Regional Analysis of State Student Data Privacy Laws: Northeast

Educational technology has demonstrated numerous benefits for both educators and students; however, recent advancements are not without concerns.

As ed tech becomes more prevalent in the classroom, privacy rights activists and the Federal government are growing concerned about how sensitive student data is being handled and secured.

The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.

While the practice of collecting data about students is not new–schools have been gathering and reporting test scores, grades, retention records, and the like for years–the means by which student data is collected, the types of data collected, and the entities that ultimately have access to this data have expanded dramatically, the report explains.

In order to understand the laws on a state level, as well as in a regional and national context, let’s look at each state and regional individually, using the United States Census Bureau’s four statistical regions–the Northeast, Midwest, South, and West.

Northeast

Connecticut–Connecticut does offer strong definitions of what are considered educational records and student data, meaning that if the right laws are in place, students would be well protected. However, the Nutmeg State doesn’t codify any rules regarding data retention limits or the requirement of de-identification or aggregation of data. Additionally, the state’s Department of Education is charged with the development of a statewide school information system, which tracks student data while maintaining its confidentiality. However, according to the report, educational records “which are not subject to disclosure under FERPA (Family Educational Rights and Privacy Act” are excluded.

Maine–Maine provides detailed definitions for both educational record and student data. According to the report, the state also prohibits a third-party operator from using student data to engage in targeted advertising, amass a profile of a student except for K-12 purposes, sell student data, or otherwise disclose student personally identifiable information unless the disclosure is made pursuant to a limited set of exceptions. However, the report also notes that third-party operators may disclose student personally identifiable information for limited purposes including, but not limited to, advancing the K-12 school purposes of the operator’s website, service, or application, as long as the recipient of the student data disclosed may not further disclose the student data other than to allow or improve operability and functionality of the website, service, or application for use in the classroom. The state also requires third-party operators to delete student data within 45 days of their request and maintain safeguards to protect data under their control.

Massachusetts–Regulations in the Bay State provide a definition for educational record, but not student data. Additionally, regulations prohibit sharing of student data except in limited circumstances. The state also has security protocols, data reduction policies, and de-identification rules in place. How long the state can keep student data depends on what type of data it is. Student transcripts must be kept for 60 years after a student has left the school; whereas, a student’s temporary record must only be kept for seven years after a student graduates.

New Hampshire–In addition to providing detailed definitions, the state also prohibits student data to be shared with third parties, except under limited circumstances. The state also has security protocols and data disposal policies in place. In terms of de-identifying data, the report notes that an operator may use de-identified student covered information within the operator’s [service] or other [services] owned by the operator to improve educational products and to demonstrate the effectiveness of the operator’s services, including in its marketing. An operator may further share aggregated de-identified student covered information for the development and improvement of educational sites, services, or applications.

New Jersey–New Jersey regulations provide strong definitions for data privacy related words. Additionally, the Garden State doesn’t allow student data to be shared, has regulations regarding data disposal and security protocols, and requires data used for research to be de-identified.

New York–While statutes do refer to educational records, no definition is provided; however, New York does provide a definition of student data. New York has extremely lengthy regulations regarding sharing data with a third party, including requiring the third party to notify the state if they ever experience a data breach, requiring them to use encryption technology and maintain safeguards to protect data. Additionally, the report explains that the state allows an educational agency to opt out of providing personally identifiable information of a student to a “shared learning infrastructure service provider” or data dashboard operator for the purpose of creating data dashboards. This request must be made directly to the New York State Education Department. According to the report, the state is developing security protocols, data minimization policies, and de-identification requirements.

Pennsylvania–Pennsylvania provides adequate definitions for educational records and student data. Additionally, the state has provided security protocols and requires data used in reports to be used in aggregate. The state isn’t allowed to share student data except in limited circumstances and with security controls in place. For instance, data can be shared with researchers as long as the researcher doesn’t disclose the data to a third party and if the data is destroyed after the research is completed. However, the Keystone State hasn’t codified data retention limits with respect to K-12 educational records, according to the report.

Rhode Island–The Ocean State provides adequate definitions for words concerning student data privacy, as well as prohibiting student data to be used for any commercial purposes. Educational institutions are also required to submit records control schedules to the public records administration program. Additionally, Rhode Island also has a “Children’s Cabinet” within its executive branch that oversees security protocols concerning student data. However, the state doesn’t have regulations regarding de-identification or aggregation of data.

Vermont–The state doesn’t have any definitions in its statutes; however, in 2008, the Department of Education approved a data suppression policy for student information that applies to all Vermont Department of Education contracts and reports as well as those generated by third parties working on its behalf. So, while there are few state statutes governing student data, the data suppression policy does discuss many issues. According to the data suppression policy, all analysis of student-level data must take place on a Vermont Department of Education network, and personally identifiable student information may not be removed from a Vermont Department of Education network. The state also requires that student data used for research or analysis must be de-identified by a Vermont Department of Education staff member.

Also in this Report:

Regional Analysis of State Student Data Privacy Laws: South

Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, Washington, D.C., West Virginia

Regional Analysis of State Student Data Privacy Laws: West

Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming

Regional Analysis of State Student Data Privacy Laws: Midwest

Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, Wisconsin

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.