Pillars 4-6

    4. Well-Designed Student Privacy Laws Have Definitions That Are Clear and Complete

    Policymakers must ensure that student privacy legislation is built on a solid foundation of clearly defined terms in order to avoid confusion and to ensure uniform compliance. Ambiguous or missing terms and definitions leave room for potential misinterpretation of student privacy requirements, which can inadvertently result in policies and practices that either do not adequately protect student privacy or are overly restrictive and unnecessarily limit beneficial data sharing. By providing explicit, unambiguous definitions for all significant terms within student privacy legislation, policymakers can promote shared understanding of student privacy  requirements and ultimately encourage greater adherence to privacy protections.

    This can be accomplished in multiple ways, such as referencing definitions in other laws, especially well-known federal laws such as FERPA. For example, Michigan Compiled Laws Sec. 380.1136(7)(h) states, “(h) ‘Personally identifiable information’ means that term as defined in 34 CFR 99.3,” referencing how the term is defined in FERPA regulations. Policymakers may also choose to directly incorporate definitional language from federal laws, making minor adjustments to reflect specific terminology or processes used in their state. For example, Idaho uses the following definition for “personally identifiable information,” which reflects how FERPA regulations define the term, but includes slight terminology changes (indicated in bold):

    (h)  "Personally identifiable data," "personally identifiable student data" or "personally identifiable information" includes, but is not limited to: the student’s name; the name of the student’s parent or other family members; the address of the student or student’s family; a personal identifier, such as the student’s social security number, student education unique identification number or biometric record; other indirect identifiers, such as the student’s date of birth, place of birth and mother’s maiden name; and other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty or information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates (Idaho Code 33-133)

    Policymakers may also opt to significantly modify established federal definitions, or they may choose to create entirely new definitions to better align with the bill's goals. For example, Utah has divided their definitions into “necessary student data” and “optional student data” to fit the intended scope, specifically listing twenty-six categories of student information included in the definition of “necessary student data”:

    (12) "Necessary student data" means data required by state statute or federal law to conduct the regular activities of an education entity, including:

    (a) name;

    (b) date of birth;

    (c) sex;

    (d) parent contact information;

    (e) custodial parent information;

    (f) contact information;

    (g) a student identification number;

    (h) local, state, and national assessment results or an exception from taking a local, state, or national assessment;

    (i) courses taken and completed, credits earned, and other transcript information;

    (j) course grades and grade point average;

    (k) grade level and expected graduation date or graduation cohort;

    (l) degree, diploma, credential attainment, and other school exit information;

    (m) attendance and mobility;

    (n) drop-out data;

    (o) immunization record or an exception from an immunization record;

    (p) race;

    (q) ethnicity;

    (r) tribal affiliation;

    (s) remediation efforts;

    (t) an exception from a vision screening required under Section 53G-9-404 or information collected from a vision screening described in Section 53G-9-404;

    (u) information related to the Utah Registry of Autism and Developmental Disabilities, described in Section 26B-7-115;

    (v) student injury information;

    (w) a disciplinary record created and maintained as described in Section 53E-9-306;

    (x) juvenile delinquency records;

    (y) English language learner status; and

    (z) child find and special education evaluation data related to initiation of an IEP.

    (13) (a) "Optional student data" means student data that is not:

    (i) necessary student data; or

    (ii) student data that an education entity may not collect under Section 53E-9-305.

    (b) "Optional student data" includes:

    (i) information that is:

    (A) related to an IEP or needed to provide special needs services; and

    (B) not necessary student data;

    (ii) biometric information; and

    (iii) information that is not necessary student data and that is required for a student to participate in a federal or other program. (Utah Code Ann. § 53E-9-301)

    Regardless of whether state policymakers choose to use existing definitions or to create their own, the definitions used in well-designed student privacy legislation must be thoughtfully crafted to accurately encompass the intended scope and goals of the bill at hand.

    Additionally, policymakers should regularly review and update the definitions in their student privacy laws when necessary, as new applications of the law and use cases may create new interpretations of these terms or alter the scope of student privacy legislation in the future. For example, the Maryland State Department of Education’s 2020 Student Data Privacy Council Report contains an appendix (pages 25–27) illustrating proposed definitional changes to update the terms “Covered Information,” “Operator,” “Persistent Unique Identifier,” and “Targeted Advertising” according to “Council discussions and workgroup members’ expertise and knowledge of other state laws.”15 Many of these recommended changes were enacted in 2022 by SB 325.

    5. Well-Designed Student Privacy Laws Identify Who Must Comply

    Entities subject to student privacy legislation may include schools, districts, third-party vendors, researchers, other organizations that collect, access, or use student data, or any combination of these groups. Policymakers must clearly identify who is regulated by student privacy legislation to ensure that all relevant parties are aware of their rights and responsibilities to safeguard student data. Specifically, legislation should spell out the responsibilities of Local Education Agencies (LEAs), State Education Agencies (SEAs), and the agencies operating State Data Systems or State Longitudinal Data Systems (SLDS) agencies (if they operate independently from SEAs).

