Principles 10-12: Well-Designed Student Privacy – Public Interest Privacy Center

Pillars 10-12

10. Well-Designed Student Privacy Laws Have Transparency Requirements

Clear, transparent communication between schools and the communities they serve regarding the collection and use of student data is foundational to building and maintaining trust. As education institutions continue to hold vast amounts of sensitive data, it is essential to counteract any skepticism through transparency. When schools embrace transparency in their data-management practices, they cultivate a culture of trust and security. Involving students and parents in this process not only eases concerns but also empowers them. To this end, student privacy legislation should go beyond requiring schools to articulate their privacy policies and which protections for student data are in place. Schools should also be required to explain the purpose for student data collection, whom that data is shared with, and how the sharing relates to enhancing student outcomes. Legislation should also require schools to regularly share information with parents and students about their state (and federal) data privacy rights and whom they can contact with questions or concerns related to student privacy practices.

One method of promoting transparency involves mandating clear communication regarding data collection and usage. This can be achieved through the creation of databases cataloging the types of student data collected, the entities with which this data is shared, and the purposes for these actions. For example, student privacy laws in Oklahoma and Colorado call for the creation of such data inventories, including indexes or dictionaries of data elements (Ok. Stat. tit. 70 § 3-168; Colo. Rev. Stat. § 22-16-104). The resulting databases³⁵ are prime examples of how states can effectively provide the community with large amounts of information in a usable format.

Policymakers must ensure that any transparency requirements in student privacy legislation lead to meaningful community insight, rather than overwhelming information overload. States that have promoted transparency around student data practices, even when not legally required, serve as valuable examples. For example, West Virginia demonstrated the value in transparency by having state education board members attend public forums to inform the community of student privacy efforts and answer questions.³⁶ Louisiana's comprehensive, easy-to-understand Data Governance and Student Privacy Guidebook effectively communicated the Department of Education’s student privacy protection plan through charts, infographics, FAQs, and best practices.³⁷ Meaningful transparency can also be achieved by ensuring that state websites are easy to read and navigate with specific sections for both school employees and parents, such as Wisconsin’s Department of Public Instruction website.³⁸ These measures can be replicated in legislation by requiring a dedicated data privacy section on school or district websites (if the school has one) where information about data collection practices, data sharing, and privacy protections is readily accessible. Policymakers can consider these best practices and look to other states that have already set high standards for transparency in evaluating legislative efforts.

Another method of promoting transparency involves requiring that data governance policies and procedures (discussed above) be publicly accessible. For instance, New York mandates that education agencies publish details of their third-party agreements online (N.Y. Educ. Law § 2-d). Similarly, Colorado requires schools to provide a list of all entities that the schools "contract[ ] with or ha[ve] agreements with and that hold student personally identifiable information and a copy of each contract or agreement." While most states with comparable transparency mandates only require vendor contracts to be posted on school websites, Colorado takes an additional step by requiring disclosure of all involved entities, "including but not limited to vendors, individual researchers, research organizations, institutions of higher education, and government entities" (Colo. Rev. Stat. § 22-16-105).

Louisiana provides another example of promoting transparency, requiring both schools and the state Department of Education to make certain information about student information transfers available either on their website (for the Department) or at the school’s main office (La. Stat. Ann. 1§ 7:3913). For all student information transfers, the following information must be made available:

A profile of each authorized recipient of the information;
A copy of the signed agreement between the department and the authorized recipient;
A complete listing of all data elements authorized to be transferred;
A statement of the intended use of the information, including references to legal authority or legal requirements associated with the transfer of the information;
The name and contact information of the individual serving as the primary point of contact for inquiries about the agreement;
A process by which parents of students attending public schools may register a complaint related to the unauthorized transfer of personally identifiable student information (La. Stat. Ann. § 17:3913).

