Delaware introduces student data privacy bill

States around the country have introduced bills to protect the data privacy of public school students. And Delaware is finally getting in on the act.

Senator Dave Sokola, D-Newark, authored a bill introduced Friday that would limit what private companies and contractors can do with student data and set up a governance structuer for the state’s management of student information.

Under the new law,  private operators could not sell student data or use student data for the purposes of direct marketing. Companies could still market directly to parents, but they could not use the data they collect from students to guide or target those efforts.

Delaware’s new bill comes amid a nationwide push to secure sensitive and potentially lucrative student data. As more and more states contract with education technology vendors to improve digital learning and data collection, legislators have introduced a spate of bills to outline what private firms can and can’t do with the digital breadcrumbs they collect.

In 2014 alone, 20 states passed 28 laws addressing student data privacy according to the nonprofit Data Quality Campaign. Delaware is the 45th state overall to introduce some sort of data privacy legislation, according to Paige Kowalski, the Data Quality Campaign’s vice president of policy and advocacy. But that’s not neccessarily a detriment, she said.

“I think it shows purposefulness and intentionality,” Kowalski said. “You get to learn from everybody else.”

The Data Quality Campaign does not lobby states, but did advise Sokola and the Department of Education during the bill’s formation.

Delaware’s bill also mirrors recently intoduced federal legislation. The congressional proposal, which has bi-partisan support, would also ban operators from selling student data or using that data for internal marketing purposes.

Crucially, Delaware’s bill would not apply to contracts signed before the law goes into effect.

In late March, the Delaware Department of Education signed a deal with the private firm Schoology to manage the state’s learning management system. That deal is expected to last until the end of the 2018 school year.

In addition to regulating outside vendors, Sokola’s bill also details the Department of Education’s role in ensuring data privacy and efficient data collection.

The law would require the department to create, maintain, and make public a “data inventory” that details every category of information that state collects on students. It would also require the department to “develop a detailed data security plan.” Included in that would be a plan for responding to data breaches.

The law also attempts to navigate the tricky legal waters around what constitues “targeted advertising.” It explicitly allows, for example, districts and schools to recommend other educational products to students so long as there is no reciprocal compensation for district employees and the products pertain exclusively to “K-12 school purposes.”

Some ed-tech softward can, for example, identify student weaknesses in real time and suggest other products or interventions that may help correct them. Many states are trying to craft laws that will preserve this benefit without allowing companies to commercialize student data or sell it on the secondary market.

“It’s incredibly tricky and why we really urge folks that policy is important, but language is critical,” Kowalski said.

Even if Delaware’s bill fails, it may not matter much. The pending federal legislation would cover much of the same material.

Kowalski also noted that in the border-blind world of ed tech, companies tend to create products that comply with the toughest state law. She said California’s data privacy bill is widely considered the strictest on the books.