The Patchwork of State Student Privacy Laws

An Interview with the Center for Democracy & Technology's Michelle De Mooy

• By David Raths
• 10/13/16

To help school administrators, families, technology companies and state legislators sort through the patchwork quilt of state legislation on student privacy, the Center for Democracy & Technology (CDT), an advocacy group, has developed a state-by-state survey of student privacy laws in partnership with the law firm BakerHostetler.

THE Journal recently spoke with Michelle De Mooy, the acting director of CDT's Privacy & Data Project, about the survey's findings. In its review on student privacy legislation in all 50 states and the District of Columbia, CDT found that California is the model in terms of comprehensiveness, with clear requirements about data retention limits and data security programs. "California's Student Online Personal Information Protection Act is definitely a model for updated student privacy protection, we think," said De Mooy.

CDT's study looked at how state laws define education records and use limitations regarding sharing student data with third parties such as advertisers.
It found that states use different definitions of what types of personally identifiable information can be collected or stored, De Mooy said, and a wide variety of regulations determining the roles of the school administrators and other third parties in terms of access to student data and what they are allowed to do with it.

For instance, in the case of a state such as Alabama, there is no definition for what educational records are. "We think that is part of the problem," De Mooy said. "State legislators are trying to address the concerns that parents and administrators have, but when you don't have common definitions, that creates an interoperability problem in terms of the laws."

Although a federal Student Digital Privacy and Parental Rights Act was introduced in the U.S. Congress in 2015, it did not become law. In the absence of a comprehensive federal student privacy law, CDT is seeking to clarify how widespread the variations are in state law.

"When we were putting together our advocacy strategy around student privacy, we realized that privacy legislation is passing in the states, but that there was no resource to look at how states are interpreting different governance frameworks and the Department of Education's role, so we decided to create one," De Mooy said. She added that student privacy regulation is actually one area where CDT and educational technology vendors are on the same page, "because when the laws are confusing, it is hard for them to be compliant."

The survey found that state laws vary on how charter schools can store and report data. "A lot of charter schools are interested in using technology in the curriculum or in the administration, and that is not a bad thing. It is just a matter of making sure that these standards for privacy and security are very high," De Mooy said.

In most states, it was not clear if there was any complaint process for concerned parents or students. "There is some transparency in educational technology, De Mooy noted, "but how people can look at information and correct it, amend it or ask questions about it is almost never clear and sometimes relies almost solely on commercial entities' terms of service. That is an important issue."

The survey found that state laws requiring school districts to have chief privacy officers were not widespread yet.

De Mooy said that a few educational technology vendors have run into problems when students and parents weren't aware of how the data was being used. "Using the data for marketing is always at the top of the list of things they don't want it to be used for."