Skip to main content
Ohio

Ohio Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Ohio prioritizes contracts for student records

Ohio Student Data Privacy and AI Governance Guide

Primary Laws
Student Data Privacy Act and Education Records Modernization Act

Citations
Ohio Revised Code §§ 3319.321, 3319.322, 3319.324, and 3301.24
Enacted through Senate Bill 29 and House Bill 96

Official Text
https://www.legislature.ohio.gov/legislation/135/sb29
https://codes.ohio.gov/ohio-revised-code/section-3301.24

Overview

Ohio’s student data privacy framework combines statutory limits on vendor data use with district-level responsibility for oversight, approval, and governance of educational technology. Senate Bill 29 establishes clear prohibitions on how vendors may use student data. House Bill 96 adds a separate but related requirement: districts must formally address the use of artificial intelligence tools through local policy and evaluation processes.

Together, these laws require Ohio school districts to actively manage which tools are approved, how student data is used, and how emerging technologies such as AI are evaluated and monitored.

Applicability and Scope

Ohio law applies when student data is collected, accessed, processed, or maintained through school-approved products or services, including digital platforms and AI-enabled tools.

Student data generally includes information that:

  • Identifies or can reasonably be linked to a specific student
  • Is created, collected, or maintained through instructional, assessment, or administrative activities
  • Is accessed or processed by a vendor acting on behalf of a school or district

Covered entities include traditional school districts, community schools, STEM schools, and vendors providing educational or operational services to those entities.

Senate Bill 29: Student Data Privacy Requirements

Senate Bill 29 imposes direct, statewide restrictions on how vendors may use student data obtained from Ohio schools.

Under SB 29, vendors are prohibited from:

  • Using student data for targeted advertising
  • Selling, licensing, or trading student data
  • Creating student profiles for purposes unrelated to education

These restrictions apply by statute, but districts remain responsible for determining which vendors are authorized to receive student data and ensuring access is limited to legitimate educational purposes.

SB 29 functions as a baseline: it limits vendor conduct, but it does not replace district oversight or approval processes.

House Bill 96 and Revised Code § 3301.24: Artificial Intelligence in Schools

House Bill 96 added Revised Code § 3301.24, which directly addresses the use of artificial intelligence in Ohio schools.

Under § 3301.24, Ohio school districts must:

  • Adopt a local policy governing the use of artificial intelligence
  • Establish a process for evaluating AI tools used by staff or students
  • Ensure AI use aligns with educational purposes and district policy

The statute does not approve or ban specific AI tools. Instead, it requires districts to maintain documented oversight of AI systems used in instructional or operational contexts.

This includes being able to show:

  • That AI tools are reviewed before use
  • Whether and how student data is involved
  • How AI tools align with district policy
  • That approval decisions are intentional and documented

Contracts, Oversight, and Documentation

Ohio law does not prescribe a specific contract format. However, when vendors:

  • Access or maintain student data on behalf of a district, or
  • Provide AI-enabled functionality subject to district policy

districts must be able to demonstrate control over data access, permitted use, and compliance with SB 29 restrictions and § 3301.24 requirements.

For this reason, Ohio districts commonly rely on written agreements to:

  • Define vendor roles and responsibilities
  • Limit data use to educational purposes
  • Prevent unauthorized reuse or disclosure
  • Support AI governance and approval decisions

Contracts function as the primary compliance mechanism for higher-risk systems and core instructional platforms.

Safeguarding and Security Expectations

Ohio law expects student data to be reasonably protected. Districts are responsible for ensuring that vendors implement safeguards appropriate to the sensitivity of the data involved.

District review commonly considers:

  • Administrative and technical security controls
  • Access limitations based on educational need
  • Controls on data retention and disclosure
  • Alignment between vendor practices and district policy

These expectations are typically documented through contracts, approval records, and internal review processes.

Permitted Uses of Student Data

Student data may be used only when the use is directly connected to school functions, including:

  • Instruction, assessment, and academic support
  • Operation and improvement of educational services
  • Compliance with state or federal law

Use outside these purposes may violate SB 29 and conflict with district AI policies adopted under § 3301.24.

How Ohio Districts Commonly Implement Compliance

Ohio districts typically operationalize compliance through a policy-driven and documentation-focused approach, which often includes:

  • Maintaining an approved vendor list
  • Requiring written agreements for vendors that access student data
  • Reviewing tools for privacy, security, and AI implications
  • Coordinating approval across technology, curriculum, and legal stakeholders
  • Reassessing approvals when vendor practices or features change

Lower-risk tools may sometimes be approved through limited review, but data-intensive and AI-enabled platforms generally require formal evaluation and documentation.

How EdPrivacy Can Help Ohio Schools

Ohio’s framework requires districts to manage student data privacy and AI oversight at the same time, with clear documentation and defensible approval decisions.

The latest version of the EdPrivacy solution helps Ohio districts:

  • Centralize vendor approval and oversight aligned to SB 29 requirements
  • Document evaluation and approval of AI tools under § 3301.24
  • Track which vendors access student data and under what authority
  • Maintain audit-ready records supporting district policies

In addition, EdPrivacy now includes:

  • AI Risk Reviews, which evaluate how AI-enabled tools handle data, transparency, and risk in the context of district policy
  • Accessibility Reviews, which assess vendor conformance with accessibility standards districts are increasingly expected to consider alongside privacy and AI use

Together, these capabilities support Ohio districts in meeting their legal obligations while maintaining clear, consistent oversight of educational technology across the organization.

Summary

Ohio school districts must:

  • Enforce SB 29 restrictions on vendor use of student data
  • Adopt and maintain an AI use policy under § 3301.24
  • Evaluate AI tools before approval
  • Limit student data use to authorized educational purposes
  • Maintain oversight and documentation for vendors that access student data or deploy AI

Ohio’s approach emphasizes district responsibility, documented decision-making, and ongoing oversight, particularly as AI becomes more prevalent in educational technology.