Emerging Best Practice

Student privacy laws can help promote meaningful transparency by requiring schools to use layered privacy notices and just-in-time notices. A layered privacy notice provides high-level information about data privacy practices in a brief initial notice and provides an option for users to easily locate additional information on different topics addressed in the notice if they are interested in learning more. Just-in-time notices provide relevant and focused information at the time that individual pieces of data are collected. This resource from the UK Information Commissioner’s Office provides more information on just-in-time notices.³⁹

11. Well-Designed Student Privacy Laws Have Accountability Mechanisms

It is imperative that state student privacy legislation incorporates accountability measures to ensure ethical, equitable, and intended outcomes. Through such mechanisms, policymakers can take a proactive approach that safeguards against potential discrimination, fostering a culture of transparency and continuous improvement within education privacy.

Well-designed student privacy legislation anticipates the need for adaptability to future technologies and evolving data usage patterns. By incorporating accountability mechanisms for periodic review and revision of legislation, policymakers can address any unintended consequences that may arise, ensuring that the laws remain relevant and effective.

For example, following the enactment of their primary student privacy law in 2015,⁴⁰ Maryland policymakers revisited the issue in 2019 with HB 245, which established the Student Data Privacy Council. The council was tasked with evaluating the impacts of the 2015 law and reviewing “similar laws and best practices in other states” and “developments in technologies as they may relate to student data privacy.” After discovering that each local district had a different interpretation of the SDPA, the Council recommended changes that expanded clarity in the law and developed compliance mechanisms.⁴¹ Maryland’s continued support of the Maryland Student Data Privacy Council exemplifies how ongoing dialogue with stakeholders facilitates adaptability. Such structures enable the collection of valuable feedback, which fosters an environment where revisions are informed by a broad range of perspectives, including those from marginalized communities. These mechanisms ensure that student privacy legislation remains robust and equitable, capable of responding to novel challenges and mitigating disparate impacts on vulnerable populations.

Providing the power to investigate data privacy practices helps bolster accountability and ensure that all data handling is compliant with the law. For example, New York delegates enforcement authority to the chief privacy officer who is empowered to “investigate, visit, examine and inspect the third-party contractor’s facilities and records and obtain documentation from, or require the testimony of, any party relating to” official complaints or allegations of improper education data disclosure (N.Y. Educ. Law § 2-d). This approach supports a proactive approach by providing an opportunity to monitor data handling practices and prevent potential issues from arising.

To further bolster accountability in student privacy protection, student privacy legislation should also include specific auditing and reporting requirements. Regular auditing for compliance helps ensure that schools are following through on their responsibilities to protect student data. Audits can also help identify potential issues that require further action or policy changes. For example, the Alabama state board of education passed a resolution requiring SEAs and LEAs to adopt certain data policies and practices. The resolution also required the SEA to periodically audit and monitor district policies and practices.⁴²

States should also mandate regular privacy reporting metrics at both the SEA and LEA levels, delineating clear guidelines on the frequency and content of these reports and the person or party responsible for reporting. For example, West Virginia requires the Department of Education to annually notify the Governor and legislature of any changes to student data collection practices, as well as the results of all privacy and security audits (W. Va. Code § §18-2-5h).⁴³ Additionally, Utah requires that LEAs annually submit their data governance plan, as well as their required notices, their metadata dictionary, and proof that they implemented a cybersecurity framework to the Board of Education (Utah Admin. Code r. 277-487-3). This level of transparency and reporting provides a clear understanding of how student privacy is being prioritized, allowing for prompt action to address any concerns.

As an additional accountability mechanism, well-designed student privacy legislation also includes incident response requirements. These requirements compel LEAs to establish comprehensive plans that articulate strategies for addressing and remedying data breaches and privacy incidents. Kentucky provides a wonderful example of a state that has taken careful and appropriate action to implement data breach requirements. Following the Kentucky Department of Education’s study on requirements for data security and a notification process when a data breach occurs, the state passed a new law governing incident response that requires districts to implement “reasonable security and breach investigation procedures and practices” in accordance with the Board of Education’s regulations (KY. Rev. Stat. Ann. § 61.932). Kentucky’s approach illustrates how incident response requirements serve not only to hold schools and their vendors accountable for protecting student privacy but also provide a clear roadmap for addressing incidents.

