The Family Educational Rights and Privacy Act of 1974 (FERPA) establishes baseline privacy protection for educational records. But lax enforcement, coupled with the growth of student data collection, has led many states to enact stronger safeguards. EPIC is a leader in the student privacy field and sued the Department of Education for weakening FERPA. EPIC recently proposed a Student Privacy Bill of Rights.
Exemplary Law: California's Student Online Personal Information Protection Act ("SOPIPA")
Enacted in 2014, California's Student Online Personal Information Protection Act ("SOPIPA") is a comprehensive student privacy law. SOPIPA applies to K-12 websites and mobile applications. The law:
- prohibits K-12 mobile and online service operators from using student information to target advertisements to students;
- prohibits online service providers from creating K-12 student profiles for commercial purposes; and
- forbids companies from selling student information.
SOPIPA also prohibits companies from disclosing student information, unless the disclosure is: (1) for K-12 purposes; (2) for legal and regulatory compliance; (3) in response to a judicial process; (4) "to protect the safety of users or others or security of the site"; or (5) to the website's service provider. Under SOPIPA, K-12 mobile and online service operators must establish security measures and delete student information at the request of a school or district. The law permits K-12 mobile and online service operators to use de-identified student information to improve educational products. SOPIPA also allows students to "download, export, or otherwise save or maintain their own student created data or documents."
What's Missing from California's Law
SOPIPA is a landmark student privacy law. Other states may wish to build upon SOPIPA’s framework in several ways, including:
- extending protection to all students, including college and post-graduate students;
- establishing strong enforcement mechanisms, including a private right of action against private companies that abuse student data;
- limiting the type of data that companies and schools collect (e.g., Social Security numbers, biometric information, social media information);
- publishing the types of information companies and schools collect, the purposes for which the information will be used, and the security practices in place;
- imposing data retention limitations that require companies to delete student data after the data is no longer needed;
- permitting students to delete certain student information;
- requiring data breach notification;
- permitting students to correct their information; and
- prohibiting schools from disclosing “directory information,” including student name and home address.
State Student Data Privacy Legislation
According to the Data Quality Campaign, during the 2014 legislative session alone, 28 student data privacy bills had been signed into law in 20 states. Those bills generally fell into one of two categories: prohibitive (i.e. banning the collection of a certain type of data) or governance (establishing protections and procedures to ensure student data is used appropriately).
Pending Legislation in 2015
The following table displays state student data privacy legislation with recent actions:
- EPIC: Student Privacy
- Student Privacy Bill of Rights
- Department of Education's Model Notification of Rights for Elementary and Secondary Students.
- Department of Education's Model Notification of Rights under FERPA for Post-secondary Institutions.
- Department of Education's Model Notification of Rights under FERPA for Directory Information.
- Department of Education's Model Notice and Consent/Opt-Out for Specific Activities under PPRA.
- Report to the Nation: State Implementation of the No Child Left Behind Act, Education Commission of the States.