Student data privacy guide

Where law meets daily decisions

This is where school leaders and staff can get clear, accessible guidance on FERPA, COPPA and state privacy rules. No legal jargon. Just what you need to support compliance and protect students.

Find your state’s student privacy laws

Many states have passed their own rules on how student data can be collected, stored and shared. Use the map below to view your state’s current laws, download checklists and link directly to relevant blog content.

Explore state by state

Alaska Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Alaska's breach notification framework drives incident readiness for student and staff systems and vendor-hosted platforms that store personal information.

Hawaii Student Data Privacy

Hawaii restricts edtech operators' use and disclosure of student covered information and requires reasonable security safeguards under HRS Section 302A-500.

New Hampshire Student Data Privacy

New Hampshire requires student data privacy and security safeguards that districts implement through signed vendor agreements, controlled sharing, and incident response readiness.

Vermont Student Data Privacy

Vermont student privacy expectations emphasize purpose limitation, security safeguards, and contract-based vendor oversight for tools that handle student data.

Massachusetts Student Data Privacy

Massachusetts imposes strong data security requirements and breach readiness expectations that districts operationalize through signed vendor agreements and enforceable security controls.

Rhode Island Student Data Privacy

Rhode Island regulates edtech operators' collection and use of student information and supports strong contract-driven safeguards and security expectations.

Connecticut Student Data Privacy

Connecticut's student data privacy rules emphasize contract-based vendor controls, security safeguards, and clear limits on use and sharing of student information.

Pennsylvania Student Data Privacy

Pennsylvania's breach notification law drives incident readiness for student data systems and vendor-hosted platforms that store personal information.

New Jersey Student Data Privacy

New Jersey restricts edtech operators' use/disclosure of student information and supports contract-driven safeguards, security controls, and deletion expectations.

Delaware Student Data Privacy

Delaware's Student Data Privacy Protection Act requires reasonable security safeguards and restricts edtech operators' use and disclosure of student data.

Maryland Student Data Privacy

Maryland student data privacy rules apply to vendors operating under contract with schools, and Maryland accessibility/nonvisual access requirements should be included in edtech procurement and contracts.

West Virginia Student Data Privacy

West Virginia requires strong governance of student data systems, detailed security planning, and vendor contracts with explicit privacy/security safeguards and penalties.

Virginia Student Data Privacy

Virginia regulates school service providers operating under contract and requires an information security program plus contract-based limits on use/sharing of student personal information.

Utah Student Data Privacy

Utah requires strong contract-based controls for third-party contractors that receive personally identifiable student data under Utah Code 53E-9-309.

New Mexico Student Data Privacy

New Mexico requires reasonable security safeguards for personal identifying information and supports contract-based vendor controls and breach readiness for student PII in district systems.

Tennessee Student Data Privacy

Tennessee combines student data governance requirements with operator restrictions on targeted advertising, profiling, and sale for online services used in K-12 settings.

Kentucky Student Data Privacy

Kentucky restricts how cloud computing service providers may use personally identifiable student information under KRS 365.734.

Indiana Student Data Privacy

Indiana districts commonly rely on federal FERPA requirements and strong local governance to control vendor access, disclosures, and security for student records.

Michigan Student Data Privacy

Michigan combines education record transparency and vendor contract safeguards (MCL 380.1136) with operator limits on ads, profiling, sale, security, and deletion (MCL 388.1295).

Wisconsin Student Data Privacy

Wisconsin's pupil records law defines record categories and governs access and disclosure of pupil records under Wis. Stat. 118.125.

Minnesota Student Data Privacy

Minnesota treats educational data as private by default and limits disclosures under Minn. Stat. 13.32, aligning closely with FERPA and requiring strong vendor governance.

South Dakota Student Data Privacy

South Dakota's student record privacy framework aligns with federal education record concepts and emphasizes controlled disclosure and vendor oversight.

North Dakota Student Data Privacy

North Dakota requires districts to maintain a student data protection policy with defined access, sharing rules, and vendor governance for student data.

Colorado Student Data Privacy

Colorado requires transparency and security safeguards for student data and enforces vendor purpose limitation under the Student Data Transparency and Security Act.

Wyoming Student Data Privacy

Wyoming districts typically implement student data privacy through federal FERPA/COPPA requirements and strong local vendor governance, documentation, and security practices.

Montana Student Data Privacy

Montana limits targeted advertising, profiling, sale, and unauthorized disclosure by operators of K-12 online applications and requires security and deletion practices.

Arizona Student Data Privacy

Arizona restricts edtech operators from targeted advertising, sale, and non-school profiling and requires reasonable security and deletion practices.

