Regional Analysis of State Student Data Privacy Laws: South

Educational technology has demonstrated numerous benefits for both educators and students; however, recent advancements are not without concerns.

As ed tech becomes more prevalent in the classroom, privacy rights activists and the Federal government are growing concerned about how sensitive student data is being handled and secured.

The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.

While the practice of collecting data about students is not new–schools have been gathering and reporting test scores, grades, retention records, and the like for years–the means by which student data is collected, the types of data collected, and the entities that ultimately have access to this data have expanded dramatically, the report explains.

In order to understand the laws on a state level, as well as in a regional and national context, let’s look at each state and regional individually, using the United States Census Bureau’s four statistical regions–the Northeast, Midwest, South, and West.

South

Alabama–There doesn’t seem to be a general definition of what constitutes an education record in the state, according to the report. However, the state does offer a definition when specifically discussing the children of members of the armed services. Additionally, Alabama law does not appear to directly address sharing student data with third parties. Overall, state law comes up lacking when addressing student data. The state doesn’t have a specific data retention limit in its statute, it does not appear to require de-identification or aggregation of data, or mandate a security program or specific security protocols.

Arkansas–The state does provide a definition of student data; however, concerning educational record, the report notes that no clear definition is given, but each school district must maintain a permanent student record as outlined by the state Department of Education. Arkansas’ Student Online Personal Information Protection Act limits the use and dissemination of student data by owners (or “operators”) of Internet websites, online services, and online and mobile applications that are designed, marketed, and used primarily for public school purposes and are operating in that capacity. Additionally, the report notes that disclosure limitations do not apply if parties have the “affirmative consent” of the school, student, parent or guardian, in response to clear and conspicuous notice of the use or disclosure. The state’s statutes also provide for security protocols, but do not require de-identification or aggregation of data. Additionally, the report notes that limits on data retention are unclear.

Delaware–Delaware gives detailed definitions for both educational records and student data. Third parties are also excluded from using student data for targeted advertising, as well as from using information gathered to amass a profile of a student except in furtherance of K-12 school purposes, selling student data, or otherwise disclosing student data. While there are security protocols and data retention rules, there are no requirements to de-identify data.

Florida–Florida uses FERPA’s (Family Educational Rights and Privacy Act) definition of educational record and provides its own, detailed definition of student record. The state also provides rules on security protocols and data minimization; however, the de-identification and aggregation of data is not codified.

Georgia–The state provides definitions for both educational record and student data and also requires that schools keep data private and confidential–unless required by law or court order to share the data. The state also provides for security protocols, data disposal policies, and the de-identification and aggregation of data.

Kentucky–Kentucky gives lengthy and detailed definitions for both educational record and student data. The state does require that student data be kept confidential except in limited circumstances. For instance, the state is allowed to release limited data to military recruitment officials, and parents of minor students. The state also provides specific time frames for when data must be disposed of, including print, digital, and auditory records. Kentucky requires security protocols to be followed and requires the de-identification of data.

Louisiana–The report notes that while educational record is used in the statutes, it is undefined by the state. The state does provide a definition for student data. Schools must keep data confidential. Additionally, the statutes require that no city, parish, or other local public school system, local or state governmental agency, public or private entity, or any person with access to personally identifiable student information shall sell, transfer, share, or process any student data for use in commercial advertising, or marketing, or any other commercial purpose. Additionally, the report explains that no person or public or private entity shall access a public school computer system on which student information is stored. The state does provide limited exceptions to these rules, including complying with a court order or providing student data with a parent or student’s permission. The state also provides guidance for data disposal for schools and contractors, as well as security protocols. The Bayou State also requires each local public school board to assign a unique student identification number to every student enrolled in a public elementary or secondary school that students shall have their entire tenure in Louisiana public elementary and secondary schools.

Maryland–Maryland provides definitions for both educational record and student data. The state also requires they be kept confidential and prohibits contractors from selling data or using it in targeted advertising. Contractors are only allowed to share data when it’s for the purpose of the site or application in question. Additionally, whoever the contractor shares the data with must agree to keep it confidential. The state also provides for security protocols, data disposal rules, and requirements for de-identification and aggregation.

