Skip to main content
Maine

Maine Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Regulates operators of websites/services used for K–12

Maine Student Data Privacy Guide

Primary Law: Student Information Privacy Act (SIPA)
Citation: 20-A M.R.S. §§ 951–953
Official Text: https://www.mainelegislature.org/legis/statutes/20-a/title20-Ach13sec0.html

The Maine Student Information Privacy Act (SIPA) regulates how online services, apps, and platforms (“operators”) used for K–12 school purposes may collect, use, share, and protect student data. It defines “student data” broadly, sets strict boundaries on targeted advertising and profiling, and requires reasonable security and timely deletion on request. Maine State Legislature+1

Crucially for district leaders: SIPA does not require school administrative units to enter a written data-privacy contract with every operator. Instead, Maine directly regulates operator behavior through statute. Maine State Legislature+1

Core scope and definitions

Under SIPA, an operator is an entity (other than the Maine Department of Education, a school, or a school administrative unit) that: Maine State Legislature

  • Operates a website, online service, application, or mobile app designed and marketed for K–12 school purposes and used for those purposes; and
  • Collects, maintains, or uses student personally identifiable information in a digital or electronic format.

Student data is defined very broadly and includes: Maine State Legislature+1

  • Direct identifiers (name, family member names, addresses, email, phone number).
  • Indirect identifiers and demographic information (date/place of birth, race, ethnicity, disability status, socioeconomic information).
  • Assessment results, course and transcript data, attendance and mobility information.
  • Participation in programs required by state or federal law.
  • Highly granular digital exhaust such as student emails, documents, messages, search activity, photos, voice recordings, and geolocation information.

If a service is designed and marketed for K–12 and uses this kind of data, it is very likely within SIPA’s reach.

Restrictions on operators (ed-tech vendors)

20-A M.R.S. § 953 sets out key prohibitions and obligations for operators. Maine State Legislature+1

Prohibited uses without consent

Without explicit written or electronic consent from a parent or eligible student, an operator may not:

  • Use student data to engage in targeted advertising, whether on its own service or elsewhere, when the targeting is based on student data and persistent identifiers obtained through the school-use service.
  • Use student data to amass a profile of a student, except when that profile is strictly for K–12 school purposes.
  • Sell student data.
  • Disclose student personally identifiable information, except in a limited set of permitted circumstances (e.g., to support the service’s K–12 purpose, to comply with law, for security, safety, or through properly bound service providers).

These prohibitions apply directly to the operator, regardless of whether the district has a signed contract in place. Maine State Legislature+1

Security and deletion

SIPA requires operators to: Maine State Legislature+1

  • Implement and maintain reasonable security procedures and practices appropriate to the nature of the student data.
  • Delete student data within 45 days of a request from a school or school administrative unit.

Permitted uses and disclosures

The law allows certain uses of student data, such as: Maine State Legislature+1

  • Operating, maintaining, and improving the educational service.
  • Adaptive or customized learning within the service.
  • Recommendation engines for educational or job-related opportunities within the service (without third-party pay-to-play).
  • Sharing de-identified or aggregate data to improve products or demonstrate effectiveness.

Operators may also disclose data when required by law, for specific research under legal constraints, or to state agencies and schools for K–12 purposes, as permitted by state or federal law. Maine State Legislature+1

Relationship to other Maine student-record rules

SIPA explicitly states that nothing in the chapter authorizes disclosure in violation of 20-A M.R.S. § 6001 (Maine’s student-records dissemination law). Maine State Legislature+1

Separately, Maine rules (e.g., MUSER, Ch. 101, § XIV) and federal FERPA/IDEA require school administrative units to: Legal Information Institute+1

  • Permit parents to inspect and review education records relating to their child.
  • Maintain lists of the types and locations of records on request.
  • Handle transfer and disclosure of records in line with FERPA, state law, and special-education regulations.

SIPA sits on top of these frameworks, adding specific obligations for K–12 online operators and digital services.

Are signed district–vendor contracts required under Maine law?

No, SIPA itself does not require signed contracts with every operator.

  • Chapter 13 (SIPA) contains no provision that mandates districts to execute a written data-privacy agreement with each operator. Maine State Legislature+1
  • Instead, the statute directly governs operators’ conduct (advertising, profiling, sale, disclosure, security, and deletion).

That said, many Maine school units still choose to use written data-privacy agreements. For example, the Maine Student Data Privacy Agreement (Version 1.0) is a standardized contract template that references SIPA, § 6001, MUSER, and federal laws such as FERPA and COPPA and can be adopted by school units and providers through a “General Offer of Privacy Terms.” sdpc.a4l.org

Nothing in SIPA prevents districts from requiring contracts; it simply does not make them mandatory.

Practical implications for Maine districts

Because SIPA is operator-focused, Maine districts should pay particular attention to:

  • Identifying operators
    Determine which apps and services meet the statutory definition of an operator (K–12-focused, digital, and handling student data). Maine State Legislature
  • Understanding each vendor’s data uses
    Confirm whether a vendor’s practices line up with SIPA’s limits on targeted advertising, profiling, sale of data, and disclosure. Maine State Legislature+1
  • Documenting deletion requests and responses
    When a school or SAU asks a vendor to delete student data, track the request and ensure the operator complies within 45 days. Maine State Legislature
  • Aligning local practice with § 6001 and FERPA
    Ensure internal policies for record access, transfer, and confidentiality are consistent with Maine’s student-records chapter and federal law, then layer SIPA-specific expectations on top. Maine State Legislature+1
  • Using optional DPAs wisely
    Where districts adopt the Maine Student Data Privacy Agreement or similar contracts, ensure the terms match SIPA’s definitions, prohibitions, and timelines, and avoid conflicts with local procedures. sdpc.a4l.org

How EdPrivacy Supports Maine Schools

Even without a mandatory contract requirement, Maine districts still need a clear process for evaluating and managing the operators they use. EdPrivacy helps by giving districts a consolidated, easy-to-maintain view of all apps used in classrooms, supporting:

  • Vetting of operators under SIPA, with quick access to each vendor’s documented data practices and privacy posture.
  • Vendor improvement requests, allowing districts to identify policy gaps and communicate needed clarifications directly with providers.
  • Contract and agreement tracking, so districts can maintain organized records of any DPAs or agreements they choose to use.

This gives Maine administrators a dependable, structured way to manage SIPA-related responsibilities and strengthen vendor accountability, without adding unnecessary administrative burden.