The Family Educational Rights and Privacy Act of 1974 (FERPA) establishes baseline privacy protection for educational records. But lax enforcement coupled with the growth of student data collection had led many states to enact stronger safeguards. EPIC is a leader in the student privacy field and sued the Department of Education for weakening FERPA. EPIC recently proposed a Student Privacy Bill of Rights.
California's Student Online Personal Information Protection Act ("SOPIPA")
Enacted in 2014, California's Student Online Personal Information Protection Act ("SOPIPA") is a comprehensive student privacy law. SOPIPA applies to K-12 websites and mobile applications. The law:
- prohibits K-12 mobile and online service operators from using student information to target advertisements to students;
- prohibits online service providers from creating K-12 student profiles for commercial purposes; and
- forbids companies from selling student information.
SOPIPA also prohibits companies from disclosing student information, unless the disclosure is: (1) for K-12 purposes; (2) for legal and regulatory compliance; (3) in response to a judicial process; (4) "to protect the safety of users or others or security of the site"; or (5) to the website's service provider. Under SOPIPA, K-12 mobile and online service operators must establish security measures and delete student information at the request of a school or district. The law permits K-12 mobile and online service operators to use de-identified student information to improve educational products. SOPIPA also allows students to "download, export, or otherwise save or maintain their own student created data or documents."
What's Missing from California's Law
SOPIPA is a landmark student privacy law. Other states may wish to build upon SOPIPA’s framework in several ways, including:
- extending protection to all students, including college and post-graduate students;
- strong enforcement mechanisms, including a private right of action against private companies that abuse student data;
- limiting the type of data that companies and schools collect (e.g., Social Security numbers, biometric information, social media information);
- publishing the types of information companies and schools collect, the purposes for which the information will be used, and the security practices in place;
- data retention limitations that require companies to delete student data after the data is no longer needed;
- permitting students to delete certain student information;
- data breach notification;
- permitting students to correct their information; and
- prohibiting schools from disclosing “directory information,” including student name and home address.
Georgia's Student Data Privacy, Accessibility, and Transparency Act
Georgia’s Student Data Privacy, Accessibility, and Transparency Act provides significant protections for college and post-graduate students (section 20-2-666). The act permits parents or students aged 18 and up to (1) inspect and review the student’s records, (2) obtain copies of that information, and (3) request corrections to incorrect information (section 20-2-667). Under the Act, the state must also develop plans to address security breaches (section 20-2-664).
New Hampshire Data Deletion
Neither Georgia nor California provide a right of deletion—a requirement that the state delete student privacy information after a period of time. New Hampshire passed a new law in 2018 requiring education agencies to delete student records upon request after graduation or no later than a student’s 26th birthday.
The following table displays state student data privacy legislation with recent actions:
- EPIC: Student Privacy
- Student Privacy Bill of Rights
- Department of Education's Model Notification of Rights for Elementary and Secondary Students.
- Department of Education's Model Notification of Rights under FERPA for Post-secondary Institutions.
- Department of Education's Model Notification of Rights under FERPA for Directory Information.
- Department of Education's Model Notice and Consent/Opt-Out for Specific Activities under PPRA.
- Report to the Nation: State Implementation of the No Child Left Behind Act, Education Commission of the States.
- Improving the Effectiveness and Efficiency of FERPA Enforcement (Dept. of Education, Dec. 2018)
- Technical Assistance on Student Privacy for State and Local Educational Agencies When Administering College Admissions Examinations (Dept. of Education, May 2018)
- Best Practices for Data Destruction (Dept. of Education, Dec. 2016)
- Protecting Student Privacy While Using Online Educational Services: Model Terms of Service (Dept. of Education, Mar. 2016)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.