Privacy Bills by State Chart

State	Bill	Description
Arizona	HB 2088 (2016)	Survey notification, consent & transparency
	SB 1314 (2017)	SOPIPA (Student Online Personal Information Protection Act); opt-out of technology
Arkansas	HB 1241 (2015)	Restricts disclosure of student data to the US Department of Education; (PARCC delay, but not included in this analysis)
	HB 1961  (2015)	SOPIPA (Student Online Personal Information Protection Act)
	HB 1793  (2017)	Creates a panel to study statewide longitudinal data systems (SLDS); establishes Chief Privacy Officer (CPO) & Chief Data Officer (CDO)
California	AB 1584 (2014)	Contract requirements for cloud-based data storage services
	SB 1177 (2014)	SOPIPA (Student Online Personal Information Protection Act)
	SB 2799 (2016)	SOPIPA (Student Online Personal Information Protection Act) – preschool & prekindergarten
	AB 2097 (2016)	Prohibits collection of Social Security numbers
Colorado	HB 1294 (2014)	Student Data Accessibility, Transparency & Accountability Act
	HB 1423 (2016)	SOPIPA (Student Online Personal Information Protection Act); contract & on-demand provider requirements
Connecticut	SB 949 (2015)	Development of a statewide longitudinal data system (SLDS); state agency data security & breach in written agreements
	HB 5469 (2016)	SOPIPA (Student Online Personal Information Protection Act); contractor & operator requirements
	HB 7207 (2017)	Delay implementation of CT SOPIPA (Student Online Personal Information Protection Act)
	HB 5444 (2018)	Weakens transparency and data deletion of CT SOPIPA (Student Online Personal Information Protection Act)
Delaware	SB 79 (2015)	SOPIPA (Student Online Personal Information Protection Act)
District of Columbia	B21-0578 (2016)	SOPIPA (Student Online Personal Information Protection Act); (1-to-1 devices, but not included in this analysis)
Florida	SB 188 / HB 195 (2014)	Restricts collection of sensitive information; makes disclosure of Social Security numbers voluntary
Georgia	SB 89 (2015)	SOPIPA (Student Online Personal Information Protection Act); Student Data Accessibility, Transparency & Accountability Act
Hawaii	SB 2607 (2016)	SOPIPA (Student Online Personal Information Protection Act)
Idaho	SB 1372 (2014)	Student Data Accessibility, Transparency & Accountability Act
Illinois	105ILCS 10/2	Disclosure of student records: permanent vs. temporary
	HB 3527 (2016)	School social media privacy protections
	SB 1796 (2017)	SOPIPA (Student Online Personal Information Protection Act)
Indiana	HB 1003 (2014)	Statewide longitudinal data systems (SLDS) data accessibility, restrictions, & oversight
Iowa	HF 2354 (2018)	SOPIPA (Student Online Personal Information Protection Act)
Kansas	SB 367 (2014)	General student privacy act
	HB 2008 (2016)	SOPIPA (Student Online Personal Information Protection Act)
Kentucky	HB 232 (2014)	Cloud-computing services requirements
Louisiana	HB 1076 (2014)   (originally HB 946)	Collection & disclosure of personally identifiable information; contract service
	HB 1283 (2014)	Written agreement transparency & requirements
	HB 718 (2015)	Prohibits predictive modeling by contractors
	SB 270 (2016)	Requires data sharing for enrollment verification
Maine	LD 59 (2014)	Adds privacy protections to some private schools
	LD 454/SP 183 (2015)	SOPIPA (Student Online Personal Information Protection Act)
	LD 1276 (2015)	Restricts sensitive data collection & dissemination via state assessments
	LD 678 (2017)	Student Social Security numbers; collection and deletion
	LD 1616 (2017)	Adds permitted disclosures to ME SOPIPA (Student Online Personal Information Protection Act)
Maryland	HB 298 (2015)	SOPIPA (Student Online Personal Information Protection Act)
	SB 1165 (2017)	Extends the amount of time education and workforce data are linked in the statewide longitudinal data system (SLDS)
	HB 568 (2018)	Limits access to student data in the statewide longitudinal data system (SLDS); requires development of security plan
Michigan	SB 33 (2016)	Student data transparency; limits selling student data; gives opt out to certain directory information disclosures
	SB 510 (2016)	SOPIPA (Student Online Personal Information Protection Act)
Missouri	HB 1490 (2014)	Student Data Accessibility, Transparency & Accountability Act
Nebraska	LB 512 (2017)	SOPIPA (Student Online Personal Information Protection Act)
Nevada	AB 221 (2015)	Transparency, Security; & Contracted Services
	SB 463 (2015)	SOPIPA (Student Online Personal Information Protection Act)
New Hampshire	HB 1587 (2014)	Restricts collection of student data for the statewide longitudinal data system (SLDS), & disclosure of student data
