For a third straight year, state legislators are hammering out student data privacy protection, this time with a deeper and broader focus.
After just one state passed a student data privacy law in 2013, states spent the next two years sprinting to get ahead of problems with student data privacy at the school district, state and online service provider levels. Overall, 33 states added laws to their books that dealt with student data privacy, said Rachel Anderson, senior associate for policy and advocacy at the Data Quality Campaign, a Washington, D.C.-based advocacy group.
This year, legislators slowed their pace to a jog while concentrating their efforts on other types of data collection, including social media, non-academic and school-provided device data, Anderson said. Legislators have introduced 69 student data privacy bills so far in 2016, down from a high of 138 the previous year.
"In one way, I think it's just a continuation of the conversation that we've seen in the last year," Anderson said.
That conversation includes what to do about third-party service providers that access student data. Twelve states introduced 20 bills this year that have adapted language from California's 2014 Student Online Personal Information Protection Act (SOPIPA) — widely hailed as one of the strongest student data privacy laws in the country. SOPIPA prohibits online service providers from selling or disclosing protected student information; creating student profiles based on the data; and targeting advertising to students based on the data they collect. It also requires online service providers to take appropriate security measures and honor school data deletion requests.
Two bills stood out in particular that trace their roots back to SOPIPA, Anderson said. Both of them are waiting for committee hearings.
In California, Rep. Ed Chau introduced AB 2799 this year to extend SOPIPA's protections to preschool and pre-kindergarten students. In New Jersey, Sen. Paul A. Sarlo wrote S 794, which includes privacy protections loosely based on SOPIPA. The New Jersey bill would also require the state's commissioner of education to issue guidance and provide technical assistance to schools as they try to prepare for security breaches that could compromise student data.
A third major bill tackles data governance in Utah and covers plenty of ground in other areas as well. H.B. 358 from Rep. Jacob L. Anderegg is waiting for Gov. Gary Herbert's signature.
This bill would require the Utah State Board of Education to oversee the creation of a statewide data governance plan and a state-level metadata dictionary. The board would also appoint a student data officer and create two advisory groups. At the regional level, local education agencies would hire student data managers to create data governance plans and metadata dictionaries for their service areas.
"It's encouraging to see states continue to think about data governance and how to make good decisions with data while also serving students," Anderson said.