K-12

N.C. gov. signs bill restricting how companies can use student data

Gov. Pat McCrory approved legislation that prevents vendors of online educational resources from using student data for targeted advertising and other purposes.

By Alex Koma

June 10, 2016

Following more than a year of work and a series of legislative overhauls, North Carolina Gov. Pat McCrory signed a bill into law to establish a series of restrictions on how companies can use student data.

McCrory put pen to paper on state Rep. Jason Saine’s “Student Online Protection Act” Wednesday, which will put in place regulations limiting how vendors of online education resources can use the personally identifiable information of students or their guardians that they collect.

Specifically, starting Oct. 1, the new law bars companies from using the data to design any “targeted advertising” methods for their websites, or from selling or renting the information to a third party. Additionally, companies would be barred from using any “persistent unique identifiers” in the data to “amass a profile about a student.”

The law applies to a variety of companies, as any “operator of an internet website, online service, online application or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes” is included under the legislation.

Additionally, the law lays out what types of student data are protected, including grades, criminal records and biometric data.

The companies in question would also be required to “implement and maintain reasonable security procedures” to protect student information from “unauthorized access, destruction, use, modification or disclosure.” Vendors would also have to delete any data they control within 45 days if a school asks them to do so.

However, the law is clear that companies can still use anonymized data to “improve educational products,” or even use personalized data to develop “recommendation engines” that suggest relevant content or services to students.

The law also contains a provision setting up a process for parents or school officials to report a violation of these strictures to the state’s attorney general, who could then pursue a civil case against a company.

But while the law as signed by McCrory is quite detailed, the version Saine introduced in April 2015 would have merely required the General Assembly’s Joint Legislative Education Oversight Committee to study issues involving electronic student data privacy and draft a report. Quickly, the bill was heavily amended, and it passed the House and Senate unanimously to make it to McCrory.

North Carolina isn’t the only state to enact student data privacy legislation. A report by the Data Quality Campaign, a group advocating for the responsible use of educational data, found that state lawmakers introduced 69 bills involving the “data activities of vendors” in 2015, and 13 enacted that legislation into law.

Contact the reporter who wrote this story at alex.koma@statescoop.com, or follow him on Twitter at @AlexKomaSNG.