	HB 206 (2015)	AN ACT establishing a committee to study non-academic surveys or questionnaires administered by a public school to its students and relative to non-academic surveys or questionnaires given to students
	HB 322 (2015)	Requires development (but not implementation) of security plan
	HB 507 (2015)	Protection of teacher personally identifiable information; & classroom video recording
	HB 520 (2015)	SOPIPA (Student Online Personal Information Protection Act)
	HB 301 (2016)	Establishes a committee to study statewide longitudinal data systems (SLDS)
	HB 1497 (2016)	Exception for college entrance exams (ACT/SAT)
	HB 1372 (2016)	Allows video & audio recording of students
	HB 275 (2017)	Prohibits inclusion of statewide exam results in transcripts without consent
	SB 43 (2017)	Non-academic surveys & questionnaires
	HB 1551 (2018)	Retention & deletion of Individualized Education Program (IEP) data
	HB 1612 (2018)	Strengthens NH SOPIPA (Student Online Personal Information Protection Act); adds security, & digital badges
New York	AB 8556 (2014)	Strengthens NH SOPIPA (Student Online Personal Information Protection Act); adds security, & digital badges
North Carolina	SB 815 ( 2014)	Student Data Accessibility, Transparency & Accountability Act
	HB 632 (2016)	SOPIPA (Student Online Personal Information Protection Act)
North Dakota	SB 2326 (2015)	Statewide longitudinal data system (SLDS) development & oversight; authorized employees who may access student data
Ohio	HB 487 (2014)	Statewide data system safeguards
Oklahoma	HB 1989 (2013)	Student Data Accessibility, Transparency & Accountability Act
Oregon	HB 2655 (2015)	Privacy standards; (exam opt-out, but not included in this analysis)
	SB 187 (2015)	SOPIPA (Student Online Personal Information Protection Act)
Pennsylvania	HB 1606 (2016)	Student data collection reduction; & establishes a data advisory committee
Rhode Island	H 7124 (2014)	Cloud computing services requirements; & social media privacy
South Dakota	SB 63 (2014)	Survey requirements & restricts student data disclosure to USED
Tennessee	HB 1549 (2014)	Student Data Accessibility, Transparency & Accountability Act
	SB 1835 (2014)	Prohibits commercial use, & disclosure of student personally identifiable information to the US Department of Education
	HB 1931  / SB 1900 (2016)	SOPIPA (Student Online Personal Information Protection Act)
	HB2690 / SB2029 (2018)	Mental health screening notification
Texas	HB 4046 (2015)	Student record confidentiality
	HB 2087 (2017)	SOPIPA (Student Online Personal Information Protection Act)
Utah	HB 68 (2015)	Mandates student privacy study & Chief Privacy Officer (CPO)
	HB 163 (2015)	Student data breach requirements
	HB 358 (2016)	SOPIPA (Student Online Personal Information Protection Act) contracted services requirements; prohibits collection of Social Security numbers
	SB 102 (2017)	Create list of authorized employees who may access education records; requires privacy training
	SB 163 (2017)	Weakens UT SOPIPA (Student Online Personal Information Protection Act) contracted services requirements; targeted advertising & national assessment provider (ACT/SAT) exceptions
	SB 207 (2018)	Amends UT SOPIPA (Student Online Personal Information Protection Act) contracted services requirements; revokes national assessment provider (ACT/SAT) exceptions
Virginia	SB 242 (2014)	Higher education ban on selling student data
	HB 1334 (2015)	State Department of Education breach notification
	HB 1698 (2015)	Restricts surveys & questionnaires
	HB 2350 (2015)	Establishes a security plan, group & Chief Privacy Officer (CPO)
	HB 1612 (2015)	SOPIPA (Student Online Personal Information Protection Act)
	HB 519 (2016)	Expands VA SOPIPA (Student Online Personal Information Protection Act) definitions
	HB 749 (2016)	Weakens VA SOPIPA (Student Online Personal Information Protection Act)
	HB 750 (2016)	Weakens VA SOPIPA (Student Online Personal Information Protection Act) with a college & career assessment (ACT & SAT) exception
	HB 524 (2016)	Confidentiality of student & teacher data held in teacher personnel files
	SB 438 (2016)	Higher education social media privacy
	SB 951 (2017)	Amends VA SOPIPA (Student Online Personal Information Protection Act) with providing student access to personal information
	HB 1 (2018)	Limits disclosure of PII in Freedom of Information requests
Washington State	SB 5419 / HB 1495 (2015)	SOPIPA (Student Online Personal Information Protection Act)
West Virginia	HB 4316 (2014)	Student Data Accessibility, Transparency & Accountability Act
	HB 4261 (2016)	Amends WV Student Accessibility, Transparency, Accountability Act to include state assessments’ (ACT & SAT) use of student data
Wyoming	SF 79 (2014)	Development of a student data security plan & report
	HB 08 (2017)	Implementation of student privacy & security guidelines