    When multiple parties are regulated under the same student privacy bill, it is crucial for policymakers to clearly delineate which requirements apply to each regulated party. This helps to prevent not only confusion among regulated parties, but also inconsistent application of student privacy protections in practice. For example, Colorado’s Student Data Transparency and Security Act includes separate sections outlining specific requirements for schools, the state board of education, and school service contract providers. It also requires specific privacy protections be included in written agreements  for conducting research on behalf of the state Department of Education using student personally identifiable information. (Colo. Rev. Stat. §§ 22-16-104-110)

    It is especially important that vendor responsibilities be unambiguous. California’s SOPIPA illustrates how state laws can create comprehensive requirements for vendors that supplement the responsibilities of educational agencies or institutions, specifically establishing that:

    • “Operators cannot target advertising on their website or any other website using information acquired from students.
    • Operators cannot create a profile for a student, except for school purposes.
    • Operators cannot sell a student’s information.
    • Operators cannot disclose student information, unless for legal, regulatory, judicial, safety, or operational improvement reasons.
    • Operators must protect student information through reasonable security procedures and practices.
    • Operators must delete school- or district-controlled student information when requested by schools or districts.
    • Operators must disclose student information: when required by law; for legitimate research purposes; or for school purposes to educational agencies.”16

    Specifying vendor responsibilities prevents edtech vendors from shifting their data management responsibilities back to educational institutions––a common practice that the Federal Trade Commission (FTC) recently clarified is impermissible (see the FTC's settlement order with Edmodo for more information). This is essential in the event of data breaches. For example, Minnesota specifies that third parties handling student data on behalf of schools are required to comply with the state’s general data breach law and must report any breaches to the school (Minn. Stat. § 13.32).

    It is also important for student privacy legislation to specify whether the law applies to higher education institutions (HEIs) and entities handling their data, as they often have different considerations for student privacy compared to K–12 schools. Well-designed student privacy legislation explicitly states when certain provisions apply to HEIs and their vendors, such as Kentucky’s requirement that HEIs and their vendors have data breach procedures (KY. Rev. Stat. Ann. § 61.932) and Maryland’s requirement for HEIs to enact privacy and security programs on their systems of record (HB 1122).

    6. Well-Designed Student Privacy Laws Designate Responsible Parties

    Well-crafted state student privacy legislation clearly outlines the responsibilities of all relevant parties. Such clarity in roles ensures enhanced accountability and transparency, leading to more efficient processes and effective use of resources while avoiding overlapping efforts. Specifically, each agency and institution should be required to identify the parties responsible for fulfilling the requirements under student privacy legislation (hereafter referred to as “privacy leaders”). Privacy leaders must be responsible for implementation, interpretation, and accountability.

    Appointed privacy leaders promote visibility and accountability for not only adhering to the state’s privacy protections, but also for developing a culture of privacy within the education agency or institution. Several states, including Utah (Utah Code Ann. § 53E-9-301), New York (N.Y. Educ. Law § 2-D), and Virginia (Va. Code Ann. § 22.1-20.2), require the appointment of a chief privacy officer at the state education agency. Mandated appointment of privacy leaders signals the importance of student privacy and responsible data practices for each agency and institution while also ensuring that education agencies and institutions have a resource to obtain guidance that is aligned with the broader mission of the state.

    Another approach relies on data privacy and security experts to interpret legislative requirements and address questions. These privacy leaders have the expertise to determine answers to stakeholder concerns and provide essential guidance and resources to comply with the law. For example, many of New York’s educational service agencies have regional experts who focus on data privacy and security.18 These experts field questions and concerns from school districts, advise stakeholders, and act as strategic leaders on their behalf, educating stakeholders on issues they do not normally think about simply because they lack the expertise.

    Privacy leaders do not need to be individually appointed officers, but may be an education data oversight and governance board tasked with ensuring that responsible state actors at each participating state agency and institution assist, collaborate, and ensure consistency in data privacy and security practices. This approach may be especially useful in smaller districts that do not have the capacity to hire a chief privacy officer; rather, they might have a group that meets regularly to discuss privacy strategy.

    It is equally important to have responsible parties that operate more locally, focusing on a specific subset of educational institutions. While a chief privacy officer is in the best position to oversee student privacy overall and states should strive to have a chief privacy officer at each tier, such a position may not be realistic at a more local level. For example, Alaska requires districts to explicitly “assign to one employee the duty to protect the confidentiality of any personally identifiable information” (Alaska Admin. Code tit. 4 § 52.765). These smaller, more focused bodies can look at specific issues, allowing for a deeper understanding of the nuances surrounding student data privacy. Overall, responsible parties designated by well-crafted student privacy bills provide necessary oversight and guidance to ensure that student privacy is prioritized throughout educational institutions at all levels.