Mississippi–The state does provide a definition for educational record, and while it doesn’t provide a specific one for student data, much of what is typically defined as student data is lumped in with educational record. In terms of sharing student data, the school boards of all school districts have the power to delegate, privatize, or otherwise enter into a contract with private entities for the operation of any and all functions of nonacademic school process, procedures and operations including data processing and student records. Similarly, the report notes that the State Longitudinal Data System Governing Board is authorized to contract with a third party to manage and maintain the system and to ensure the policies and procedures developed by the board are enforced. While the state does have data disposal policies and data security protocols, it does not have requirements regarding de-identification or aggregation of data.

North Carolina–North Carolina provides definitions for both educational records and student data in its statutes. Additionally, the state requires data be kept confidential and prohibits third parties from selling any student data they possess as a result of contracted work with schools, unless they receive written permission from a student’s parent. The state also provides data minimization rules, security protocols, and guidelines for de-identification and aggregation of data.

Oklahoma–The Sooner State offers definitions for both educational record and student data, with student data having a lengthy and detailed definition. The state also requires that schools comply with FERPA regulations and bars schools from entering into any agreement to sell student data to any creditor for purposes of marketing consumer credit to students. The Board of Education is required to develop data retention and disposal policies. However, schools are also required to file and permanently retain the original copy of individual scholastic and other permanent student records. Oklahoma also required the BoE and schools to maintain security protocols to keep student data secure. Additionally, the state required the BoE to ensure that any contracts that govern databases, assessments, or instructional supports that include student or de-identified data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance.

South Carolina–South Carolina offers no defined terms in its statutes, though it does prohibit the government from sharing student data with third parties and requires security protocols to be followed. There are no regulations regarding the disposal of student data, though it is required to be de-identified and used in aggregate in certain reporting circumstances.

Tennessee–The state offers lengthy definitions of descriptions of educational records and student data. Additionally, it also protects data from being released to third parties, except in necessary circumstances. Additionally, whenever data is used for research or reports, it must be de-identified and used in aggregate. The Volunteer State also has strong security protocols to protect data and has strict requirements about how and when to dispose of student data.

Texas–Texas pulls its definition of education records directly from FERPA. However, concerning the idea of student data it’s unclear as Texas’ definition. According to the report, it seems to include course or grade completion, teachers of record, assessment of instrument results, receipt of special education services, and personal graduation plan. The state is also prevented from sharing data except in limited circumstances. The state also has strong regulations for data minimization, security protocols, and de-identification policies.

Virginia–Virginia has lengthy regulations governing student data, with strong definitions for both educational records and student data. The state also prohibits the release of student data to third parties unless it’s de-identified information for research, or to a state or Federal employee such as a law enforcement officer or social worker. Additionally, the state specifically prohibits school service providers from using or sharing student personal information for behaviorally targeted advertisements to students, using or sharing student personal information to create a personal profile other than for supporting purposes. There are laws in place for the retention and disposal of student data, as well as security protocol and de-identification and aggregation requirements.

Washington, D.C.–The District of Columbia provides no definitions for educational records or student data. The report notes that no specific statute prohibits the sharing of student data with third parties. However, the District does require that the Office of the State Superintendent of Education develop and implement “a longitudinal educational data warehouse system” that maintains the confidentiality of individual student and staff data, in accordance with D.C. and Federal confidentiality laws, rules, and regulations, according to the report. The District doesn’t provide data retention guidelines, nor specify security protocols.

West Virginia–According to the report, educational records do not include teacher notes (not shared with others), law enforcement records, employment records, records by a health professional created in connection with provision of treatment to a student, and records of an educational agency or institution that contain only information related to a person after that person is no longer a student at the educational agency or institution, such as alumni records. The state does require data be kept confidential from third parties except for limited exceptions, including parents, medical emergencies, law enforcement officers, and in the event of an emergency. When it comes to disposing of student data, school boards are allowed to do as they wish. The report explains that an educational institution is not precluded from destroying records and may do so under certain circumstances. The report also explains that a school district has the responsibility to immediately respond to any data privacy or security incidents or breaches and report such incidents to the appropriate authorities. When the state is required to release public reports or student data by law, the information will also be presented in aggregate.

Also in This Report:

Regional Analysis of State Student Data Privacy Laws: West

Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming

Regional Analysis of State Student Data Privacy Laws: Midwest

Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, Wisconsin

Regional Analysis of State Student Data Privacy Laws: Northeast

Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, Vermont

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.