Regional Analysis of State Student Data Privacy Laws: Midwest

Educational technology has demonstrated numerous benefits for both educators and students; however, recent advancements are not without concerns.

As ed tech becomes more prevalent in the classroom, privacy rights activists and the Federal government are growing concerned about how sensitive student data is being handled and secured.

The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.

While the practice of collecting data about students is not new–schools have been gathering and reporting test scores, grades, retention records, and the like for years–the means by which student data is collected, the types of data collected, and the entities that ultimately have access to this data have expanded dramatically, the report explains.

In order to understand the laws on a state level, as well as in a regional and national context, let’s look at each state and regional individually, using the United States Census Bureau’s four statistical regions–the Northeast, Midwest, South, and West.

Midwest

Illinois–While Illinois offers a lengthy definition of educational record, it doesn’t offer a definition of student record. The state has a broad prohibition on releasing student records except in limited circumstances, including to parents, board of education employees who have a demonstrated need, pursuant to a court order, and to be in compliance with the Family Educational Rights and Privacy Act (FERPA). The report explains that [a] school may maintain indefinitely anonymous information from student temporary records for authorized research, statistical reporting or planning purposes, provided that no student or parent can be individually identified from the information maintained.” Additionally, according to the report, each school is required to have an “official records custodian,” who is responsible for “maintenance, care and security of all school student records, whether or not such records are in his personal custody or control.” The report also notes that the records custodian “shall take all reasonable measures to prevent unauthorized access to or dissemination of school student records. The Land of Lincoln only authorizes schools to maintain records of “anonymous information from student temporary records” and only for “authorized research, statistical reporting or planning purposes, provided that no student or parent can be individually identified from the information maintained.”

Indiana–As with other states in the region and country, Indiana offers a definition of educational record, but not one for student data. The state requires schools to comply with FERPA and to only release data under limited circumstances. The state hasn’t codified data retention limits, security protocols, or de-identification or aggregation rules.

Iowa–The Hawkeye State also only defines educational records in its statutes. Iowa also mandates that data be kept private unless required by law or court order to share data. It does, however, note that data can be shared with secondary education institutions upon the student’s request. The state also notes that statutes discussing data privacy shouldn’t be construed to prohibit a postsecondary education institution from disclosing to a parent or guardian information regarding a violation of a Federal, state, or local law, or institutional rule or policy governing the use or possession of alcohol or a controlled substance if the child is under 21 and the institution determines that the student committed a disciplinary violation with respect to the use or possession of alcohol or a controlled substance regardless of whether that information is contained in the student’s education records. The state does provide security protocols, but doesn’t have language on data retention or de-identification and aggregation.

Kansas–The state provides definitions for both educational records and student data. Additionally, data is required to be kept confidential except under limited circumstances. The report also notes that when student data is transferred to another agency or to a service provider pursuant to a data-sharing agreement, “the student data shall be destroyed when no longer necessary for the purposes of the data-sharing agreement or upon expiration of the data-sharing agreement, whichever occurs first.” School boards are also required to design and implement security protocols with specific requirements, as well as de-identification and aggregation procedures.

Michigan–Michigan provides strong definitions for both educational records and student data. The state also requires student data to be kept private except for limited circumstances. The statutes also note that official recruiting representatives of the armed forces of the United States or their service academies may receive pupil directory information, but shall use that information only to provide information to pupils concerning educational and career opportunities available in the armed forces or the service academies, and shall not release that information to a person who is not involved in recruiting for the armed forces or the service academies. The Great Lakes State hasn’t codified any security protocols or data minimization rules. However, the state does require schools to use data in aggregate for reporting purposes.

Minnesota–Minnesota provides a brief definition for educational records and no definition for student data. It does, however, require student data to be kept private and subjects any entities that the government contracts with to follow the state’s data privacy laws. Minnesota requires schools to keep data for a long period of time. The report notes that any registered schools (private schools offering degree programs and out-of-state postsecondary educational institutions offering distance learning to students within Minnesota), shall maintain a permanent record for each student for 50 years from the last date of the student’s attendance. The state also lays out requirements for data security and de-identification and aggregation of data.

Missouri–As with many states in the region, the state defines educational record, but not student data. Missouri also requires schools to keep data private, and when contracting with third parties the state must ensure that any contracts that govern databases, assessments, or instructional supports that include student or redacted data and are outsourced to private vendors include express provisions that safeguard privacy and security, including provisions that prohibit private vendors from selling student data or from using student data in furtherance of advertising, with penalties for noncompliance, except to a local service provider for the limited purpose authorized by the school or district whose access to student data, if any, is limited to “directory information” as that term is defined in the Federal regulations implementing FERPA. While the Show Me State doesn’t have any statutes on data minimization, it does have security protocols and aggregation requirements on the books.

Nebraska–Nebraska also only defines educational record. The state does require records to be kept private, but it carves out an exception for state employees who are analyzing whether a Federal- or state-funded educational program is successful or working properly. While the Cornhusker State doesn’t have data security protocols codified, it does have regulations on data minimization, as well as de-identification and aggregation.

North Dakota–The Peace Garden State does provide a brief definition of educational record, but skips one on student data. The state does have data minimization rules laid out, including when data must be disposed of. While North Dakota doesn’t have any rules codified regarding de-identification or aggregation of data, it does lay out specific security requirements, including the use of encryption technology and staff training.

Ohio–The state provides definitions for both educational record and student data–both of which are lengthy and detailed. Additionally, while the state does require personalized data to be kept private, the report notes that the state doesn’t possess identifiable data in the first place. The statewide Education Management Information System (EMIS) is the Department of Education’s student data system. Data submitted to the statewide EMIS includes individual test, attendance, demographic, program, and course data. Such data are reported using a Statewide Student Identifier. The state also provides lengthy regulations, with specific rules and requirements, governing data minimization, security protocols, and de-identification and aggregation. The state also provides governance for third-party contracts that the board of education or schools may enter into.

South Dakota–The state offers strong definitions for numerous words surrounding the issue of student data privacy. However, it does not offer regulations on data retention or de-identification requirements. The law does prevent the government from sharing student data with third parties and offers protocols regarding the securing of student data.

Wisconsin–The state excludes notes or records maintained for personal use by a teacher or other person who is required to hold a certificate, license, or permit if such records and notes are not available to others; records necessary for, and available only to persons involved in, the psychological treatment of a pupil; and law enforcement unit records from its definition of educational record. Additionally, Wisconsin requires student records to be kept confidential with limited exceptions, including law enforcement, authorized public officials, parents of the pupil, or for limited purposes in an emergency. The state also has clear data retention policies, requiring that each school board adopt rules in writing specifying the content of pupil records and the time during which pupil records shall be maintained. According to the report, pupils’ progress records shall be maintained for at least five years after the pupil ceases to be enrolled in the school. Additionally, behavioral records shall only be maintained for one year after the pupil ceases to be enrolled in the school, unless the student requests records be maintained for longer. However, the Badger State doesn’t specify security protocols regarding student data or require the de-identification or aggregation of data.

Also in This Report:

Regional Analysis of State Student Data Privacy Laws: South

Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, Washington, D.C., West Virginia

Regional Analysis of State Student Data Privacy Laws: West

Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming

Regional Analysis of State Student Data Privacy Laws: Northeast

Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, Vermont

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.