For immediate release: Wednesday, Jan. 23, 2018

For more information contact: Rachael Stickland, [email protected]; 303.204.1272

 

In the first of its kind, the Parent Coalition for Student Privacy and the Network for Public Education have released a report card that grades all fifty states on how well their laws protect student privacy.

The State Student Privacy Report Card analyses 99 laws passed in 39 states plus DC between 2013 and 2018, and awards points in each of the following five categories, aligned with the core principles put forward by PCSP: Transparency; Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations.

Two more categories were added to the evaluation: Parties Covered and Regulated and Other, a catch-all for provisions that did not fit into any of the above categories, such as prohibiting school employees from receiving compensation for recommending the use of specific technology products and services in their schools.

No state earned an “A” overall, as no state sufficiently protects student privacy to the degree necessary in each of these areas. Colorado earned the highest average grade of “B.” Three states – New York, Tennessee and New Hampshire– received the second highest average grade of “B-“.  Eleven states received the lowest grades of “F” because they have no laws protecting student privacy: Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin.

The report tracks specific versions of state laws over time.  For example, many of the state privacy laws enacted since 2013 were modeled after the California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA). While California barred all school vendors from selling student data, eight states subsequently passed laws that allowed the College Board and the ACT to do so.  Laws with specific loopholes to allow  these companies to sell student data were enacted in Arizona, Colorado, District of Columbia, Nebraska, North Carolina, Texas, Utah and Virginia –presumably because of lobbying efforts.

The issue of data security is also critical.  The primary federal student privacy law known as FERPA requires no specific protections against data breaches and hacking, nor does it require families be notified when inadvertent disclosures occur.  In recent years, the number of data breaches from schools and vendors have skyrocketed, and some districts have even been targeted by hackers with attempted blackmail and extortion.  A recent report rated the education industry last in terms of cybersecurity compared to all other major industries.  As a result, this fall the FBI put out an advisory, warning of the risks represented by the rapid growth of education tech tools and their collection of sensitive student data,  saying that this could “result in social engineering, bullying, tracking, identity theft, or other means for targeting children.”

“The inBloom debacle in 2013 exposed the longstanding culture of fast and loose student data sharing among government agencies, schools and companies,” said Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, parent of two public school children in Colorado and the primary author of the report. “Consequently, parents across the nation began urging their state legislators to address the problem, resulting in a complex web of state privacy laws that are difficult to untangle and understand. Our hope is to bring attention to state laws that make a reasonable effort to protect student privacy and identify those that need improvement. Parents and advocacy groups can use our findings to advocate for even stronger measures to protect their children.”

