Lessons 3-5

    Lesson 3: More Transparency = More Trust

    Building parents’ support for quality data care and use is not possible without transparency about what data are collected. States and districts must clearly convey to families and the public what data are being collected and for what purpose, who gets to see them, and what happens to them once the student leaves the system.14 In the more than 300 bills addressing student data privacy to reach state legislatures in the past three years, very few require that schools, districts, and the state put forward understandable information for the general public.

    A few recently passed state laws have addressed transparency in three key ways: requiring that the SEA create a publicly available list of collected data, occasionally with a description of why it is collected; requiring the SEA or SBE to create and make available policies and procedures used by the state to comply with the Family Educational Rights and Privacy Act (FERPA) and other relevant federal privacy laws; and mandating that the state governor and legislature be notified about potential new data elements and any exceptions to the law granted within the past year.15

    Yet even documents created in the name of transparency generally are long, technical lists and descriptions of data elements that are difficult for privacy experts, let alone parents, to parse. “The easiest way to find information would be to Google so as to get the links to either the school or state info,” said Olga Garcia-Kaplan, a parent who blogs about student data privacy on FERPA|SHERPA. “Unfortunately, most school and board of education websites are difficult to navigate, and the information is either buried deep in a section or is just not there. Parents don’t have time to read through unreasonably long and complicated privacy policies to decipher whether their children’s information is being handled responsibly. Parents cannot and should not be privacy auditors, and data inventories and privacy policies should have a concise and easy-to-understand summary of the privacy policies and best practices used to safeguard student data and its use.”16


    Audrey Watters, an education journalist, suggested some ways to improve transparency in a 2014 article. Watters recommended that schools place transparency resources such as contracts, lists of tools, and terms-of-service agreements in an organized, accessible place on the school or district’s website. She emphasized the importance of using clear language, avoiding jargon when talking about data and privacy policies, and keeping the information up to date. Most important, she advised, this website ought to provide a way for parents to contact a school or district representative with questions or concerns.

    Some states have gone beyond what their state law requires to create a real regime of transparency. The Colorado Department of Education was one of the first states to release fact sheets for parents and other stakeholders on topics such as data use, what Colorado collects, and how those data are protected. The West Virginia State Board of Education held public forums around the state to answer community members’ questions on this topic.17 The Louisiana Department of Education released a thorough but understandable guide laying out Louisiana’s plan to protect student privacy. It included easy-to-understand charts, infographics, FAQs, and best practices. The Wisconsin Department of Education’s website is easy to read and navigate, and it also provides sections for districts, schools, and parents (see box 4).

    [BOX 4]

    Website Transparency

    Most states could improve (or create) websites and thus transparency on student data privacy. A survey of 50 states revealed the following:

    • 15 SEAs do not have webpages that address student data privacy.
    • 16 websites have information that parents can easily understand.
    • 8 have FAQs, 7 have information specifically for schools or districts.
    • 6 only have information on FERPA. 
    • 5 have information that would help with staff training.

    Source: Jordan Koch, Survey of SEA Websites on Student Data Privacy, Alexandria, VA, National Association of State Boards of Education, February 27–28, 2016.

    A recent task force report from the Aspen Institute describes what is necessary to build the trust necessary for learning, particularly around data-driven education. A key characteristic for a trusting environment is transparency that “enable[s] learners and other stakeholders to clearly understand who is participating,what the norms and protections are, what data is collected and how it is used.”18

    Lesson Learned

    States ought to go beyond what is required by most current laws so trust can be established between parents and schools on student data privacy. Because they are already frequently in charge of student privacy work in their state, SBEs can take a leading role in advocating for easy-to-understand information that helps parents and others learn how data are being used and protected. They can also act by example: Most have their own websites. Particularly for state boards that have authority over student data privacy, providing web links and information on student data privacy is key for transparency.

    Lesson 4: Early Adopters Can Shape the Second Generation of Laws, and Other States Should Learn from Them

    Most states that passed student data privacy laws in the past two years based their legislation on two models: the Student DATA Act in Oklahoma and the Student Online Personal Information Protection Act (SOPIPA) in California. These two laws were the first of their kind. Oklahoma’s law was written and passed in 2013, when student data privacy was major news for the first time. Its governance focused provisions regulate schools, districts, and the SEA. California’s law, by contrast, focuses on the operators of online educational services. Instead of restricting the school’s collection of information, SOPIPA and companion bill AB 1584 restrict what companies can do with the information they obtain through their contracts with schools.

    Oklahoma’s law limits the student data districts can give to the SEA, restricts access to student data, defines circumstances in which data can leave the state, and requires the SEA to develop a data security plan.19 The law charged the state board of education with creating data confidentiality standards for student personally identifiable information and prohibited sharing certain data—including Social Security numbers, religion, political party affiliation, or biometric information—with the state or federal government. Nine other states have passed laws based on Oklahoma’s.

