State privacy laws protecting K–12 student data may foreshadow future data protections for higher education institutions.
January 28 is Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Program will highlight higher education privacy issues. To learn more, visit our awareness campaigns page.
There is no better time than Data Privacy Month for those in higher education to consider how state and federal policymakers — many of whom just started the 2018 legislative session — are changing the student privacy legal landscape. While this shift has mostly focused on regulating K–12 institutions, some legislatures have intentionally — or, occasionally, unintentionally — extended legal requirements or restrictions to college campuses as well. My organization, the Future of Privacy Forum (FPF), tracks these laws and will be releasing a white paper this spring on the student privacy laws with implications for higher education that have passed since 2013.
Over the past five years, states have enacted over 120 laws governing how schools and their service providers collect, use, and protect student data. These laws do not include the many general privacy laws enacted by state legislatures, such as data breach notification laws, that may also have implications for educational institutions. Most of these laws cover information collected from students in elementary, middle, and high school. However, 35 of these laws also govern how private and public higher education institutions use student data.
Most of those laws only have minor requirements for higher education, but 12 of the laws passed are explicitly aimed at higher education data governance and/or student privacy. Four laws prohibit colleges and universities from selling student information or requesting social media account information from students and otherwise penalizing them for refusing to provide it.1 Another common type of law actually exempts higher education institutions from liability when they disclose certain student information, such as personally identifiable information (PII), student records, and research records.2 One particularly interesting Louisiana law from 2015 places an affirmative duty on institutions of higher education to delete any student data they obtained for purposes of processing applications for admission.
The most wide-reaching of the laws passed is Kentucky's HB 5. Passed in 2014, this law mandates that colleges and universities create and implement data security and breach procedures. As with many K–12 student privacy laws, HB 5 also includes requirements for contracts between higher education institutions and service providers. For example, these contracts must require service providers to implement security and breach procedures to protect student information and prevent unauthorized access or disclosure.
Wyoming also passed an interesting law in 2017 providing postsecondary students at the University of Wyoming and community colleges with both a privacy and property right to their electronic communications on their institution's network or an electronic device provide by the institution. A bill introduced in Illinois in 2017 would regulate educational tech providers that serve higher education institutions. The bill would prohibit online service providers from using student information to engage in targeted advertising, create a student profile, or sell student information. It would also prohibit disclosing covered information unless it is for educational purposes or such disclosure is required to comply with other laws, or unless a service provide is contractually obligated to do so. The bill would also require that service providers create and implement security procedures for covered information. While the higher education version of this bill did not pass in 2017, a K–12 version did. It is worth watching to see if the higher education version will come up again in 2018.
In the meantime, the federal government has not been silent. A 2015 bill that will likely be reintroduced in 2018 would rewrite FERPA entirely and require substantive changes in how student data are collected, used, and shared in higher education institutions. Changes to how colleges and universities report student outcomes to the federal government have been suggested — with associated new privacy requirements and restrictions — in two pending bills, the College Transparency Act and the Student Right To Know Before You Go Act.
The bills and laws discussed above are harbingers of the student privacy legal shift that has taken place in K–12 moving to higher education. In a climate where educational institutions continue to adopt more education technology — even as consumer trust in the government and technology companies has gone down (according to research from Pew, Gallup, Pew, and Morning Consult) and as more breaches of sensitive information are reported — this area is ripe for legislative action. A single front-page newspaper story easily lends itself to a bill; for example, after a political group in Virginia used FERPA's directory information exception and the state FOIA law to get student cell phone numbers in 2017, the first filed bill of the 2018 legislative session prevented "state colleges from handing over student records data…to private groups who ask for it with a Freedom of Information Act request."
It is vital that EDUCAUSE members keep an eye on state and federal legislation to make sure that any future laws ensure student privacy while also safeguarding the data and technology used by campuses to improve education.
Notes
- Louisiana HB 340 (2014), Rhode Island HB 7124 (2014), Virginia SB 438 (2016), and Virginia SB 242 (2014) (selling student information). ↩
- North Carolina HB1030 (2016) (PII) and HB 632 (PII), Ohio SB 321 (2016) (student records), North Dakota SB 2295 (2017) (research records and PII), and Virginia HB 1664 (2017) (student records). ↩
Amelia Vance is policy counsel, education privacy at the Future of Privacy Forum.
© 2018 Amelia Vance. The text of this work is licensed under a Creative Commons BY-NC 4.0 International License.