Noting concerns about student privacy, state lawmakers sent Senate Bill 325 to the House for consideration late last month to refine Maryland’s Student Data Privacy Act of 2015, which requires operators of ed-tech websites and applications to protect sensitive student information from unauthorized access and data breaches, as well as vendors to delete data upon request by local school officials.
The new bill comes three years after the state established its Student Data Privacy Council to assess the implementation of guidelines from the 2015 bill. The council’s resulting report, released last year, noted that much of the burden has so far been on schools to contract with vendors and ensure compliance, in the absence of other state accountability measures or monitoring.
According to language in the bill, SB 325 would require local districts to submit a list of digital tools approved for use by educators, and it would require the Maryland State Department of Education to keep and annually update an online database of K-12 ed-tech tools used in state schools. In addition, the law would define “covered information” protected by state law as data that can be linked to individual students for marketing and advertising purposes.
State Sen. Susan Lee, the primary sponsor of the Senate bill and Student Data Privacy Council member, said the legislation is “designed to tighten our state laws surrounding privacy of students whose local school systems contract with vendors to provide digital tools.”
“There are many priorities in the space of privacy, but none as important as those for children who lack the ability to consent to contracts, but whose every keystroke can be tracked for a lifelong record that is hard to expunge,” she said in an email to Government Technology. “Children deserve to be protected before they have the ability to consent that their data be shared and sold to third parties.”
Lee expects the bill to pass the state House of Delegates in the months ahead as K-12 policymakers on the local, state and national levels place more focus on student data privacy protections amid the efforts of schools to digitize instruction.
“[The] session ends the second week of April, so we will know definitely then the status of this law,” she said.
According to the council’s report, Maryland has modeled much of its K-12 data regulations on California’s Student Online Personal Information Protection Act (SOPIPA) — the first state law to address K-12 student data privacy concerns. Maryland is among 40 states with one or more K-12 data privacy laws, and among 20 states using SOPIPA as the basis for K-12 privacy legislation, including Arizona, Connecticut, Delaware, Maine, Michigan and Nebraska, among others.
