Pillars 1-3

    The Pillars of Well-Designed Student Privacy Legislation

    Well-designed student privacy laws have similar building blocks: they are well-thought out, clear, and intentional in their approach to addressing student privacy. When crafted with precision, legislation avoids ambiguity, misinterpretations, and mitigates unintended consequences, thereby ensuring robust protections and fostering a learning environment in which students can thrive without compromising their privacy and security. In this section, we provide insights into the foundational pillars of well-designed legislation and how state policymakers have incorporated these practices into effective state laws.

    1. Well-Designed Student Privacy Laws Are Designed to Address Specific, Defined Problems

    Identifying the actual problem at hand is a fundamental though easily overlooked step in tailoring successful student privacy legislation, as it ensures that protections are precisely targeted and effectively mitigate the specific issues. When student privacy bills first started being introduced, many state legislatures hastily passed reactionary laws in response to student privacy concerns without fully understanding or addressing the underlying issues. For example, in 2015 New Hampshire passed student privacy legislation that banned the recording of classroom lessons unless certain conditions (including holding a public hearing) were met.11

    While the law was crafted for the laudable purpose of protecting the privacy of teachers and students, policymakers had not considered that recording lessons can be part of a student’s individual education plan (IEP) and a requirement for multiple teacher certification programs. The result was significant confusion about what was and was not allowable until the law was clarified through an amendment passed in the following year. By passing a law with a broadly written, blanket prohibition, policymakers protected teachers and students from recordings for disruptive purposes, but at the expense of recordings for legitimate and necessary purposes.

    While there is often immense pressure to take immediate action following highly publicized incidents or in response to growing concerns about privacy and security, knee-jerk reactions have not created well-designed student privacy legislation. Rather, state policymakers can best mitigate potential unintended consequences and avoid re-legislating when they take the time to understand existing protections and identify genuine gaps, consider evidence-based solutions, and narrowly tailor legislative language from the outset to address those issues.

    Most of the bills introduced early in 2014 focused on protections for school- and state-collected student data, largely reiterating what was already required under FERPA. However, as the year progressed, there was a notable shift toward regulating service providers who receive student data when providing services for schools. This change was largely driven by the recognition that FERPA only indirectly regulated vendors and growing concerns over the risks posed by commercialization of student data. In late 2014, this growing awareness culminated in the enactment of California’s Student Online Personal Information Protection Act (SOPIPA), which swiftly began to serve as model legislation for other states. The year after SOPIPA was passed, 25 states introduced legislation that was modeled after the law. Now, more than half of all states have passed SOPIPA-inspired legislation to regulate vendors. However, as noted in Data Quality Campaign’s 2015 Student Data Privacy Legislation report, while these bills draw from SOPIPA, “many states made alterations to fit their own needs and to reflect an evolution in thinking through many of the most complex and nuanced aspects of the original law.”12

    Utah demonstrated the benefits of careful planning, taking a methodical approach rather than hastily reacting to pressure. When student privacy was a hot topic between 2014 and 2016, Utah dedicated over a year to craft legislation. The legislature passed a law tasking the State Board of Education with developing key recommendations to update existing privacy laws. The Board of Education, with help from outside experts, presented its report to the legislature, which included many of the key recommendations in the final legislation.13

    This collaboration and deliberation with the Board of Education contributed to Utah’s immense success in the implementation of its student privacy protections.

    By approaching student privacy carefully and with adequate information, policymakers can resolve specific student privacy challenges while avoiding unintended consequences that limit beneficial educational data sharing or impede the basic functions of schools.

    2. Well-Designed Student Privacy Laws Have Clearly Stated Goals and Intent

    Well-designed student privacy laws clearly state their goals and intent, thereby reducing the chance of ambiguity or misinterpretations of the legislative language. When policymakers’ objectives in passing legislation are unclear, it can create confusion and obstacles in effectively implementing student privacy protections. This may leave students vulnerable to risks and privacy violations or potentially subject to overly restrictive interpretations of the law. Clarity allows for consistent application of policies and procedures, promoting both fairness and equity among all parties involved. This approach also allows policymakers to highlight the benefits of using student data responsibly, reminding stakeholders that the overarching aim of education-related decisions is to enhance educational outcomes.

