Regulations for Online Operators in New Hampshire

New Hampshire’s Student Online Personal Information Protection Act or SOPIPA, otherwise known as HB 520, is a student data privacy law that was initially passed in 2015. The law was amended 3 years later in 2018, for the purpose of providing additional protection and security as it relates to the personal information of K-12 students within the state of New Hampshire. With all this being said, the law establishes the guidelines that educators, online operators, and other related third parties are required to adhere to as it concerns protecting the personal information of students within the state from unauthorized access, use, modification, deletion, and dissemination. Furthermore, the law also sets forth the specific categories of personal data that are legally protected.

How is covered personal information defined under the law?

New Hampshire’s HB 520 defines covered personal information as “personally identifiable information or materials, in any media or format that meets any of the following criteria: (1) Is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K-12 school purposes (2) Is created or provided by an employee or agent of the K-12 school, school district local education agency, or county office of education, to an operator (3) Is gathered by an operator through the operation of a site, service, or application described in subparagraph (a) and is descriptive of a student or otherwise identifies a student.”

What are the requirements of online operators under the law?

Online operators have the following obligations and responsibilities under New Hampshire’s HB 520 as it relates to safeguarding the personal information and privacy of students that attend K-12 educational institutions within the state:

• Online operators are prohibited from using personal information for the purposes of engaging in targeted advertising within their website, application, or online service.
• Online operators are prohibited from using online identifiers or personal information for the purpose of amassing an online profile for a student.
• Online operators are prohibited from selling, leasing, renting, or otherwise making the personal information of a student publicly available online.
• Online operators are prohibited from disclosing the covered personal information of students, unless such disclosure is in relation to participation in judicial proceedings.
• Online operators are responsible for implementing security measures and procedures that are designed to protect the covered personal information of students. Moreover, these measures and procedures must be appropriate to the nature of the personal information that an online operator has obtained from students.

What personal data is protected under the law?

The data elements that are legally protected from unauthorized use, access, and disclosure under New Hampshire’s HB 520 include but are not limited to:

• Student educational records.
• Email addresses.
• Physical addresses.
• First and last names.
• Financial and insurance account numbers.
• Unique pupil identifers.
• Text messages.
• Documents.
• Special education data.
• Social security numbers.
• Medical and health records.
• Biometric information.
• Voice recordings.
• Political affiliations.
• Religious information.

Complying with New Hampshire’s HB 520

As online operators are charged with both providing educational services to students as well as ensuring that the personal data of said students is protected from misuse, striking the delicate balance between maintaining compliance while managing the duties of the job can prove to be a difficult task. In order to combat this issue, online operators within New Hampshire can look to automatic redaction software. Through the use of such software, online operators can prevent the personal data of their students from being hacked or stolen, as they can redact any information that is not pertinent to the educational goal or objective that is at hand at any given time. In this way, they can also ensure that they remain compliant with legislation such as HB 520.

As online internet access has completely changed the manner in which children around the world pursue their educational journeys, passing laws that would regulate the transfer and dissemination of the personal information of students was an all but inevitable reality. What’s more, as the U.S. has yet to enact a comprehensive data protection and privacy law at the federal level, state legislation such as New Hampshire’s HB 520 is the primary means by which the average American citizen can protect their personal information and privacy. As such, while HB 520 was amended in 2018, new legislation will likely be needed in future years to combat the ever-increasing threat of cybercrime.