The 2015 legislative session was another big year for states as they sought to deal with student data privacy from a number of different angles.
This year, 46 states introduced 182 student data privacy bills — 72 more than last year's bill count. Of the bills that were introduced, 15 states passed 28 laws, about on par with last year's results.
Six of these bills were based on California's Student Online Personal Information Protection Act (SOPIPA), which Gov. Jerry Brown signed into law on Sept. 29, 2014. This law addresses operators of websites, online services or online and mobile applications. It specifically prohibits these operators from targeting advertising to students or parents, creating profiles of K-12 students based on protected data, and selling or disclosing information covered by the law. The law also requires website or service operators to implement security procedures and practices that protect information and delete it when requested.
Privacy advocates hailed SOPIPA as one of the strongest data privacy bills to come from last year's legislative sessions because of its focus on how online service providers treat student data. So it's not surprising that Arkansas, Delaware, Georgia, Maryland, New Hampshire and Oregon followed California's lead. They each put their own spin on the bills based on what their legislatures wanted to address.
Delaware, Georgia and Arkansas are long-time leaders in smart data use. The laws they passed this year establish governance structures and strengthen data protection.
"It's encouraging to see so many states take such a careful approach," said Rachel Anderson, a senior associate for policy and advocacy at the Data Quality Campaign who crunched the legislative numbers. Along with other states, Delaware created a privacy task force to recommend a governance framework for data privacy with SB 79. States that are creating these advisory groups recognize that they need to engage stakeholders, consult with experts and figure out how to move forward with this complex issue, Anderson said. Because these issues are so complicated, a lot of states are taking a few tries to pass legislation, including Minnesota, which considered a student data backpack bill this year. Georgia instructs the state school superintendent in SB 89 to designate a chief privacy officer who will be responsible for data privacy and security policy. A number of other states also either called for a chief privacy officer or assigned those responsibilities to someone else. "As great as the legislation that many states are implementing, just by nature of the way that technology develops, they're still going to keep seeing new questions," Anderson said. The Georgia Department of Education plans to develop model student data privacy policies for local school boards. The Georgia bill also is explicit about two things it does not do: 1. It does not prevent education boards or departments from recommending educational materials to students as long as they don't receive compensation for giving those recommendations. 2. It also doesn't prohibit website or service operators from marketing educational products to parents as long as they don't do so by using student data obtained without parental permission. Arkansas took a similar approach with its disclaimers. HB 1961 doesn't prevent operators from using recommendation engines to suggest additional content or services to students within the service they're using, as long as third parties don't influence those recommendations. The bills based on SOPIPA clearly spelled out that none of their provisions prevented operators from using student data for adaptive or personalized learning experiences. Virginia also passed a strong governance bill, HB 2350, which calls for a chief data security officer and model security plans for school divisions. Virginia and New Hampshire passed the greatest number of student data privacy bills this session with four apiece, while Maine and Utah each passed three. This legislative session, four bills were based on the Student User Privacy in Education Rights Act (SUPER), which has its roots in the Student Privacy Pledge that the education technology industry created. Companies that take the pledge commit to 12 provisions such as not selling student data, not building student profiles for their own purposes and disclosing how they use student data. Microsoft wrote the sample language, and then Maine, Nevada, Virginia and Washington adopted that language in one of their bills. Check out the map below to see which states passed bills related to student data privacy this legislative session.