Nevada Student Data Privacy

Nevada regulates school service providers' use of pupil data, limits targeted advertising, and emphasizes security planning and incident readiness.

Washington Student Data Privacy

Washington's SUPER Act limits targeted advertising and requires transparency, security, and deletion practices for K-12 school service providers.

Kansas Student Data Privacy

Kansas requires structured data-sharing agreements and limits disclosure of student data under the Student Data Privacy Act (K.S.A. 72-6312 through 72-6320).

Missouri Student Data Privacy

Missouri requires student data transparency, access controls, security planning, and vendor contract safeguards under RSMo Section 161.096.

Oklahoma Student Data Privacy

Oklahoma's student data law emphasizes transparency, security safeguards, and accountability for student information systems and edtech data practices.

Arkansas Student Data Privacy

Arkansas combines operator restrictions with contract safeguards for student PII under SOPIPA and the Student Data Vendor Security Act.

Louisiana Student Data Privacy

Louisiana limits collection and disclosure of student information and emphasizes role-based access and governance under R.S. 17:3914.

North Carolina Student Data Privacy

North Carolina restricts how edtech operators may use student data and requires reasonable security and deletion practices.

South Carolina Student Data Privacy

South Carolina focuses on student data governance, controlled access, and disciplined disclosure aligned to SC Code 59-1-490.

Georgia Student Data Privacy

Georgia regulates student data use by edtech operators and emphasizes district oversight, security, and parent access.

Alabama Student Data Privacy

Alabama districts can use COPPA and FTC school guidance as a baseline for tools used by children under 13.

Mississippi Student Data Privacy

Mississippi districts can use COPPA and FTC school guidance as a baseline for tools used by children under 13.

Idaho Student Data Privacy

Idaho sets statewide rules for how student data is defined, accessed, shared, and safeguarded across education systems and approved partners.

Ohio Student Data Privacy

Ohio prioritizes contracts for student records

Florida Student Data Privacy

Florida regulates online student data practices

Texas Student Data Privacy

Texas student data privacy targets vendors rather than districts. The law restricts vendor use and disclosure of student data.

Maine Student Data Privacy

Regulates operators of websites/services used for K–12

Illinois Student Data Privacy

Illinois Student Online Personal Protection Act

New York Student Data Privacy

Districts must execute written data privacy agreements with any vendor that collects or stores student information.

Iowa Student Data Privacy

Iowa student data privacy focuses on district responsibility

Nebraska Student Data Privacy

Nebraska’s student records law (79-2,104) limits disclosure and supports FERPA-aligned data sharing and governance.

California Student Data Privacy

Regulates operators of websites and services used for K–12

Oregon Student Data Privacy

Oregon student data privacy focuses on vendors

Essential privacy solutions for modern districts

Edprivacy brings every stage of privacy management into one place, so districts can move faster, reduce risk and stay compliant with evolving laws.

FERPA

The Family Educational Rights and Privacy Act protects student education records and gives families control over their child’s information.

COPPA

The Children’s Online Privacy Protection Act limits how apps and websites collect data from students under 13.

What COPPA means for your school

COPPA protects the personal information of students under 13 when they use digital tools. It sets limits on what data websites and apps can collect and how they use it.

Applies to children under 13

Covers websites, apps, and online services that collect information from younger students, whether at home or in class.

Requires transparency

Vendors must clearly disclose what they collect, why they collect it, and how the information will be used or shared.

Limits data collection

Restricts what data can be gathered and how long it’s stored. Prohibits targeting users with ads based on personal details.

Schools can consent for parents

Districts often give consent on behalf of families, but must vet tools carefully and keep documentation on file.

What FERPA means for your school

FERPA is a federal law that protects the privacy of student education records. It gives parents and eligible students rights over their information and sets clear limits on when schools can share it.

Protects education records

Covers academic records, enrollment files, discipline history and other personally identifiable information tied to a student.

Parental and student rights

Parents, and students over 18, can access their records, request corrections and control who sees their information.

Requires clear access policies

Staff must have a legitimate educational interest to view records. Districts must track access and maintain audit trails.

Defines directory information

Basic info like name or grade level can be shared if parents are notified and allowed to opt out in advance.

Your go-to privacy resources

Find the right guidance for your district, whether you're staying updated on policy, digging into real-world insights or looking for quick help.

Our blog

Insightful reads on app vetting, compliance strategy, and K–12 edtech privacy trends.

Privacy news and trends

Track policy changes and what they mean for your district.

Solution support

Get answers, walkthroughs, and in-platform help.