Emerging Best Practice

State policymakers should also build accountability mechanisms into student privacy legislation to address current and emerging privacy concerns related to emerging technologies. For example, incorporating accountability mechanisms for AI used in schools, such as bias auditing requirements, can help to identify AI models and uses that can inadvertently perpetrate or exacerbate systemic inequalities in education.

12. Well-Designed Privacy Laws Have Enforcement Mechanisms

By providing consequences for violating student privacy protections, state policymakers can help to deter student privacy violations while instilling confidence that violations will be remedied. Robust enforcement mechanisms not only make student privacy legislation more effective, but also demonstrate commitment to protecting students' personal information. However, it is important to acknowledge that enforcement remains an area where progress is still needed. Despite the presence of various enforcement mechanisms across legislation in different states for multiple years, our research has rarely found enforcement agencies proactively using the legislation to uphold student privacy protections.

One reason enforcement methods may rarely be used relates to the resource intensive nature of enforcement. Many districts and state agencies may lack the necessary financial and human resources to carry out enforcement actions. Audits, investigations, and other legal challenges require staff with specialized knowledge of privacy laws and data security, and training these individuals is costly and time-consuming. Another reason may be attributed to the severity of some penalties, as state agencies may hesitate to fully embrace mechanisms where the only available remedies are hefty fines or lengthy bans from working with a district. Furthermore, when state legislation is too vague or confusing, regulators may choose to pursue a violator under an alternative statute which is clearer and easier to enforce, such as COPPA.

Enforcement mechanisms in well-designed legislation include clear, transparent processes for how potential violations may be reported and for how reports will be addressed. These processes can involve a designated oversight body or committee responsible for investigating complaints and holding those who are found to have violated student privacy rights accountable for their actions. For example, New York provides the Chief Privacy Officer with investigative authority for contractors’ violations and provides a list of penalties that may be imposed depending on the severity of the breach (N.Y. Educ.Law § 2-d). The potential penalties include prohibiting the third party from accessing student data for a number of years and requiring the third party to implement training on student privacy protections.

These mechanisms of enforcement and consequences may differ for third-party vendor violations. For example, Montana’s student privacy legislation stipulates that operators are subject to fines of $200 to $500 (Mont. Code Ann. § 20-7-1325). Laws modeled after SOPIPA illustrate additional methods of enforcement, such as Vermont providing that a vendor who violates the law “commits an unfair and deceptive act in commerce” (Vt. Stat. Ann. tit. 9 § 2443f) and North Carolina stating that “A parent, K‑12 school, teacher, local board of education, or the State Board of Education may report an alleged violation of this section to the Attorney General…[who,] upon ascertaining that an operator has violated this section, may bring a civil action seeking injunctive and other equitable relief.” (N.C. Gen. Stat. § 115C‑401.2).

Colorado has a unique approach: schools that find evidence of an on-demand provider having failed to adhere to legal obligations or their privacy policy are “strongly encouraged to cease using or refuse to use” the provider’s services. Furthermore, a school must “maintain on its website a list of any school service on-demand providers that it ceases using or refuses to use” (Colo. Rev. Stat. § 22-16-107). This effectively creates a central list of vendors that have violated student privacy, allowing other schools to exercise caution before engaging with such vendors. Although the legislation has been in place since 2016, we have not seen Colorado exercise this enforcement measure despite the legislation’s clarity and ease (just a parental complaint can start the process) of enforcement requirements. Given the specificity of this provision and the apparent ease with which it can be used, Colorado’s lack of enforcement raises additional questions about why enforcement mechanisms in student privacy legislation are seldom used. Further research is needed to understand why these laws are not frequently enforced.

Not all enforcement mechanisms need to be punitive to be effective, as seen through the U.S. Department of Education’s approach to FERPA enforcement. At times it may be more beneficial to actively collaborate with the party who has violated student privacy rather than simply imposing fines without addressing the root cause of the issue. Student privacy bills that allow a cooperative approach to enforcement can lead to better long-term solutions to protect student data. For example, West Virginia stipulates that if the State Department of Education determines that an educational agency or institution, contractor, researcher, or other party did not comply with applicable regulations, the Department provides a notice to the violating parties that does the following:

Includes specific instructions that will enable the party to comply;
Offers specific training, coaching, resources, and other technical assistance to support compliance;
Provides a reasonable period of time, given all the circumstances of the situation, during which the party may work toward voluntary compliance;
Establishes interim dates for reporting and verifying progress toward voluntary compliance (W. Va. Code R. § 126-94-29).

