States continue to build on their efforts and introduce laws to protect student data privacy.
For the fourth straight year, state legislatures have passed bills to protect student data privacy, bringing the total number of laws on the books to 74.
Lawmakers in 15 states approved 19 bills this year, slightly down from a high of 28 in 2015. The majority of these bills govern online school providers, increase transparency in state and local student data management, and add data protection responsibilities to school districts, according to a September analysis from the Data Quality Campaign, a national nonprofit focused on the use of student data.
This legislative trend started with a single bill passed in Oklahoma, the Student Data Accessibility, Transparency and Accountability Act of 2013. House Bill 1989 required the State Board of Education to publish a data inventory and dictionary of the types of student data it collected, create policies that govern data sharing and design a data security plan, among other actions.
The next year, state governors signed 26 student data privacy bills into law, kicking off a three-year sustained effort to tackle the issue. In September 2014, California Gov. Jerry Brown signed the landmark Student Online Personal Information Protection Act (SOPIPA), which imposed the toughest regulations yet on online service providers that accessed student data. This bill prohibited them from using student information to create a profile of K-12 students, target advertising to them, sell their information or disclose it for reasons not covered by the law. It also required operators to establish reasonable security measures to protect the information and delete the data upon a school or district's request.
Since SOPIPA passed, states across the country have used it as a model to develop their own legislation over the last two years. This year alone, about seven state bills that governors signed into law incorporated some of its language and ideas. For example, California's Assembly Bill 2799 extended SOPIPA's provisions to govern preschool and pre-kindergarten data.
"Parents want to know that their kids are safe in whatever activity they're engaged in," said Paige Kowalski, executive vice president for the Data Quality Campaign. "Protection shouldn't kick in when you start kindergarten, nor should it end when you graduate high school."
Speaking of parents, Arizona and Utah passed bills this year that required local and regional education boards to receive written parental consent before they can administer personal surveys to students with non-academic questions about topics like mental health and medical history. Oklahoma law now calls for parental notice when student records are destroyed, and Connecticut requires local and regional education boards to notify parents electronically every time they sign a new contract with a company that will have access to student data.
Connecticut and Colorado both passed comprehensive legislation that states should pay attention to, privacy experts say.
"They're really fascinating models because you can tell that the legislators tried very hard to achieve this balance between privacy and allowing the use of data and technology," said Amelia Vance, director of education data and technology at the National Association of State Boards of Education.
Connecticut's bill requires local and regional boards of education to create contracts with any companies that they share data with and spells out what should be in them. It also includes provisions governing online service providers modeled on SOPIPA. But its notification provision could give parents a deluge of information that doesn't actually increase transparency of data use or parental rights, Vance said.
Colorado legislators also called for the Education Department and local education providers to post their data sharing agreements online along with a list of who has access to student data. It distinguishes between service providers that have contracts with a district and those that educators use individually without a contract.
In addition, the law orders education providers and service providers to share on their websites what student personally identifiable information they collect, how they use it and how it's shared. And the state department is required to create and update sample student information privacy and protection policies that schools need to adopt.
"On one hand, building up capacity is very important," Vance said. "Requiring that local and state agencies protect privacy is important. But without some sort of resources attached to a bill, it's very difficult if not impossible for state and local agencies to actually fulfill the privacy protections required."
Overall, with the exception of Vermont, every state and the District of Columbia has at least introduced student data privacy legislation. Three states — Arizona, Hawaii and Pennsylvania — passed their first law on the topic this year, according to the Data Quality Campaign's analysis.
But the actions won't make a difference if states and school districts don't train educators about how to protect student privacy. "I wouldn't want the security of their data to rest on assumptions that people will always use common sense," said Thomas Murray, director of innovation for Future Ready Schools at the Alliance for Excellent Education.
That's why it's important for training to happen consistently at the local level and to ensure teachers know where to find information about privacy policies and procedures, he said. Legislators explicitly included training in a number of states, including Colorado, Hawaii, Kansas, New Jersey, Rhode Island, West Virginia and Wyoming, Vance said.
Next year, policy watchers expect to see more laws that tackle student privacy across home and school, including school-issued laptops and social media accounts, Vance said. Nine states introduced legislation based on American Civil Liberties Union (ACLU) model language, but none of them have passed so far this year. The District of Columbia is still considering a bill with similar provisions, and the ACLU could introduce a revised version of its language next year.
"The biggest difference that I think is going to continue to have reverberations down the road is the new bills that focus on privacy beyond data," Vance said.