    Two states, Nebraska and Idaho, have exemplified how to explicitly state their goals and intentions in student privacy legislation. For example, Nebraska Revised Statute 79-2,104 includes the following language, which clearly shows policymakers’ desire to facilitate as much student data sharing as possible to advance education in Nebraska:  

    The Legislature finds and declares that the sharing of student data, records, and information among school districts, educational service units, learning communities, and the State Department of Education, to the fullest extent practicable and permitted by law, is vital to advancing education in this state. Whenever applicable law permits the sharing of such student data, records, and information, each school district, educational service unit, and learning community shall comply unless otherwise prohibited by law. The State Board of Education shall adopt and promulgate rules and regulations providing for and requiring the uniform sharing of student data, records, and information among school districts, educational service units, learning communities, and the department.

    Similarly, Senate Bill No. 1372 (which created Idaho Code Section 33-133) contains the following statement from Idaho policymakers acknowledging the great potential for student data to advance educational goals while conveying their intent to protect student privacy:

    It is the intent of the Legislature to help ensure that student information is safeguarded and that privacy is honored, respected and protected. The Legislature also acknowledges that student information is a vital resource for teachers and school staff in planning responsive education programs and services, scheduling students into appropriate classes and completing reports for educational agencies…The Legislature firmly believes that while student information is important for educational purposes, it is also critically important to ensure that student information is protected, safeguarded and kept private and used only by appropriate educational authorities and then, only to serve the best interests of the student. To that end, this act will help ensure that student information is protected and expectations of privacy are honored.

    3. Well-Designed Student Privacy Laws Are Crafted in Consultation with Stakeholders

    Thoughtful stakeholder engagement is essential throughout the entire life cycle of successful student privacy legislation. This includes the initial creation of the bill and ongoing engagement to assess implementation or necessary changes. Collaborating with a diverse range of stakeholders enables policymakers to gain a more comprehensive understanding of the issues, tailor legislative language to avoid unintended consequences, and evaluate enacted legislation’s impact. Well-designed student privacy legislation is created as a result of policymakers collaborating with the people directly impacted by such legislation––including not just educators and school administrators but also students, parents, technology personnel, and edtech vendors. These stakeholders can provide valuable insight and feedback on the potential consequences of proposed legislation and can inspire solutions to continue refining student privacy protections once they have been implemented. By incorporating their input, policymakers can craft legislation in a more equitable manner that takes an evidence-based approach to addressing student privacy challenges.

    Some states have formed councils made up of representatives from diverse stakeholder groups to ensure that informed perspectives across stakeholder groups are considered. For example, Maryland’s Student Data Privacy Council exemplifies how to incorporate a broad range of stakeholder voices. Created by HB 245,14the council must consist of a variety of members, including representatives from the following groups:

    • Maryland legislature;
    • State superintendent of schools;
    • Secretary of information technology;
    • Public School Superintendents’ Association of Maryland;
    • Maryland Association of Boards of Education;
    • Maryland State Education Association;
    • Maryland PTA.

    The council must also include the following representatives:

    • School data privacy officer;
    • School information technology officer;
    • Representative of a company, trade association, or group who has professional experience in the area of student data privacy or online educational technology services;
    • Member of the academic community studying K–12 student data privacy;
    • Advocate for student data privacy without a professional relationship to a provider of online educational technology services;
    • Attorney knowledgeable in the laws and regulations pertaining to local school systems;
    • School-based administrator from a Maryland public school;
    • Teacher from a Maryland public school.

    Utah Code Ann. 53E-9-302 established several advisory groups composed of diverse stakeholders. Utah also illustrates how to incorporate feedback from stakeholders throughout the life cycle of student privacy legislation. Utah Code Ann. 53E-9-302 established several advisory groups composed of diverse stakeholders. The policy advisory group is required to review and make recommendations on, among other things, “enacted or proposed legislation.” Another key component is the requirement that the student data users advisory group “provide[ ] feedback and suggestions on the practicality of actions” proposed by the other working groups. By creating advisory groups such as these, state policymakers can ensure that stakeholder feedback will inform the entire process of crafting student privacy legislation, from creation to revision.

    Regardless of the methods used to integrate stakeholder feedback, fostering open communication and collaboration is essential to the process of creating well-designed legislation, evaluating legislative impacts, and continuously fine-tuning student privacy protections.