Skip to main content
Maryland

Maryland Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Maryland student data privacy rules apply to vendors operating under contract with schools, and Maryland accessibility/nonvisual access requirements should be included in edtech procurement and contracts.

Maryland Student Data Privacy and Accessibility (ICT) Guide

Primary Laws
1) Student Data Privacy (operator requirements when providing online services under contract with a public school/local school system)
2) Maryland accessibility/nonvisual access requirements for information and communication technology (ICT) used/procured by public entities

Citations
Maryland Education Article § 4-131 (Student Data Privacy)
Maryland State Finance and Procurement Article § 3.5-311 (Nonvisual Access Clause) and related DoIT nonvisual access standards

Official Text
https://mgaleg.maryland.gov/2024RS/Statute_Web/ged/4-131.pdf
https://doit.maryland.gov/policies/Accessibility/Pages/Nonvisual-Access-Regulatory-Standards.aspx

Overview

Maryland's Student Data Privacy law regulates operators (vendors) that provide online services or applications to schools under a contract or agreement, and restricts how student covered information can be collected, used, disclosed, and retained.

In addition, Maryland enforces accessibility requirements for information and communication technology, including nonvisual access standards. For school systems procuring or deploying digital learning tools and platforms, accessibility compliance should be addressed alongside privacy and security in the vendor selection and contracting process.

Applicability and Scope

This matters most when:

  • A vendor provides a website/app/online service to a Maryland public school/local school system under a contract or agreement and receives student covered information
  • Districts procure or rely on ICT that must be accessible to users with disabilities (including nonvisual access expectations)
  • Districts need a repeatable, documented vendor approval process across many tools

Student Data Privacy and Vendor Oversight

Maryland’s student data privacy framework emphasizes clear limits on how vendors may collect, use, and protect student information. While districts often rely on written agreements to formalize these expectations, Maryland law allows districts to operationalize compliance through contracts, documented vendor vetting, or a combination of both, depending on risk and data sensitivity.

Districts should ensure that vendor agreements and/or formal review documentation clearly establish:

  • Permitted uses of student data, limited to legitimate educational or school system purposes
  • Restrictions on disclosure, resale, or secondary use of student information
  • Appropriate security safeguards aligned with the sensitivity of the data involved
  • Practical data lifecycle controls, including retention limits and clear deletion or return processes

This approach enables Maryland districts to apply consistent, enforceable controls across vendors while maintaining flexibility in how compliance is documented and managed.

Accessibility Requirements (Nonvisual Access / ICT Standards)

Maryland's accessibility requirements mean districts should treat accessibility as a procurement and implementation requirement, not an afterthought. Vendor agreements and implementation plans should address accessibility standards, documentation (e.g., VPAT or equivalent), and remediation timelines where gaps exist.

How Can EdPrivacy Help Maryland Schools

Maryland districts benefit from managing privacy, security, and accessibility requirements through a single, consistent vendor review process. EdPrivacy helps districts centralize vendor evaluations and supporting documentation so compliance does not rely on fragmented spreadsheets, inbox searches, or informal tracking methods.

EdPrivacy enables districts to:

  • Track which applications and vendors receive covered student information, and under what governance model (contract, vetting, or both)
  • Store contracts, DPAs, privacy and security documentation, and accessibility materials (such as VPATs or ACRs) in one place
  • Document required safeguards, including purpose limitation, disclosure restrictions, breach response expectations, and data retention or deletion requirements
  • Monitor vendor policy, ownership, or feature changes and schedule periodic re-reviews to maintain ongoing compliance

This unified workflow helps districts apply consistent standards while scaling oversight across a growing number of tools.

Summary

Maryland districts should be prepared to:

  • Apply written agreements, structured vendor vetting, or a combination of both when tools handle covered student information
  • Confirm enforceable privacy and security protections, including practical data deletion and return processes
  • Incorporate accessibility and nonvisual access considerations into vendor review, procurement, and governance decisions
  • Maintain clear, auditable documentation that supports ongoing monitoring and can be easily updated

Maryland’s student privacy and accessibility framework supports a documentation-first, risk-based approach to managing edtech vendors—allowing districts to demonstrate compliance through contracts, structured evaluations, or an integrated model that uses both.