Arizona Student Data Privacy (EdTech Operator) Guide
Primary Law
Student data privacy rules for operators of online services used for school purposes
Citation
A.R.S. 15-1046 (and related provisions in A.R.S. Title 15, Article 2.1)
Official Text
https://www.azleg.gov/ars/15/01046.htm
Overview
Arizona restricts how operators of online services used for school purposes may use and disclose student information. The law prohibits targeted advertising based on information collected through school use, limits profiling of students beyond school purposes, and restricts selling or renting student information. It also requires reasonable security practices and supports deletion of student information when requested by a public school (subject to applicable exceptions).
For districts, the operational takeaway is vendor governance: verify that edtech products are configured and contractually committed to use student information only for school purposes, with safeguards and lifecycle controls that fit the sensitivity of the data.
Applicability and Scope
Arizona's student data privacy requirements are most relevant when:
- Students or staff use an operator's website, service, or application for school purposes
- The operator collects covered information or persistent unique identifiers from student use
- A vendor relationship involves sharing or storing student information in a third-party system
Prohibited Activities (Advertising, Profiling, Sale)
Arizona prohibits operators from engaging in targeted advertising based on information acquired because of school use. Operators also may not build student profiles except in furtherance of school purposes and may not sell or rent student information (with limited exceptions such as certain acquisition scenarios).
District reviews commonly document:
- Whether advertising and marketing use is blocked for student data collected in the school context
- Whether student profiling is limited to supporting instruction or the school purpose
- Whether data sale and rental is prohibited
Permitted Disclosures and Vendor Controls
Arizona allows certain uses and disclosures, such as those necessary to provide the service for school purposes, for legal compliance, for safety and integrity, and to vetted service providers under contract restrictions. Districts should ensure subcontractors and downstream recipients are bound by appropriate limitations and security requirements.
Security and Deletion Expectations
Arizona requires operators to implement reasonable security procedures and practices appropriate to the nature of covered information. Operators must delete student covered information within a reasonable time if a public school requests deletion of information under the control of the public school, unless the student or parent/guardian consents to continued maintenance.
How Can EdPrivacy Help Arizona Schools
Arizona districts often need to prove that vendors are aligned with the statute: no targeted advertising, no secondary profiling, secure handling, and deletion responsiveness. EdPrivacy helps districts keep that evidence organized and makes vendor reviews repeatable across many tools.
The platform helps districts:
- Identify which apps collect covered information and where persistent identifiers may be used
- Store vendor policies, contracts, and security materials so approvals are easy to reference later
- Document required constraints (purpose-only use, no sale, no targeted advertising, deletion workflows)
- Track changes over time so vendor commitments remain aligned with how the product operates
Summary
Arizona districts should be prepared to:
- Confirm edtech operators do not use school-collected student information for targeted advertising
- Ensure student profiling stays within school purposes and data sale/rental is prohibited
- Verify reasonable security safeguards and clear deletion processes
- Maintain documentation that supports consistent approvals and periodic re-review
A.R.S. 15-1046 supports a practical oversight model focused on vendor limitations, security, and student data lifecycle controls.