State & Federal Laws

There are many state and federal laws that safeguard student data. These laws help ensure data is protected while still fostering a culture that uses data for continuous improvement.

Children's Internet Protection Act
CIPA requires K-12 schools and libraries receiving federal discounts for internet access to implement internet safety policies that prevent students from accessing inappropriate and/or harmful material and protect against the unauthorized disclosure, use, and dissemination of a minor's personal information.

Children's Online Privacy Protection Act
COPPA regulates how commercial entities may collect and use information collected online from children under the age of 13, including the rules about parental consent.

Family Educational Rights & Privacy Act
FERPA is a federal law that safeguards student privacy by limiting who may access student records, specifying for what purpose they may access those records, and detailing what rules they have to follow when accessing the data.

Health Insurance Portability & Accountability Act
HIPAA establishes privacy and security rules regarding access to protected health information in certain kinds of health records, including health plans, health care clearinghouses, and health care providers. When health information about a student appears in an education record, FERPA governs the protection of the data, not HIPAA.

Protection of Pupil Rights Amendment
PPRA defines the rules that states and districts must follow when administering tools like surveys, analyses, and evaluations funded by the U.S. Department of Education. It requires parental consent to administer many tools and ensures school districts have policies in place regarding how the data collected through these tools can be used.

Student Online Personal Information Privacy Act
Adopted in 2015, the Student Online Personal Information Act governs how online service providers can collect, access, and use student data. It prohibits online service providers from using student data for commercial or secondary purposes, while still allowing for personalized learning and service innovation and improvement. SOPIPA allows educators to use online services while still safeguarding student privacy.

Student Data Vendor Security Act (effective June 1, 2024)
Each school district must ensure that all contracts that disclose or make available student personally identifiable information (“PII”) to vendors, including school service contract providers, school service on-demand providers, and other third parties including subcontractors of contract providers, include express language that safeguards the privacy and security of PII. Districts must make information concerning data use available to parents. Parents also must consent to the use of PII by a provider if the provider plans to use the material in a manner inconsistent with the contract between the provider and the district. To ensure transparency, providers must furnish easily understood information identifying the data they collect, why they collect the data, and how they use the data. Providers must keep an updated privacy policy, notify districts of any material change, and notify the district of any discovered misuse of the PII. Providers are prohibited from using PII for any purpose other than that contained in the contract, selling PII, using or sharing PII for targeted advertising, and using PII to create profiles of students. Providers also must keep PII secure and destroy it on request of the school district (absent a parent’s consent for the provider to retain the PII). There are several exceptions to the law that allow a provider to use PII within express parameters.
