Skip to main content

NASBE Report: Seven Lessons for State Data Privacy Legislation

NASBE Report: Seven Lessons for State Data Privacy Legislation

In the past three years, policymakers in almost every state have considered laws to ensure the safety of student data, and the US Congress is considering seven bills on student data privacy. At the same time, the Every Student Succeeds (ESSA) Act requires that states adopt evidence-based interventions to improve school performance. The education research to inform these interventions depends on access to student data. In a new report released today, Policymaking on Education Data Privacy: Lessons Learned, NASBE Director of Education Data and Technology Amelia Vance outlines key lessons policymakers should contemplate before taking action.

  1. State boards shape data privacy policy significantly. Often because of their public, transparent nature, state boards are increasingly given authority over data privacy. State boards can and should embrace this responsibility to ensure purposeful collection and use of data.
  2. Stating the value of data is essential. If parents do not understand how data can help their children, they will not care how the state is protecting the privacy or security of that data. Policymakers must be proactive in explaining the value of student data to the public.
  3. More transparency = More trust. Building support for quality data use is not possible without transparency. States ought to go above what is required by most current laws to build trust between parents and schools on data privacy. State boards, for example, can ensure the accessibility of resources and information on data privacy.
  4. Early adopters can shape second generation laws. Most states that passed student data privacy laws in the last two years based their legislation on Oklahoma’s Student DATA Act or California’s Student Online Personal Information Protection Act (SOPIPA). These early adopters are models for other states, and states should pay close attention to any bills that raise new privacy issues, such as model legislation the ACLU introduced earlier this year.
  5. Clarify, revisit, and revise existing laws. Laws can and should be improved and enhanced. Policymakers should continue to examine and revise laws to ensure they adequately balance privacy and data use in education and ensure implementers fully understand policymakers’ intent.
  6. Student data privacy legislation can cause unintended harms. It is essential for all data privacy legislation to be vetted with a fine-toothed comb for vague or problematic language that may unnecessarily restrict the positive use of data. State boards are ideally placed to review bills before they pass.
  7. Training on data use and privacy is essential. Anyone who handles data should know how to protect those data. Although more than 300 bills have been introduced over the past two years on data privacy, few mention training. Policymakers must ensure that each state has training laws and policies and identify resources to make training feasible.

The report is available on NASBE's website at