Alaska's breach notification framework drives incident readiness for student and staff systems and vendor-hosted platforms that store personal information.

Hawaii restricts edtech operators' use and disclosure of student covered information and requires reasonable security safeguards under HRS Section 302A-500.

New Hampshire requires student data privacy and security safeguards that districts implement through signed vendor agreements, controlled sharing, and incident response readiness.

Vermont student privacy expectations emphasize purpose limitation, security safeguards, and contract-based vendor oversight for tools that handle student data.

Massachusetts imposes strong data security requirements and breach readiness expectations that districts operationalize through signed vendor agreements and enforceable security controls.

Rhode Island regulates edtech operators' collection and use of student information and supports strong contract-driven safeguards and security expectations.

Connecticut's student data privacy rules emphasize contract-based vendor controls, security safeguards, and clear limits on use and sharing of student information.

Pennsylvania's breach notification law drives incident readiness for student data systems and vendor-hosted platforms that store personal information.

New Jersey restricts edtech operators' use/disclosure of student information and supports contract-driven safeguards, security controls, and deletion expectations.

Delaware's Student Data Privacy Protection Act requires reasonable security safeguards and restricts edtech operators' use and disclosure of student data.

Maryland student data privacy rules apply to vendors operating under contract with schools, and Maryland accessibility/nonvisual access requirements should be included in edtech procurement and contracts.

West Virginia requires strong governance of student data systems, detailed security planning, and vendor contracts with explicit privacy/security safeguards and penalties.

Virginia regulates school service providers operating under contract and requires an information security program plus contract-based limits on use/sharing of student personal information.

Utah requires strong contract-based controls for third-party contractors that receive personally identifiable student data under Utah Code 53E-9-309.

New Mexico requires reasonable security safeguards for personal identifying information and supports contract-based vendor controls and breach readiness for student PII in district systems.

Tennessee combines student data governance requirements with operator restrictions on targeted advertising, profiling, and sale for online services used in K-12 settings.

Kentucky restricts how cloud computing service providers may use personally identifiable student information under KRS 365.734.

Indiana districts commonly rely on federal FERPA requirements and strong local governance to control vendor access, disclosures, and security for student records.

Michigan combines education record transparency and vendor contract safeguards (MCL 380.1136) with operator limits on ads, profiling, sale, security, and deletion (MCL 388.1295).

Wisconsin's pupil records law defines record categories and governs access and disclosure of pupil records under Wis. Stat. 118.125.

Minnesota treats educational data as private by default and limits disclosures under Minn. Stat. 13.32, aligning closely with FERPA and requiring strong vendor governance.

South Dakota's student record privacy framework aligns with federal education record concepts and emphasizes controlled disclosure and vendor oversight.

North Dakota requires districts to maintain a student data protection policy with defined access, sharing rules, and vendor governance for student data.

Colorado requires transparency and security safeguards for student data and enforces vendor purpose limitation under the Student Data Transparency and Security Act.

Wyoming districts typically implement student data privacy through federal FERPA/COPPA requirements and strong local vendor governance, documentation, and security practices.

Montana limits targeted advertising, profiling, sale, and unauthorized disclosure by operators of K-12 online applications and requires security and deletion practices.

Arizona restricts edtech operators from targeted advertising, sale, and non-school profiling and requires reasonable security and deletion practices.

Nevada regulates school service providers' use of pupil data, limits targeted advertising, and emphasizes security planning and incident readiness.

Washington's SUPER Act limits targeted advertising and requires transparency, security, and deletion practices for K-12 school service providers.

Kansas requires structured data-sharing agreements and limits disclosure of student data under the Student Data Privacy Act (K.S.A. 72-6312 through 72-6320).

Missouri requires student data transparency, access controls, security planning, and vendor contract safeguards under RSMo Section 161.096.

Oklahoma's student data law emphasizes transparency, security safeguards, and accountability for student information systems and edtech data practices.

Arkansas combines operator restrictions with contract safeguards for student PII under SOPIPA and the Student Data Vendor Security Act.

Louisiana limits collection and disclosure of student information and emphasizes role-based access and governance under R.S. 17:3914.

North Carolina restricts how edtech operators may use student data and requires reasonable security and deletion practices.

South Carolina focuses on student data governance, controlled access, and disciplined disclosure aligned to SC Code 59-1-490.

Georgia regulates student data use by edtech operators and emphasizes district oversight, security, and parent access.

Alabama districts can use COPPA and FTC school guidance as a baseline for tools used by children under 13.

Mississippi districts can use COPPA and FTC school guidance as a baseline for tools used by children under 13.

Idaho sets statewide rules for how student data is defined, accessed, shared, and safeguarded across education systems and approved partners.

Ohio prioritizes contracts for student records

Florida regulates online student data practices

Texas student data privacy targets vendors rather than districts. The law restricts vendor use and disclosure of student data.

Regulates operators of websites/services used for K–12

Illinois Student Online Personal Protection Act

Districts must execute written data privacy agreements with any vendor that collects or stores student information.

Iowa student data privacy focuses on district responsibility

Nebraska’s student records law (79-2,104) limits disclosure and supports FERPA-aligned data sharing and governance.

Regulates operators of websites and services used for K–12

Oregon student data privacy focuses on vendors