Student Data Privacy Law in the State of Nebraska

Nebraska’s Student Online Personal Information Protection Act or SOPIPA for short is a student data protection and privacy law that was passed in the U.S. state of Nebraska in 2017. In contrast to many other U.S. states that had enacted some form of legislation governing the protection of the personal information of K-12 students prior to 2017, Nebraska’s SOPIPA was the first of such laws to be passed within the state. With this being said, the law outlines the requirements that online operators and associated third parties must follow using the personal information of students to assist said students in furthering their education.

How is an online operator defined under Nebraska’s SOPIPA?

Under Nebraska’s Student Online Personal Information Protection Act, an online operator is defined as “the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for elementary, middle, or high school purposes and was designed and marketed for elementary, middle, or high school purposes. This term does not include Internet websites, online services, online applications, or mobile applications operated by a post-secondary institution with a physical presence in Nebraska.”

What are the responsibilities of online operators under the law?

Under Nebraska’s Student Online Personal Information Protection Act, online operators that serve students within the state have the following obligations and responsibilities as it concerns protecting the personal information and privacy of said students:

• Online operators are prohibited from using personal information obtained from students within Nebraska for the purposes of engaging in targeted advertising.
• Online operators are prohibited from selling or renting personal information obtained from students within Nebraska, unless such transactions are for opportunities related to the furtherance of educational pursuits.
• Online operators are prohibited from disclosing personal information obtained from students in Nebraska, subject to certain exceptions. Such exceptions include instances where a student’s personal information needs to be disclosed in order to participate in the judicial process, or to fulfill an employment contract or purpose that has been requested by a student or their parent or guardian, among others.
• Online operators are responsible for developing, implementing, and maintaining reasonable security measures and procedures geared toward protecting the personal information of students.
• Online operators are responsible for deleting a student’s personal information within a reasonable period of time, should their parent, guardian, or school district make such a request.

What categories of personal information are protected under the law?

Under Nebraska’s Student Online Personal Information Protection Act, the following categories of personal information pertaining to students within the state are legally protected from unauthorized access, use, modification, disclosure, and destruction:

• Educational records.
• Email addresses.
• Physical addresses.
• First and last names.
• Disciplinary records.
• Juvenile dependency records.
• Grades and evaluations.
• Test results.
• Medical and health records.
• Social security numbers.
• Criminal records.
• Biometric and student identifiers.
• Political affiliations.
• Religious information.
• Geolocation information.
• Food purchases.
• Search activity.
• Photos and voice recordings.

What are the penalties for violating Nebraska’s SOPIPA?

In terms of the enforcement of the law, the provisions set forth in Nebraska’s Student Online Personal Information Protection Act are enforced by the Director of Nebraska’s Coordinating Commission for Postsecondary Education. To this point, while online operators and school districts that are found to be in violation of the law do not face criminal or civil penalties, pro-profit educational institutions within Nebraska that fail to comply with the law are subject to the loss of authorization to operate. What’s more, in instances where a for-profit educational institution within Nebraska is ordered to cease operations, the institution is also responsible for reimbursement of all fees and costs associated with said operations to all applicable parents, guardians, and employees.

Through the provisions of Nebraska’s Student Online Personal Information Protection Act, parents within the state can have the peace of mind that the personal information and privacy of their children is being protected at all times, particularly as it relates to online access and usage. Moreover, as it concerns for-profit schools and educational institutions within Nebraska, such institutions stand to face the termination of their authorization to operate should they fail to comply with any of the provisions of the law. As such, