Skip to main content
North Carolina

North Carolina Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

North Carolina restricts how edtech operators may use student data and requires reasonable security and deletion practices.

North Carolina Student Online Privacy Protection Guide

Primary Law
Student online privacy protection

Citation
North Carolina General Statutes 115C-401.2

Official Text
https://www.ncleg.net/enactedlegislation/statutes/html/bysection/chapter_115c/gs_115c-401.2.html
https://www.ncleg.gov/EnactedLegislation/Statutes/PDF/BySection/Chapter_115C/GS_115C-401.2.pdf

Overview

North Carolina has a dedicated K-12 student data privacy statute focused on online services used for school purposes. G.S. 115C-401.2 establishes clear limitations on how operators of websites, online services, and applications may collect, use, and disclose covered student information when their products are designed and marketed for K-12 school purposes.

The law is structured around two practical goals: limiting commercial misuse of student information (such as targeted advertising, selling data, and non-educational profiling) and requiring baseline security and deletion practices so student data does not linger indefinitely in vendor systems.

Applicability and Scope

G.S. 115C-401.2 applies to an operator of an Internet website, online service, online application, or mobile application with actual knowledge that the product is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

Student data generally includes covered information that is personally identifiable and is created, provided, or gathered in connection with K-12 school purposes, including student identifiers and other information that can identify or be linked to a student.

District teams should treat the law as in-scope when a tool:

  • Is used by students or staff for instruction, assessment, collaboration, or school operations
  • Creates student accounts or collects identifiers and usage data
  • Stores student work products, communications, or content created in the service

Prohibitions for Operators

North Carolina places direct restrictions on how operators may use student data obtained through school use.

In general, operators are prohibited from:

  • Using student information for targeted advertising based on information obtained through K-12 school use
  • Amassing profiles of students for purposes other than K-12 school purposes
  • Selling or renting student covered information
  • Disclosing covered information except in limited, permitted circumstances

These requirements are vendor-facing and are designed to reduce risk even when tools are widely adopted across classrooms.

Security and Deletion Requirements

North Carolina requires operators to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information.

The law also includes a deletion expectation: operators must delete a student's covered information within a defined timeframe when a school or local board requests deletion or notifies the operator that services are complete, subject to certain consent-based exceptions.

District review commonly considers:

  • What security controls are in place to protect covered information
  • Whether data deletion and account removal are available and operationally realistic
  • How the vendor handles retention, backups, and downstream service providers

Permitted Uses and Disclosures

While the law restricts disclosure, it also allows certain uses and disclosures, such as disclosures needed to provide the K-12 service, support legal compliance, protect safety and security, or use subcontractors under contractual controls.

Districts should ensure vendor terms clearly describe:

  • When data may be shared and with whom
  • How subcontractors are restricted from secondary use or redisclosure
  • What controls exist for incident response and data lifecycle management

How North Carolina Districts Commonly Implement Compliance

North Carolina districts commonly implement compliance through a repeatable edtech approval process that documents what data a tool uses and whether the operator limits use to school purposes.

A scalable approach often includes:

  • Maintaining an inventory of tools and services used with students
  • Standardizing privacy review questions aligned to G.S. 115C-401.2 prohibitions
  • Confirming security and deletion practices for tools that store covered information
  • Revisiting approvals when vendor policies, subprocessors, or features change

How Can EdPrivacy Help North Carolina Schools

North Carolina's framework requires districts to confirm that operators follow strict limits on advertising, sale, profiling, disclosure, and data retention. EdPrivacy helps North Carolina schools centralize vendor documentation and approval decisions so reviews are consistent and easy to audit.

The platform helps districts:

  • Maintain a searchable inventory of tools used across the district
  • Capture vendor privacy and security documentation in a consistent format
  • Record approval rationale tied to the statute's prohibitions and security expectations
  • Monitor vendor policy changes so reviews can be refreshed when risk changes

Summary

North Carolina districts should be prepared to:

  • Ensure operators do not use student data for targeted advertising, sale, or non-educational profiling
  • Confirm reasonable security practices for covered information
  • Document deletion and retention expectations for tools that store student data
  • Use a repeatable approval and monitoring process that scales across many tools

G.S. 115C-401.2 provides a clear operator-focused baseline for student online privacy in North Carolina schools.