NPE Executive Director Carol Burris noted, “This report card provides not only critical information regarding the existing laws, but also serves a blueprint for parents to use for lobbying for better protections for their children.”

As Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, pointed out, “FERPA was passed over forty-five years ago and has been weakened by regulation over time to allow for the sharing of personal student data by schools and vendors without parent knowledge or consent.  State legislators have stepped up to the plate to try to fill in some of its many gaps and to require more transparency, security protections, enforcement, and the ability of parents and students to control their own data. Yet none of these laws are robust enough in each of these areas.  Congress must strengthen and update FERPA, but meanwhile, this report card can serve as a guide to parents and advocates as to which state laws should be strengthened and in which specific ways.”

An interactive map that shows the grades of each state, both overall and in each of the categories is posted here. The report is posted here ; here is a technical appendix with a more detailed account of how each law was evaluated.   There is also a downloadable matrix with links to all of the state laws, as well as specifying how many points were awarded in every category.

###

A few weeks ago, it was reported that the personal information of 500,000 San Diego students, former students and school staff was exposed in a massive breach. At about the same time, education institutions and organizations were rated as the worst sector for cybersecurity in a 2018 report.

We invite you to join us for a short webinar on Jan. 20, with important tips on how teachers and district/school staff members can better protect their students’ privacy of and their own.

We will be offering guidance along with Marla Kilfoyle of the Badass Teachers Association from our  Educator Toolkit for Teacher and Student Privacy, released this fall. Educators will receive a certificate of participation. Don’t miss out! Space is limited!

When? Sunday, January 20 from 6-7 PM EST (3-4 PST). We’re saving lots of time for questions!

How? Sign up here – it’s free!

We hope to see you on the 20th.

Leonie Haimson  and Rachael Stickland
Co-Chairs, Parent Coalition for Student Privacy

www.studentprivacymatters.org

If you’d like to add your voice and urge the mayor and Chancellor to stop robbing children of their privacy and stop encouraging charter schools to recruit more students and thereby defund public schools, send a letter by clicking here.

Last week, in a mindboggling audit, the Inspector General of the US Department of Education revealed that the US Department of Education had utterly failed to respond in a timely fashion to  complaints filed by parents about the violation of their children’s privacy by their schools or districts.

“The Privacy Office is not meeting its statutory obligation to appropriately enforce FERPA and resolve FERPA complaints,” the Inspector General concluded. “Complainants’ privacy rights are also not appropriately protected as FERPA intends.”

In some cases, as the audit reveals, it took up to six years for the Family Policy Compliance Office  (FPCO) of the US Dept of Education to respond to FERPA complaints.  Because the office hasn’t kept a systematic record of when complaints were filed and then resolved, it was difficult for the auditor to even know what the average time before investigations were launched, close or responses sent.   As of Sept. 2017, there were 285 open investigations.

As I was quoted in Edweek:  “Parents have these very serious complaints about their kids’ privacy having been violated, and they go through the trouble of filing complaints, but they just sit for years without any kind of substantive response.”

To make things worse, when FPCO finally decides that the law has been broken, as they did with Agora charter school in Nov. 2017 , five years after the original complaint, they  have never imposed any fines or withheld any funding. Years of delay and no punishment means yet more reasons for schools and districts to drag their feet and continue to violate the law.

Here in NYC,  children have suffered as a result of these inordinate delays. In November  2017, Johanna Garcia filed a FERPA complaint about the practice of NYC DOE making her family’s personal information and that of other families available to charter schools for the purpose of letting them mail marketing materials and recruit more students.  Four Council Members wrote a letter in support of Johanna’s complaint to the Mayor and Chancellor Carranza, urging them to halt this practice.

Johanna finally received a written response from the US DOE on September 25,  2018,  nearly one year later, saying they had finally launched an investigation.  Dale King of FPCO forwarded her a letter that he had sent DOE, which asked several  piercing questions about their privacy practices and their rationale for allowing charter schools to access student personal information, while stating that there was a deadline of four weeks in which they would have to respond.

