Student Data Privacy Law in the State of Connecticut

Connecticut’s Act Concerning Student Data Privacy is a student data privacy law that was passed in the U.S. state of Connecticut in 2016. The Act Concerning Student Data Privacy was enacted for the purpose of amending previous student data privacy legislation within Connecticut, effectively providing students of the state with an enhanced level of data protection and privacy, particularly as it concerns the use of the internet. With this being said, Connecticut’s Act Concerning Student Data Privacy sets forth various obligations that online operators within the state must adhere to as it pertains to protecting the personal information of students.

How are online operators defined under the provisions of the law?

Under Connecticut’s Act Concerning Student Data Privacy, an online operator is defined as “any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, to the extent it is engaged in the operation of such Internet web site, online service or mobile application, and (B) collects, maintains or uses student information.” Alternatively, the law defines a consultant as “a professional who provides noninstructional services, including, but not limited to, administrative, planning, analysis, statistical or research services, to a local or regional board of education pursuant to a contract with such local or regional board of education.”

What are the duties of online operators under the law?

Under Connecticut’s Act Concerning Student Data Privacy, online operators and consultants that serve students within the state are prohibited from using the personal information of said students for the following purposes:

• Online operators and consultants are forbidden from using personal information obtained from students for the purposes of targeted advertising.
• Online operators and consultants are forbidden from collecting, storing, or using student information for any purpose other than the furtherance of school purposes.
• Online operators and consultants are forbidden from selling or renting student information, unless such transactions are in relation to the furtherance of school purposes.
• Online operators are forbidden from disclosing student information, subject to certain exceptions. Such exceptions include instances where the personal information of a student is disclosed for the purposes of complying with a state or federal law, or when the disclosure is needed to protect the safety and integrity of other users in regards to an online website, among others.
• In the event that a data breach occurs, online operators are required to provide notification to all affected parties without unreasonable delay, but no later than 60 days after the discovery of such an event.

Conversely, online operators are also responsible for developing, implementing, and maintaining “security procedures and practices that meet or exceed industry standards.” Moreover, these security procedures and practices must be specifically designed to protect student records, information, and content from unauthorized access, use, modification, disclosure, and destruction. Furthermore, online operations are also obligated to delete personal information concerning students within a reasonable amount of time, in the event that a student’s parent, guardian, or board of education member requests that such information be deleted. Additionally, any contracts that online operators forge with educational institutions within Connecticut must take into account the provisions set forth in the law.

What categories of personal data are protected under the law?

Under Connecticut’s Act Concerning Student Data Privacy, the categories of personal information that are protected under the law include but are not limited to:

• Student records.
• Test results, grades, and evaluations.
• Medical and health records.
• First and last names.
• Email addresses.
• Physical addresses.
• Social security numbers.
• Socioeconomic information.
• Biometric identifiers.
• Text messages.
• Photographs and voice recordings.
• Survey responses and behavioral assessments.

What’s more, Connecticut’s Act Concerning Student Data Privacy also contains provisions that call for the establishment of a task force for the purposes of researching issues related to student data privacy. In terms of duties, this task force is permitted to study a number of factors that influence online student privacy, some of which include the means and methods by which parents and guardians may request that personal information relating to students be deleted, reasonable penalties that can be imposed against online operators that around found to be in violation of the law, and strategies that other states around the country have utilized in order to protect student privacy, among other things.

As online privacy continues to be an issue of concern around the world, many U.S. states have taken steps to protect the privacy of their respective residents, both in the form of comprehensive legislation and laws that pertain to specific businesses or industries. To this point, the provisions of Connecticut’s Act Concerning Student Data Privacy provide parents and guardians within the state with the means to ensure that the personal information of their children is protected when they disclose said information to online operators during the course of their educational pursuits. Through the provisions of the law, said parents and guardians can have the peace of mind that the privacy of their children is being protected as it relates to their educational experiences.