States Strengthen Safeguards to Protect Student Data

• By Sri Ravipati
• 09/27/16

Student data privacy legislation has been a priority for lawmakers over the last three years. In 2016, most of the states that passed a student data privacy law had previously passed similar laws, indicating that states are building on prior efforts. So far this year, 36 states have introduced 112 bills addressing student data. Of those bills, 14 states passed 16 new student data privacy laws, according to a new analysis from the Data Quality Campaign (DQC).

The report, “Student Data Privacy Legislation: A Summary of 2016 State Legislation,” examines the approach states took in 2016 to safeguard students’ personal information. For the most part, legislation in 2016 has focused on third-party service providers and improving safeguards for how states and districts manage student data.

Bills introduced in 2016 focused on the same core issues as in 2015: governance, or the decision-making process of student data; transparency of data practices; and activities of third-party providers that can access student information.

According to the report, states have introduced bills that take the following actions:

• 52 bills (nearly half) governed the data of online service providers;
• 42 bills outline requirements for contracts between service providers and states or districts;
• 69 bills contained transparency provisions, usually giving parents more insight into the data that is collected; and
• 44 bills granted new responsibilities for safeguarding data to local education agencies.

While they focused on the same core issues, states considered new approaches this year. The report highlights two legislative strategies in particular: a prohibitive approach and a governance approach. A prohibitive approach involves halting the collection of certain types of data (like biometric data, for example) or a certain data use (such as predictive analytics). DQC found that 80 of the 112 bills that were introduced this year use this approach, which was close to the same number as 2015.

A governance approach, on the other hand, involves amending or establishing procedures, roles, responsibilities and supports to data is used properly. This year, 92 of 112 bills (or 82 percent) were introduced using a governance approach, seeing an increase over last year (67 percent).

Furthermore, the DQC found that the primary issue for privacy legislation concerned data that is shared between public education institutions and third-party service providers. California was the first state to pass legislation “that directly governs the activities of these service providers” with its 2014 Student Online Personal Information Protection Act (SOPIPA). Of the 52 bills that addressed governing data of online service providers, 36 bills contained provisions that modeled off of California’s SOPIPA, including a Colorado law that placed new, “far-reaching” restrictions on school service providers. The report highlights the Student Data Transparency and Security Act, stating that the law “may become a model for other states.”

The full report is available on the Data Quality Campaign site.