On January 1, 2016, “ SOPIPA”—the recently passed California student data privacy law that defines how edtech companies can use student data became effective. About 25 other states have passed similar laws that are already in effect, or will become effective. At the same time, more than 200 school service providers have now signed the Student Privacy Pledge, a legally enforceable commitment which has language closely aligned with these laws.
With the beginning of a new year and the expectation of another busy legislative cycle for privacy laws at both state and federal levels, it’s a good time for parents, school administrators and school service providers to take inventory on which companies and services are covered by these standards and understand what they actually require.
Student Privacy Protection Act (H.R. 3157)
This bill would update and amend FERPA, and was introduced by Rep. Todd Rokita (R-IN) with important co-sponsorship from Reps. John Kline (R-MN) and Robert “Bobby” Scott (D-VA), the chairman and ranking minority member, respectively, of the House education committee. Rep. Marcia Fudge (D-OH) is also an original co-sponsor. Much of this bill mirrors current FERPA language, or is conceptually similar but updated to reflect current recordkeeping practices, but it also contains new requirements and restrictions in several key areas. Specifically, it imposes additional requirements for sharing student data with third party vendors performing school services and entities that perform college testing and financial aid analyses, including requiring education agencies/institutions to ensure such vendors have appropriate information security practices, requiring them to enter into written agreements with the vendors and mandating that such agreements are made available to parents. Additional key proposed changes from current law include: an express prohibition on the use of student information initially obtained to provide schools services for marketing or direct advertising to those students (with certain exceptions); a mandate to designate the school official responsible for education records security and establish a data breach notification policy; and a requirement that each State educational authority verify that institutions and local educational agencies under its jurisdiction have complied with the notice and procedural requirements of FERPA and certify to the U.S. Department of Education (the “Department”) that such institutions and agencies are in compliance.
So far this year, we’ve seen 94 student data privacy bills in 31 states (see our further analysis here). With 34 state legislatures still in session, we anticipate that several more bills will be signed into law in the coming months. While the stream of state legislation has certainly slowed compared to 2014 and 2015, we’re encouraged to see states building on their previous efforts—and those of their peers—to be thoughtful about protecting student privacy while still allowing for the use of data to support student learning.