At a time when over 8 in 10 Americans are concerned about how their data privacy is respected by companies, pressure has been mounting on lawmakers across the nation to regulate how personal information online is handled. 

But the Ohio Statehouse has failed to deliver comprehensive data privacy legislation. 

However, Ohio succeeded last fall in passing a bill to protect students’ educational records—Senate Bill 29.

The law, sponsored by State Senator Stephen Huffman, is in line with  most states in regulating both vendors and schools to insure student data privacy. 

“Everyone deserves the right to privacy, and students are no different,” Huffman said at the bill’s first senate hearing. “Our children need privacy to express themselves, and it should be left to parents, not tech companies, to monitor our children’s online presence.” 

Mandating new restrictions on the collection, storage and usage of student information with the stated goal of protecting student data privacy, Senate Bill 29 garnered strong bipartisan support and went into effect on Oct. 24 of last year. 

BHS, like all Ohio public schools, is required by the bill to inform students and their families of any use of student data by Aug. 1 every year, starting this year.

“Not later than the first day of August of each school year, each school district shall provide parents and students direct and timely notice… of any curriculum, testing or assessment technology provider contract affecting a student’s educational records,” the bill states.

In keeping with the legislation, Beachwood has begun to notify families of the district’s use of student data, according to Director of Educational Technology Jeremy Hunter.

“Each year, families receive detailed information about their data privacy rights and how student information is used,” Hunter wrote in an email.

Despite the close-to-unanimous support of elected officials, SB 29 has led to some unintentional friction. 

Take, for example, the bill’s requirement for a Data Privacy Agreement (DPA). 

“A contract between a technology provider and a school district shall ensure appropriate security safeguards for educational records,” the bill states.

The necessity for a DPA presented a challenge for Librarian Angela Maxwell and students who wanted to access the New York Times earlier this year.

“We couldn’t access the New York Times [as purchased through the BHS library] because it required students to make accounts and that violated the law because the New York Times does not consider itself a technology product, so it did not sign a DPA,” Maxwell said.

Most companies Beachwood works with, such as GoGuardian or Kahoot, comply with Senate Bill 29, and ultimately, the New York Times allowed access from the school without login.

Aside from a select few roadblocks that restricted access to educational resources, Maxwell found SB 29 did not cause many other problems.

“Most of the technologies we use protect students’ privacy anyway… and for the most part things have stayed the same,” Maxwell said.

Beachwood has been able to comply with the bill by updating privacy policies and vendor contracts to secure student data and ensure contractors also comply with the bill, according to Hunter.

“[Beachwood] reviewed data privacy policies and contracts with vendors to ensure compliance,” he wrote. “This included updating agreements to clarify how student information is collected, stored and used and making sure that all contractors understand and follow the new legal requirements.” 

Notably missing from the list of those who signed a DPA is Google, whose Google Classroom platform is used by more than 150 million students. Google’s core services like Gmail and Docs still comply with Senate Bill 29, but other services have not been certified to do so. 

Though teachers in some districts, such as Nelsonville-York school district to Athens City Schools feel that SB 29 makes it harder to use technology in the classroom without inadvertently violating the law, the ACLU of Ohio endorsed the bill for what it considers are still its strong points: clear rules on the acceptable (or unacceptable) collection of student data, school ownership of provider-collected data, limited use of personally identifiable information, transparency about data collection and access, mandatory breach-notification procedures and requirements for providers to delete or return data when contracts end.

Not only could the bill directly restrict access to educational resources like news websites, but more broadly, there is a fear held by some like Athens City Schools Associate Superintendent Chad Springer that Senate Bill 29 could potentially drive away businesses who fear violating the law.

“[Some companies], if they don’t change their contracts to follow Senate Bill 29, they’re not going to be able to provide service in Ohio,” Springer told public radio station WOUB. 

Huffman explained his motivation for sponsoring the bill.

 “Tech companies should not be able to use their access to school devices to capture our kids’ data, target them or sell their data to third parties,” he said. 

Still, Huffman, like many supporters of the bill, sees some ways that the legislation could be improved.

“One item in this law that does need to be revised is the process of providing family notice when schools or tech companies interact with a student’s school-issued device,” Huffman said.

Relatively minor amendments like the one Huffman suggested were addressed by House Bill 432 on March 10 this year. Among such amendments were the clarification of when parents must be notified about device access, the limiting of 72-hour notices to specific situations as well as exceptions to parental notification if it would create a safety risk. 

SB 29 builds on existent federal regulations like those of FERPA and COPPA which are already in place for the purpose of protecting student data.

Maxwell emphasized that Beachwood schools staff has always valued student data privacy. 

“The district was already a good steward of student privacy and information… ” she said. “We’ve always been aware of students’ privacy concerns and have only wanted access to tools that enrich our educational experience.” 

Hunter also emphasized the school district’s mindfulness of data protection. 

“There are always some risks when data is handled by third parties, such as the potential for data breaches or misuse,” he wrote. “That’s why we are very selective about the vendors we work with and require them to meet high security and privacy standards.” 

According to Hunter, the district has systems in place to keep student data securely protected.

“[Beachwood] uses secure digital systems with strong password protections and encryption,” he wrote. “Only authorized personnel have access to confidential records and [Beachwood] provides regular training to staff on data privacy best practices. Physical records are kept in locked cabinets, and [Beachwood] follows strict protocols for sharing or disposing of information.” 

Ohio-based law firm Ennis Britton characterized SB 29 as a key development in defining legal standards for school district contracts with technology providers.

“SB29 is Ohio’s first substantive step into setting legal expectations for contracts between school districts and technology providers,” the firm wrote in an article on their website.