Skip to main content
Michigan

Michigan Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Michigan combines education record transparency and vendor contract safeguards (MCL 380.1136) with operator limits on ads, profiling, sale, security, and deletion (MCL 388.1295).

Michigan Student Data Privacy and Vendor Oversight Guide

Primary Laws
Protection of Pupil Privacy Act and Student Online Personal Protection Act

Citations
MCL 380.1136 (Protection of pupil privacy); MCL 388.1295 (Operator prohibited conduct and duties) and related sections

Official Text
https://legislature.mi.gov/Laws/MCL?objectName=MCL-380-1136
https://www.legislature.mi.gov/Laws/MCL?objectName=mcl-388-1295

Overview

Michigan addresses student data privacy through a combination of governance requirements and operator restrictions. The Protection of Pupil Privacy Act focuses on transparency, disclosure controls, and vendor contract safeguards for education records held by the Michigan Department of Education (MDE), CEPI, districts, and related entities. Michigan's Student Online Personal Protection Act restricts edtech operators from using school-collected student information for targeted advertising, non-school profiling, or sale, and it includes security and deletion expectations.

Together, these laws support a practical district approach: implement clear disclosure rules, require strong vendor contract terms, and verify that online services used for school purposes are technically and contractually limited to educational use.

Applicability and Scope

Michigan student data requirements are most relevant when:

  • Districts or state agencies collect, maintain, or disclose education records or personally identifiable information
  • Vendors receive access to education records under a contract (including service providers and subcontractors)
  • Students use online services, websites, or applications for K-12 school purposes

Transparency and Disclosure Accountability

Michigan requires transparency about what data is collected and emphasizes controlling disclosures. For example, Michigan law includes expectations for publicly available criteria governing disclosure of pupil information and for responding to parent requests about what was disclosed, to whom, and why in certain circumstances.

Districts typically operationalize this by:

  • Keeping a current inventory of systems and tools that store or process student information
  • Documenting the purpose for each disclosure and the data elements included
  • Maintaining a consistent process to respond to parent questions and requests about student records

Vendor Safeguards and Governance Expectations

Michigan’s student data privacy framework emphasizes that when districts permit vendor access to education records, privacy protections must be clearly defined and enforceable. While districts often formalize these expectations through written agreements, compliance may also be supported through documented vendor vetting, depending on risk and data sensitivity.

Districts should ensure that vendor agreements and/or formal review documentation:

  • Clearly reflect actual data access and use, aligned to the services being provided
  • Establish privacy and confidentiality requirements, including accountability measures for noncompliance
  • Address security practices appropriate to the scope and sensitivity of the data involved
  • Remain current as integrations, features, or vendor practices change, with reviews refreshed as needed

This approach helps Michigan districts ensure that governance controls stay aligned with real-world usage and evolving vendor relationships, whether implemented through contracts, structured evaluations, or a combination of both.

Operator Restrictions (Ads, Profiling, Sale) and Data Lifecycle

Michigan's Student Online Personal Protection Act prohibits operators from targeted advertising based on information obtained through school use, limits profiling to K-12 school purposes, and prohibits selling or renting student information (with limited exceptions). Operators must implement reasonable security procedures and delete covered information when a school or district requests deletion of data under its control.

How EdPrivacy Helps Michigan Schools

Michigan districts benefit from having clear, well-organized documentation that demonstrates how vendors are governed and how student data is protected. EdPrivacy helps districts bring together vendor reviews, agreements (where used), and supporting evidence so oversight remains consistent, even as products evolve and renewals occur.

With EdPrivacy, districts can:

  • Maintain a comprehensive inventory of applications and vendors, identifying which tools access education records or student identifiers
  • Centralize privacy policies, contracts, DPAs, and security materials to support audit readiness and internal review
  • Record approval guardrails, such as prohibitions on targeted advertising, purpose-only data use, controlled sharing, and retention or deletion expectations
  • Monitor vendor changes and trigger re-evaluations when terms, subprocessors, or integrations are updated

This structure helps districts keep governance aligned with real-world usage over time.

Summary

Michigan districts should be prepared to:

  • Maintain transparent, well-documented data disclosure practices for student education records
  • Apply enforceable privacy and security controls through written agreements, structured vetting, or both
  • Confirm that edtech providers do not sell, advertise with, or profile students using school-collected data
  • Assess security protections and data deletion responsiveness for tools that store or process covered information

Michigan’s combined statutory and regulatory framework supports a durable, governance-centered approach to student data protection—allowing districts to demonstrate compliance through contracts, documented evaluations, or an integrated model that uses both across district operations and digital learning tools.