Yet DOE further delayed, and apparently sent their response a full month after the deadline, on or around November 26.  Meanwhile, as I feared, charter schools have already begun to send out  mailings, promoting their schools and urging parents to apply for next year.

On Twitter this morning, Naomi Pena, President of the Community Education Council in District 1, posted photos of the glossy brochures she just received in the mail from Success Academy charters, run by Eva Moskowitz, and the Hebrew Public (sic) Charter Schools, founded by Sara Berman, the daughter of billionaire Michael Steinhardt.

‘‘Tis the season for more charter propaganda from the poverty pimps @SuccessCharters I would love for @NYCSchools to give parents the option to OPT OUT of mailing from charters. Again CECs are banned from getting parent info directly help do local outreach. Unless we pay #bs pic.twitter.com/FeimCcO1NY

— Naomi Peña (@naomi325) December 5, 2018

This is how they “market” themselves and create an inflated waiting list of kids. All for families to go there on false promises to eventually come back to PS. This practice just further hinders our work!

— Naomi Peña (@naomi325) December 5, 2018

 

You know what would be great @NYCSchools if my address can be opted out from charter propaganda. Yet CECs are not allowed to have contact info to our district families so we can do outreach & inform them events. #hinderingparentengagement #ourinfoisforsale pic.twitter.com/WzH25N8KQN

— Naomi Peña (@naomi325) December 3, 2018

Naomi’s last tweet refers to the fact that the DOE makes elected Community Education Councils pay the Vanguard mailing house to send parents information about what’s happening in their districts — even though the DOE could provide parent emails for free.  DOE could do this either under the directory information exception to FERPA, or the school officials exception.  In the first case, DOE would have to allow parental opt out, in the second case, CECs would have to sign a written agreement that they would only use this contact information to increase parental involvement and promise not to redisclose the data to other entities.

CECs are eligible to be defined as school officials under FERPA as by  encouraging parental engagement, they are truly providing a service to DOE – unlike charter schools, which are providing no services to DOE, making them ineligible to be defined as school officials under the law.  CECs receive very little money from DOE and simply don’t have the budget to pay the thousands of dollars to Vanguard that wealthy charter school chains like Success and the Hebrew charter schools can afford.

If you’d like to add your voice and urge the mayor and Chancellor to stop robbing children of their privacy and stop encouraging charter schools to recruit more students and thereby defund public schools, send a letter by clicking here.

An even worse fate has been suffered by Fatima Geidi and her son because of the failure of the US Department of Education to carry out its responsibilities under the law.  On October 30, 2015,  more than three years ago, Fatima filed a FERPA complaint against Success Academy after she appeared  on the PBS News Hour to discuss the abusive treatment that her son had experienced at a Success charter school.  Eva Moskowitz took revenge against her, by posting her son’s disciplinary file online, full of false charges, and sending it to reporters throughout the nation.

After filing a complaint against this egregious violation of her son’s privacy, Fatima received no response from the US Department of Education until more than two years later, when she received a letter which said that they had initiated an investigation and had asked Success for an explanation.  On February 16, 2018, they emailed her again to say that they had now received a response from Success and in a few weeks would let her know the results.

By that time, however, Eva Moskowitz had taken the initial posting of the child’s supposed disciplinary offenses down.  But instead, she had since published the same chronicle of trumped-up allegations against him in a book published by Harper Collins on September 12, 2017. Fatima had informed the US Dept of Education of this fact as soon as she discovered it by filing yet another FERPA complaint on December 20, 2017, in which she cited her earlier complaint, and wrote that because of the delay the harm to her child ‘s privacy had been seriously aggravated.

Fatima has heard nothing more from the US Department of Education about either her initial or more recent FERPA complaint since February 2018.  Eva Moskowitz’  book is still available online and in bookstores.  Fatima is now in the process of changing her son’s name so that in the future, his opportunities will not be wrecked by the false allegations made against him, contained in the pages of this horrific book.