Cooperative approaches to enforcement, such as West Virginia’s, not only encourage a positive working relationship between all parties involved, but also prioritize finding effective solutions for protecting student privacy. Such approaches ensure that violators are held accountable but also provide support to help ensure that student data will be protected in the future, which can lead to better long-term solutions for protecting student privacy.

While harsh penalties such as a private right of action against schools might seem like a strong deterrent against privacy violations, they can pose significant challenges in practice. Litigation can be immensely time-consuming and expensive, diverting critical resources and funds from education into legal defense or settlements. This not only impacts a school's financial health but can also detract from its primary mission of providing quality education. Additionally, imposing harsh consequences such as fines or even jail time on school personnel can prevent schools from functioning effectively and divert resources away from students. Therefore, fostering a culture of compliance through guidance, support, and corrective measures rather than punitive litigation may prove to be a more effective strategy in safeguarding student privacy.

Conclusion

States play a crucial role in protecting students’ privacy. Given the ever-changing landscape of technology and education, state policymakers must continuously refine and strengthen their privacy laws to safeguard student data both now and in the future. Policymakers must monitor emerging technologies, especially those that include AI, and consider how student privacy legislation can be revised to address novel uses of student data. For example, existing legislation may need to be amended to restrict the use of student data to train algorithms or to require algorithmic impact assessments when technologies that incorporate AI are used in schools. What constitutes ideal, well-designed legislation today may differ from that of the future, not because the standards for protection change, but because distinct issues related to emerging technologies will require unique legislative solutions as we learn more about evolving practices. As these issues are investigated further, policymakers should take note of these developments and how well-designed protections may address them.

Emerging Trend

Future well-designed student privacy bills might include requirements for vendors to conduct privacy and/or algorithmic impact assessments. These assessments typically evaluate the nature, scope, context, and purposes of processing personal data, as well as the risks and implications for individuals’ rights. Required by the General Data Protection Regulation (GDPR) in Europe,⁴⁵ impact assessments are increasingly becoming standard in US state consumer privacy and AI-regulating laws.⁴⁶ As general privacy legislation continues to require impact assessments, it is likely that they may become a common prerequisite for vendors handling student data.

Effective state student privacy legislation reflects common elements that prioritize the protection of sensitive information. Such privacy bills address specific problems, engage diverse stakeholders throughout the legislative life cycle, establish clear objectives, provide comprehensive definitions, and specify who is regulated. Moreover, well-designed bills provide necessary resources, designate responsible parties, and establish data governance requirements, transparency measures, and accountability mechanisms. These building blocks provide a solid foundation for robust student privacy legislation. By drawing on successful strategies used in states across the country over the past decade, policymakers can create or improve their state’s student privacy legislation, thus ensuring the security of students' information and promoting transparency, accountability, and trust in education for years to come.

Pillars 7-9

All Resources

Endnotes

^1.See State Student Privacy Laws, Student Privacy Compass, https://studentprivacycompass.org/state-laws/.

^2. Id.

^3. When we refer to “schools” in this publication, we are including Local Education Agencies (LEAs). While most legislation discussed refers to K-12, some legislation includes or is limited to higher education institutions.

^4. 20 U.S.C. § 1232g

^5. 20 U.S.C. § 1232h

^6. For more information on PPRA, see Arciniega, Kalpos, and Vance, Mitigating Risks in Student Surveys: A Comprehensive Overview of PPRA, Public Interest Privacy Center (June 2024), https://publicinterestprivacy.org/ppra-student-surveys.

^7. 15 U.S.C. §§ 6501-1606.

^8. For more insights on FERPA and the challenges of applying it in the digital age, see PIPC’s Fixing FERPA resource series: Fixing FERPA, Public Interest Privacy Center (June 2024), https://publicinterestprivacy.org/fixing-ferpa/

^9. See Amelia Vance and Casey Waughn, Student Privacy’s History of Unintended Consequences, 44 Seton Hall Legis. J. 515, 535 (2020).

