Federal data security and privacy laws like FERPA, COPPA, CIPA, PPRA, and others provide a layer of protection for students and minors. But most people agree that these regulations are outdated and don’t go far enough to protect student data privacy and security in schools.
Given the reports of ransomware, cyber attacks, and EdTech security risks exposing student data, most states are no longer wondering why student data privacy laws are important. Instead of waiting for Congress to take action, state student data privacy laws are protecting student identities and taxpayer funds. As of 2019, 40 states had passed 116 laws since 2013 regarding data privacy and data loss prevention regulations in K-12 schools.
The Student Privacy Compass website, formerly known as FERPA Sherpa, is an excellent resource for finding student data privacy information. The site publishes a report called the State Student Privacy Report Card authored by the Parent Coalition for Student Privacy and The Network for Public Education.
The Student Privacy Compass website also provides detailed information concerning state student data privacy laws on a per-state basis.
This is not a comprehensive list of all states that have passed their own student data privacy and security regulations. But, we believe, these are four states that are leading the way in terms of state student data privacy laws.
Texas passed Senate Bill 820 in 2019. It is a sweeping piece of legislation that describes a structure school districts must develop to ensure cyber safety and student data privacy. To maintain compliance, school districts must develop and maintain a cybersecurity framework that will:
In January 2020, the New York State Education Department adopted regulations to implement the New York State Education Law Section 2-d. The regulations guide schools and their third-party contractors to strengthen data privacy and security to protect student data.
These regulations cover a variety of topics including:
In 2015, the state of Virginia passed HB 2350. This bill requires that the Department of Education work with the Virginia Information Technologies Agency to develop a model data security plan. The plan would be used by school districts to implement policies and procedures to protect student data and data systems.
The Department of Education was also tasked with designating a chief data security officer to work with local school divisions as they developed and implemented policies to protect student and district data.
No article on state student data privacy laws would be complete without a discussion of laws in the state of California. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), also known as SB 1177. It was widely considered to be the first in the nation for states enacting contemporary student privacy regulations. California lawmakers’ concern over student data privacy has prompted them to pass six related bills between 2014 and 2018.
The SOPIPA law focuses on student data privacy and 3rd party apps. It governs the way in which online service providers and apps can collect and use student data. Service providers:
The issue of cyber safety and student data privacy is always an important one for K-12 school districts. Today, the issue is made more complex when you consider ensuring student data privacy in remote learning.
There is no student data privacy without data security. One area of privacy and security that is a great concern for school technology staff is the district’s use of 3rd party applications. While schools are using more and more EdTech and cloud apps to innovate learning, OAuth EdTech security risks expose data in a number of ways.
Some states, as mentioned above, have passed laws requiring schools to vet 3rd party apps and vendors for security and data privacy compliance. Other school IT teams are taking that responsibility on whether or not they’re required to.
Here, you can download our EdTech Vendor Security & Compliance Evaluation Checklist to help you evaluate third-party apps and other types of EdTech your teachers or students request. The checklist also provides standards that you can use in your evaluation along with your own requirements.