    SOPIPA, passed in 2014, keeps companies from selling information they gain through their K-12 school soft ware or from using that information to target advertising to a California student or parent, either on the educational website or on another site, service, or application. The companies are also prohibited from using student information “to amass a profile about a K-12 student except in furtherance of K-12 school purposes.”20 The companies may use student information for adaptive learning or any other legitimate school purposes and may use deidentified student information to improve or demonstrate their services. The bill went into effect on January 1, 2016. Since then, 10 states have passed laws based on SOPIPA.

    The California companion bill, AB 1584, which was introduced and passed in 2014, governed schools’ ability to contract with outside vendors. This law requires that all such contracts include provisions specifying that pupil information continues to be the property of the school, guaranteeing that companies will ensure the security and confidentiality of the information, and describing how the school and the vendor will work together to ensure FERPA compliance. Any contract that fails to meet these provisions will be rendered void.

    Lesson Learned

    The early adopters provide a valuable model for other states. In this case, model legislation in Oklahoma and California was adopted in many states, and even bills not explicitly modeling those laws incorporated many elements from SOPIPA and the Student DATA Act. As the student data privacy discussion continues, SBEs should pay close attention to bills that raise new student privacy issues. For example, the ACLU’s model student data privacy omnibus of bills, at least one of which was introduced in nine states in 2016, raises the issue of student privacy on one-to-one devices. Proactive board members and other state policymakers will examine these types of bills to determine whether accidental harms could result and how to minimize them, and they will work to get well-vetted bills through the legislature.

    Lesson 5: First Adopters Should Look at Second-Generation Laws and Revisit Existing Legislation

    While the Student DATA Act and SOPIPA provided a starting point, many states continue to refine their legislation to address needs of their state’s particular educational and policy environment. Georgia, for example, adopted a bill in 2015 that drew on both Student DATA Act and SOPIPA. In addition, the law included provisions on training state, district, and school staff to protect data privacy, added training to the responsibilities of the state chief privacy officer, and included training as part of the state’s data security plan. The legislation also expanded and clarified provisions of the original Oklahoma and California laws. Georgia’s law has been hailed by many as a new best-practice model.

    Combining model laws from other states is just one way states can keep their laws up to date. Some have done this piecemeal. For example, Oklahoma has amended its original law through the legislature a few times since enacting the Student DATA Act. SOPIPA formally became law only in January 2016, and few of the laws based on SOPIPA have been fully implemented, so there has been little chance to improve the law. However, many organizations and companies have already expressed confusion about certain terms in SOPIPA, indicating that there is room for clarification.

    For example, SOPIPA banned “targeted advertising” but does not define it, and many districts and companies do not know what it means. This term would most likely apply to advertising for a baseball game that is delivered to a student because they had written an essay about baseball. But beyond those obvious examples, the term’s ramifications are uncertain. Many websites and online services—Amazon. com, Khan Academy, MOOC providers, Netflix, or the New York Times website— offer “recommendations” after a user reads an article, takes a class, watches a movie, or looks at a book. These recommendations can be useful: A person who enjoyed an online class on the mathematics of juggling might also enjoy a class on probability; a book recommendation could allow discovery of a new author. It is not clear whether the ban on targeted advertising encompasses these “recommendation engines.”

    Two 2016 bills that appeared likely to pass in Virginia and Utah take different approaches to fixing this issue. Virginia HB 749, awaiting the governor’s signature at this writing, amends its SOPIPA-style law to define “targeted advertising,” while Utah HB 358 specifically allows vendors to use “recommendation engines” and then defines that term. California and other states that have adopted laws similar to SOPIPA would do well to follow their example.


    One great example of a state taking the time to reexamine their laws to ensure the best balance between privacy and good data use is found in a 2015 law passed in Delaware. The Student Data Privacy Protection Act, SB 79, created a task force to study and report on what should be included in a new law that would regulate the data security and privacy responsibilities of the state’s SEA. To ensure that a wide range of views are represented, the task force includes representatives from the state board, the SEA, the attorney general’s office, the head of the state school board association and school officers association, the PTA, and two industry representatives.21 Similarly, Maryland has a pending bill that would establish a council to study and make recommendations regarding the development and implementation of the student privacy law they passed in 2015.22

    Lesson Learned

    Laws can and should be improved and enhanced. SBEs would be wise to use their influence and ability to make new rules to ensure that student privacy laws and regulations are updated so they adequately balance privacy and the use of data in education and so the schools, districts, and SEA personnel who implement them also understand their intent.