over a thousand student privacy bills have been introduced in all 50 states, 146 passing into law.2
Much of the earlier legislation reiterated provisions already in the Family Educational Rights and Privacy Act (FERPA), the federal law regulating student privacy. Others built on FERPA’s protections by adding additional data governance and data sharing provisions for schools,3 or instead focused on establishing requirements and direct liability for education technology (edtech) vendors. Both of these approaches remain important today, as states continue to make progress by strengthening student privacy protections and incorporating stricter accountability measures for all relevant parties. Additionally, hindsight now offers valuable lessons on how to tailor legislative language to better avoid unintended consequences. Building on lessons learned from the past decade, state legislators can implement the common building blocks of well-designed student data privacy legislation that represent a blend of best practices and reflections on past missteps when adapting legislative language to keep pace with evolving technology and data uses.
We applaud the dedication of policymakers who have worked hard to create state-level protections that safeguard students’ data while enabling students to benefit from the incorporation of modern technologies and data sharing practices. At the same time, we encourage policymakers in states that have already enacted student privacy laws to continue engaging with these issues in order to improve existing legislation as unintended consequences are discovered and new considerations arise. The law, uses of data, and technological development are not static. In today's constantly evolving digital and educational landscape, it is crucial for privacy safeguards in existing legislation to keep pace with emerging risks and modern realities. There is a pressing need for all state policymakers, even those in states that have already enacted student privacy laws, to continually refine and enhance the privacy guardrails that protect student data.
Crafting well-designed student privacy legislation is no easy task. We’ve seen quite a few bills that, while well-intentioned, have created negative unintended consequences for schools and the students they’re meant to protect. This is exacerbated by the constant evolution of technology and how data is used in education, as the rapid pace of digital innovation has made it exponentially harder for policymakers to anticipate how even the most well-designed legislative safeguards will protect student data over time. Combined with recent concerns about emerging technologies such as artificial intelligence (AI), school safety, students' mental health, and academic freedom, the many considerations involved in protecting student data can feel especially daunting for policymakers.
This report aims to make the complex process of drafting and refining student privacy legislation easier for state policymakers. Well-designed state privacy laws share common features that establish the necessary guardrails to protect student data while not hindering the use of emerging technologies or data uses and sharing in schools that create better outcomes for students. In this report, we highlight these common pillars for state-level policymakers who are building their state student privacy protections from the ground up or reviewing their current guardrails to make them better.
Well-designed student privacy laws:
- are designed to address specific, defined problems
- have clearly stated goals and intent
- are crafted in consultation with stakeholders
- have definitions that are clear and complete
- identify who must comply
- designate responsible parties
- provide resources
- have clear data governance requirements and restrictions
- facilitate safe use of data
- have transparency requirements
- have accountability mechanisms
- have enforcement mechanisms
This report highlights principles and success stories from states across the nation and provides a reference for other states seeking to improve their student privacy protections. Our goal is to arm policymakers with the knowledge and tools necessary to advocate for, carefully craft, and continually improve state student privacy legislation that builds on effective legislation nationwide. By incorporating proven approaches and best practices, policymakers designing and improving their own privacy legislation have the opportunity to learn and take inspiration from other states’ success stories. Doing so will enable policymakers not only to tailor student privacy protections to students' current needs, but also to anticipate and mitigate future risks in ways that safeguard students' well-being today and for years to come.
How To Use This Resource
This report outlines the foundational elements of strong student privacy laws. It begins with an overview of the current student privacy landscape, starting with sectoral federal laws most relevant to student privacy, followed by a description of the evolving state legislative landscape. We then dive into the twelve building blocks of well-designed student privacy bills, featuring examples of how states have successfully incorporated each concept into their own bills.
The Student Privacy Landscape
To fully grasp the significance of the state student privacy legislation highlighted in this paper, we must first look at the broader legal landscape of student privacy protections. We begin by providing a brief overview of the environment in which state student privacy bills operate.
