State Student Privacy Policy
Introduction
The Family Educational Rights and Privacy Act of 1974 (FERPA) establishes baseline privacy protection for educational records. But lax enforcement, coupled with the growth of student data collection, has led many states to enact stronger safeguards. EPIC is a leader in the student privacy field and sued the Department of Education for weakening FERPA. EPIC recently proposed a Student Privacy Bill of Rights.
Exemplary Laws
California's Student Online Personal Information Protection Act ("SOPIPA")
Enacted in 2014, California's Student Online Personal Information Protection Act ("SOPIPA") is a comprehensive student privacy law. SOPIPA applies to K-12 websites and mobile applications. The law:
- prohibits K-12 mobile and online service operators from using student information to target advertisements to students;
- prohibits online service providers from creating K-12 student profiles for commercial purposes; and
- forbids companies from selling student information.
SOPIPA also prohibits companies from disclosing student information, unless the disclosure is: (1) for K-12 purposes; (2) for legal and regulatory compliance; (3) in response to a judicial process; (4) "to protect the safety of users or others or security of the site"; or (5) to the website's service provider. Under SOPIPA, K-12 mobile and online service operators must establish security measures and delete student information at the request of a school or district. The law permits K-12 mobile and online service operators to use de-identified student information to improve educational products. SOPIPA also allows students to "download, export, or otherwise save or maintain their own student created data or documents."
What's Missing from California's Law
SOPIPA is a landmark student privacy law. Other states may wish to build upon SOPIPA’s framework in several ways, including:
- extending protection to all students, including college and post-graduate students;
- adding strong enforcement mechanisms, including a private right of action against private companies that abuse student data;
- limiting the type of data that companies and schools collect (e.g., Social Security numbers, biometric information, social media information);
- publishing the types of information companies and schools collect, the purposes for which the information will be used, and the security practices in place;
- imposing data retention limitations that require companies to delete student data after the data is no longer needed;
- permitting students to delete certain student information;
- requiring data breach notification;
- permitting students to correct their information; and
- prohibiting schools from disclosing “directory information,” including student name and home address.
Georgia's Student Data Privacy, Accessibility, and Transparency Act
Georgia’s Student Data Privacy, Accessibility, and Transparency Act provides significant protections for college and post-graduate students (section 20-2-666). The act permits parents or students aged 18 and up to (1) inspect and review the student’s records, (2) obtain copies of that information, and (3) request corrections to incorrect information (section 20-2-667). Under the Act, the state must also develop plans to address security breaches (section 20-2-664).
New Hampshire Data Deletion
Neither Georgia nor California provides a right of deletion, that is, a requirement that the state delete student privacy information after a period of time. New Hampshire passed a new law in 2018 requiring education agencies to delete student records upon request after graduation or no later than a student’s 26th birthday.
Pending Legislation
The following table displays state student data privacy legislation with recent actions:
Resources
- EPIC: Student Privacy
- Student Privacy Bill of Rights
- Department of Education's Model Notification of Rights for Elementary and Secondary Students
- Department of Education's Model Notification of Rights under FERPA for Post-secondary Institutions
- Department of Education's Model Notification of Rights under FERPA for Directory Information
- Department of Education's Model Notice and Consent/Opt-Out for Specific Activities under PPRA
- Report to the Nation: State Implementation of the No Child Left Behind Act, Education Commission of the States.
- Improving the Effectiveness and Efficiency of FERPA Enforcement (Dept. of Education, Dec. 2018)
- Technical Assistance on Student Privacy for State and Local Educational Agencies When Administering College Admissions Examinations (Dept. of Education, May 2018)
- Best Practices for Data Destruction (Dept. of Education, Dec. 2016)
- Protecting Student Privacy While Using Online Educational Services: Model Terms of Service (Dept. of Education, Mar. 2016)