State Student Privacy Laws

Over the past 10 years, nearly 150 new state student privacy laws passed in 40+ states.

As schools increasingly rely on digital technologies—from learning management systems to collaborative tools that connect students globally—the collection and use of student data has expanded dramatically. While these technologies can transform education for the better, they also create new privacy risks that can put sensitive student information at risk.

In response to these privacy concerns, state policymakers have taken action at an unprecedented scale: since 2014, over a thousand student privacy bills have been introduced in all 50 states, and state policymakers have passed nearly 150 student privacy laws in 47 states and Washington, DC. This legislative activity represents both tremendous progress and significant challenges—while many states have created robust protections, others have encountered unintended consequences that can actually harm the students these laws were designed to protect.

This webpage is a guide to understanding the complex landscape of state student privacy laws. Whether you're a policymaker, educator, parent, vendor, or privacy advocate, the resources below will help you understand the state student privacy legal landscape. The map and detailed law database provides information on current codified state protections, while our featured publications and curated resources offer deeper insights into navigating existing laws, understanding student, parent, and school rights, and applying best practices.

2025-04-19 v2 State Student Privacy Laws Map

Regulating Education Technology Vendors and Other Third-Parties

A significant portion of state student privacy legislation focuses specifically on regulating the companies that collect and use student data—the education technology vendors, service providers, and other third parties that schools increasingly rely upon. California's Student Online Personal Information Protection Act (SOPIPA) prevents online service providers from using student data for commercial purposes, while allowing specific beneficial uses such as personalized learning. This law has become a model for the regulation of edtech vendors' use of student data. More than 20 states have since adopted similar laws. These vendor-focused laws typically prohibit companies from using student data for non-educational purposes such as building advertising profiles, require written agreements between schools and vendors, mandate data security protections, and establish clear penalties for violations.

The map below shows which states have enacted comprehensive vendor regulation laws, demonstrating the widespread adoption of this legislative approach to protecting student privacy.

2025-04-19 v2 Laws Modeled on SOPIPA Map

Resources by PIPC Staff

The Policymaker's Guide to Student Data Privacy

A short guide providing an overview of the student privacy landscape.

Student Privacy’s History of Unintended Consequences

This law review article examines the passage of the 1974 federal student privacy law, FERPA, and the 100+ student privacy laws passed in states forty years after FERPA’s passage. By analyzing the lessons from FERPA’s first amendment and changes in recent student privacy laws, the article proposes strategies to avoid certain unintended consequences in privacy legislation.

The Pillars of Well-Designed Student Privacy Legislation

In this report, we highlight these common pillars for state-level policymakers who are building their state student privacy protections from the ground up or reviewing their current guardrails to make them better.