Sectoral Federal Student and Child Privacy Protections
Federal privacy laws in the United States take a sectoral rather than comprehensive approach. This results in a patchwork of protections whereby the same data may be entitled to different protections depending on the specific sector in which it is held. In the education sector, there are multiple federal laws that play a role in establishing key student privacy protections:
- The Family Educational Rights and Privacy Act (FERPA).4 FERPA is the primary federal law establishing student privacy rights in the education system. It requires schools to protect the privacy of students' personally identifiable information (PII) in education records and to give parents and eligible students certain rights, such as the right to access education records. FERPA applies directly to all educational agencies and institutions that receive federal funding.
- The Protection of Pupil Rights Amendment (PPRA).5 PPRA establishes parental engagement requirements for certain data collection from students (mostly in the form of surveys) and requires schools to give parents access to instructional materials upon request. PPRA applies directly to all educational agencies and institutions that receive federal funding.6
- The Children’s Online Privacy Protection Act (COPPA).7 COPPA establishes parental consent requirements before personal information can be collected online from children under 13. COPPA does not directly regulate schools; however, it establishes privacy safeguards in the education sector by directly regulating technology providers used by schools, such as educational technology companies.
Despite foundational federal privacy laws like these, many gaps remain in federal privacy protections for student data. For example, consider how the privacy safeguards associated with a student’s use of an educational app may vary depending on where and why it is used. FERPA protections apply when a student uses an educational app in the classroom or to complete homework assigned by their teacher. However, the moment a student uses the same educational app for other reasons (such as for fun or at their parents' request), FERPA no longer applies to protect the privacy of the information collected by this use. While COPPA may partially fill this gap in protection, COPPA applies only to information collected from children under 13, and COPPA allows certain protections for children under 13 to be waived with parental consent. As a result, gaps in sectoral federal protections can leave many students vulnerable to potential privacy violations without their parents even realizing it.
Additionally, there are ongoing concerns about whether existing federal student and child privacy laws effectively safeguard student privacy in the digital age. For example, FERPA’s student privacy protections are often criticized as being outdated. When FERPA was first enacted in 1974, no one anticipated the widespread use of edtech and its associated data collection in modern classrooms. And the rules and guidance that are regularly added to FERPA to account for emerging technologies have only made it more difficult for educators to navigate FERPA in practice.8
The Wave of State Student Privacy Laws
In light of such gaps and concerns surrounding existing federal student and child privacy protections, many states passed their own legislation. Over a thousand student privacy bills have been introduced over the past 10 years, and nearly 150 of these bills have been enacted in 47 states and Washington, DC. While FERPA serves as the baseline for protecting student privacy, states are continuously building on FERPA’s requirements to more comprehensively safeguard student data.
State student privacy legislation has covered a wide range of topics, such as regulating edtech vendors, setting additional requirements for different data collection and uses, and increasing district transparency. Overall, we have seen states pass legislation with vastly different levels of success, ranging from legislation that is well-designed with robust protections to others that have left open potential loopholes or threatened teachers and other actors with overly restrictive consequences.8
A Decade of Student Privacy Lessons
The potential consequences of enacting student privacy legislation that is not well-designed can be dire for students. For example, Louisiana's 2015 student privacy bill created punitive measures for educators and school officials who violated student privacy–even if they did so accidentally. Not only were the measures harsh, but the bill’s language was vague, making it hard to interpret which data sharing practices were permissible. This ambiguity created a chilling effect whereby school officials were apprehensive to share student data, even for legitimate purposes. As a result, schools were not able to share student information with the state scholarship fund. Thankfully, the law was at least partially rolled back the next year.9
Louisiana faced severe challenges during the pandemic when overly strict student privacy laws prevented the state from providing meals to students in need. Because its student privacy law did not allow sharing student data across data systems, the state was unable to identify which students received free or reduced-cost meals. As a result, many students who depended on these meals were left without support when schools shifted to virtual learning.10 This is another unfortunate but prime example of how poorly crafted legislation can unintentionally harm the very students it aims to protect.
To prevent unintended consequences, policymakers must carefully consider student privacy bills before passing them and continue refining these bills after they are in effect. It is also important to recognize the role that states have played in responding to emerging issues by creating crucial protections much faster than any federal regulations have done. States have the opportunity to continue leading these efforts to ensure that privacy protections are maintained in the face of evolving technology. By examining successful provisions from state legislation across the country, states can craft and improve their current legislation to better protect student privacy.