These are just two stories showing the immense price that NYC parents and their children have been forced to pay for the utter failure of the US Department of Education to carry out its responsibilities under the law.  The personal information of children has been handed off by DOE like candy to charter schools to help them recruit more students, where these children can be further abused and their privacy even more seriously violated.

If you’d like to add your voice and urge the mayor and Chancellor to stop robbing children of their privacy and stop encouraging charter schools to recruit more students and thereby defund public schools, send a letter by clicking here.

Update: this David vs. Goliath story with national implications was reported also on Fast Company, Business Insider,  EdSurge, and NY Magazine. The Washington Post also published the letter the students subsequently sent to Mark Zuckerberg.

On November 5, about 100 students at the Secondary School of Journalism in Brooklyn walked out of their schools to protest the Summit online program.  This digital instruction program, funded by Mark Zuckerberg of Facebook and Bill Gates, forces students to spend hours staring at computers, left at sea with little human interaction or help from their teachers, all in the name of “personalized learning.”

As one of the students, Mitchel Storman, said to Sue Edelman who reported on the protest in the NY Post, “I have seen lots of students playing games instead of working….Students can easily cheat on quizzes since they can just copy and paste the question into Google.”

Senior Akila Robinson said she couldn’t even log onto Summit for nearly two months, while other classmates can’t or won’t use it. “The whole day, all we do is sit there.”  A teacher said, “It’s a lot of reading on the computer, and that’s not good for the eyes. Kids complain. Some kids refuse to do it.”

The online program, which originated in the Summit chain of charter schools in California, and was further developed and expanded with millions of dollars from the Gates Foundation, Facebook and now the Chan Zuckerberg LLC, has now been inserted in more than 300 or so public schools, collecting a huge amount of personal data from thousands of students without their knowledge or consent or that of their parents.

I have been writing and questioning Summit for the past two years, and last year, met with Diane Tavenner, asked her all sorts of questions she never responded to, and toured her flagship charter school in Redwood City.  My description of this visit is here.

Since then, parents in 15 states have reached out to me in distress about the negative impact of this program on their children. Many report that their children, who had previously done well in school,  now say that they aren’t learning, that they feel constantly stressed, are beginning to hate school and want to drop out. Some parents have told me that they are now homeschooling their kids or have decided to sell their homes and move out of the district.

Recently it was disclosed that next year, the Summit program would spin off to a  separate nonprofit corporation,  run by a board led by Priscilla Chan, Zuckerberg’s wife and the CZI Chief Financial Officer.  Diane Tavenner told reporters  the new corporation “doesn’t plan to expand the program, but rather, the new nonprofit will focus on meeting current demand.”  Yet a few days ago on Twitter, I saw that Summit is still entreating schools to apply .

Below is a fact sheet I have shared with parents and students at Summit schools nationwide, along with questions they can ask their schools and districts about the instructional program, its data collection and privacy protections (or lack thereof).  The fact sheet is also available as a pdf you can download here.

As it points out in more detail, parents have the right to demand that their children’s data be deleted from the online platform, according to Summit itself, and to opt out of their children’s directory information (name, email, student ID number etc.) provided to Summit from now on.  Here is a sample letter you can send to your child’s principal:

Dear Principal [name],

I hereby demand that all the data of my child [name] in the [grade] be immediately deleted from the Summit online system, as is my right according to the Summit Privacy Center. I also want to make it clear that from now on, I opt out of  [his or her] directory information provided to Summit, including name, address, student ID number, email address, etc.  This is my right according to the Summit Data Privacy Addendum.  Please respond as soon as possible to let me know that you have understood and complied with my request.

Name, address, email

Bravo to the courageous students at Secondary School of Journalism, who are fighting  for their own right to privacy and a quality education, vs Zuckerberg,  Gates and the other ed tech oligarchs who are attempting to control their classrooms and their personal data.  As the recent NY Times series pointed out, Silicon Valley corporate leaders and engineers want one kind of screen-free education for their own kids, while imposing  mechanized schooling on everyone else.