^10. Kowalski, Lesson from the State of Louisiana — If Your Student Privacy Laws Are Making Kids Go Hungry, There’s a Problem, The 74 (Dec. 2020), https://www.the74million.org/article/kowalski-lesson-from-the-state-of-louisiana-if-your-student-privacy-laws-are-making-kids-go-hungry-theres-a-problem.

^11. Vance, Policymaking on Education Data Privacy: Lessons Learned, 2 Education Leaders Report 2, National Association of State Boards of Education (Apr. 2016), https://nasbe.nyc3.digitaloceanspaces.com/2020/01/Policymaking-on-Education-Data-Privacy_Lessons-Learned.pdf [hereinafter Vance, Lessons Learned].

^12. Student Data Privacy Legislation: What Happened in 2015, and What Is Next?, Data Quality Campaign (Sept. 2015), https://dataqualitycampaign.org/wp-content/uploads/2016/03/DQC-Student-Data-Laws-2015-Sept23.pdf

^13. Sanchez, A Case Study in K-12 Privacy Best Practices: Utah, Future of Privacy Forum (Sept. 2022), https://studentprivacycompass.org/resource/utah-case-study [hereinafter Utah Case Study]

^14.The council established by HB 245 was terminated in 2021, but was reestablished and was given an expanded purview by HB 325 in 2022, https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/SB0325?ys=2022RS&search=True

^15.Student Data Privacy Council, Student Data Privacy Council Report (HB 245), Maryland State Department of Education (Dec. 2020), https://msa.maryland.gov/megafile/msa/speccol/sc5300/sc5339/000113/025000/025037/20210181e.pdf [hereinafter Maryland Student Data Privacy Council Report]

^16.Data Privacy Guidebook: Privacy Guidelines and Practical Tips, California Education Technology Professionals Association (CETPA), the California County Superintendents Educational Services Association (CCSESA) and Fagen Friedman & Fulfrost (2015), https://cacountysupts.org/wp-content/uploads/2015/09/Data-Privacy-Guidebook.pdf.

^17.Stipulated Order for Permanent Injunction and Civil Penalty Judgment, United States of America v. Edmodo, LLC, Case No. 23-cv-2495 TSH (June 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/Edmodo-Dkt15%28Order%20Signed%20by%20the%20Court%29.pdf.

^18.For more information, see New York’s Regional Information Centers, https://www.boces.org/about-rics.

^19.Utah Case Study.

^20.Maryland Student Data Privacy Council Report.

^21.Department of Education’s Privacy Technical Assistance Center (PTAC), https://www.studentprivacy.ed.gov.

^22.Data Governance Program Handbook Version 5.0, Kansas State Department of Education (March 2014), https://www.ksde.org/Portals/0/Data%20Media%20Reports/KSDE%20Data%20Governance%20Program%20Ver%205.0.pdf.

^23.Data Management Council, Model Student Data Privacy and Security Policy, Idaho State Board of Education (Aug. 2014), https://boardofed.idaho.gov/resources/model-student-data-privacy-and-security-policy.

^24.Data Governance Manual, Raytown Quality Schools (2022), https://resources.finalsite.net/images/v1694613351/raytownschoolsorg/tzxparpvcrv1j2j2k31o/RQSDataGovernancePlan.pdf.

^25.Vance, Lessons Learned, at 11.

^26.See Kalpos, Sexton, Vance, & Waughn, Fixing FERPA: Enhancing EdTech Accountability, Public Interest Privacy Center (June 2024), https://publicinterestprivacy.org/edtech-data-sharing.

^27.Student Data Privacy Consortium, https://privacy.a4l.org/.

^28.Student Data Privacy Consortium

^29.National Data Privacy Agreement, Student Data Privacy Consortium, https://privacy.a4l.org/national-dpa.

