States Enact New Student Data Privacy Laws

Safeguarding Data
States Enact New Student Data Privacy Laws

Recently the governors of New Hampshire, Utah, Virginia, and West Virginia approved the first student data privacy laws of 2016. Each has legislative approaches similar to those we have seen in years past. They focus on data governance, transparency, and leadership—a hopeful sign that states are learning from each other.

  • New Hampshire passed a law (HB 301) that establishes a committee to study the state’s statewide longitudinal data system (SLDS), create a dictionary of data elements currently being collected and maintained, and study the security of school district databases and privacy policies.
  • Utah’s “Student Data Protection Act” (HB 358) establishes data governance (processes for managing and making decisions about student data collection and use) and creates new ways for the state to get feedback about its data policies from various stakeholders. The law describes how state and local education entities and third-party contractors use and communicate about student data. This law has a notable focus on local data use: in addition to establishing a governance plan and student data officer at the state level, it requires districts to develop their own data governance policies and designate a student data privacy manager. It also establishes a “data users advisory group” composed of individuals who use student data in districts and schools, which will provide feedback on the practicality of proposed state data use policies.
  • West Virginia’s Student Data Accessibility, Transparency, and Accountability Act (HB 4261) is modeled off of a law Oklahoma passed in 2013 (HB 1989) establishing state-level governance, including a “data governance manager” to lead the state’s data management activities. It also tasks the state education agency with making its data practices more transparent and accessible to parents.
  • Virginia has made amendments (HB 519 and HB 749) to a 2015 law governing the activities of service providers. These amendments include additional definitions, which largely make the law more in line with legislative approaches that other states and the federal government are considering. The law will also now cover services designed and marketed for schools that are used by a “school-affiliated entity,” or a private entity that supports schools (e.g., booster clubs or PTAs). Additionally, Virginia passed a law (HB 390) relating the privacy and security of teacher data.

So far this year, we’ve seen 94 student data privacy bills in 31 states (see our further analysis here). With 34 state legislatures still in session, we anticipate that several more bills will be signed into law in the coming months. While the stream of state legislation has certainly slowed compared to 2014 and 2015, we’re encouraged to see states building on their previous efforts—and those of their peers—to be thoughtful about protecting student privacy while still allowing for the use of data to support student learning.


Senior Associate, Policy and Advocacy
As a senior associate for policy and advocacy, Taryn helps identify, advocate for, and support changes to state policy and practice that make data work for students. She tracks the changing landscape of state policies that govern education data and helps DQC develop and share resulting insights and recommendations with policymakers and the field. She manages efforts to build DQC’s expertise on the data implications of emerging education issues, such as personalized learning and measuring student growth, and identify action steps state policymakers can take to ensure effective data use while pursuing their education goals.