^30.For more information on the benefits of student data, see the following resources from the Data Quality Campaign: People Need Access to Data, https://dataqualitycampaign.org/our-work/people-need-access-to-data; When Researchers Have Access to Data; Students Succeed, https://dataqualitycampaign.org/resource/researchers-access-data-students-succeed; You Need Data to Personalize Learning, https://dataqualitycampaign.org/resource/you-need-data-personalize-learning; How Data Empowers Parents, https://dataqualitycampaign.org/resource/data-empowers-parents; Mr. Maya’s Data-Rich Year, https://dataqualitycampaign.org/resource/mr-mayas-data-rich-year; Ms. Bullen’s Data-Rich Year, https://dataqualitycampaign.org/resource/infographic-ms-bullens-data-rich-year.

^31.Zeide, 19 Times Data Analysis Empowered Students and Schools: Which Students Succeed and Why?, Future of Privacy Forum (March 2016), https://fpf.org/wp-content/uploads/2016/03/Final_19Times-Data_Mar2016-1.pdf, at page 7.

^32.Seeskin, Nagaoka, & Duncan, Chicago Makes Data the Centerpiece of a Districtwide Improvement Strategy, Data Quality Campaign (Nov. 2018), https://dataqualitycampaign.org/chicago-makes-data-the-centerpiece-of-a-district-wide-improvement-strategy.

^33.Katelyn Lee and Susan Therriault, Harnessing the Potential of Statewide Longitudinal Data Systems to Support College and Career Readiness, American Institutes for Research (Nov. 2016), https://ccrscenter.org/sites/default/files/AskCCRS_SLDS.pdf, at page 6.

^34.Alexander & Chatis, SLDS Spotlight: Texas’s Education Research Centers, Institute of Education Sciences (May 2017), https://slds.ed.gov/services/PDCService.svc/GetPDCDocumentFile?fileId=26865; Eklund et al., Research Request Processes; Lessons Learned and Outcomes, SLDS Grant Program, Institute of Education Sciences (Nov. 2018), https://slds.ed.gov/#communities/pdc/documents/17610.

^35.Wave Requirements Version 1.12, Oklahoma State Department of Education (Last Updated March 2023), https://sde.ok.gov/wave-requirements#27%C2%A0Data%20Types%20are%20sent%20to%20the%20Wave; Data Elements, Colorado Department of Education, https://eddataportal.info/cde.

^36.Vance, West Virginia’s Steady Course on Student Data Privacy, National Association of State Boards of Education (Feb. 2016), https://nasbe.nyc3.digitaloceanspaces.com/2016/02/Vance_WV-final.pdf.

^37.Louisiana’s Data Governance & Student Privacy Guidebook, Louisiana Department of Education (May 2018), https://www.louisianabelieves.com/docs/default-source/data-management/student-privacy-planning-guide-(web).pdf?sfvrsn=19848c1f_18.

^38.Student Data Privacy Main Menu, Wisconsin Department of Public Instruction, https://dpi.wi.gov/wise/data-privacy.

^39.What methods can we use to provide privacy information?, Information Commissioner’s Office, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/what-methods-can-we-use-to-provide-privacy-information/#how2

^40.The Student Data Privacy Act of 2015 (established by HB 298) created Md. Code Ann., Educ. § 4-131.

^41.Maryland Student Data Privacy Council Report.

^42.Vance, Lessons Learned, at 5 (Alabama passed resolution on file with author).

^43.The Department of Education noted that “the threat and occurrence of data breaches has only increased” since the first study. Data Security and Breach Notification Best Practice Guide V2.2, Kentucky Department of Education (Sept. 2015), https://www.education.ky.gov/districts/tech/Documents/DataSecurityandBreachNotificationBestPracticeGuide.pdf

^44.GDPR art. 35

^45.For example, California, Virginia, Colorado, and Connecticut consumer privacy laws require data protection assessments. Colorado also recently passed SB 24-205, which requires developers of high-risk artificial intelligence systems to use reasonable care to avoid algorithmic discrimination. Additionally, a recent bill in Connecticut requires ongoing assessments of systems that employ AI and are in use by state agencies to ensure that the system will not result in unlawful discrimination or disparate impact (SB 1103).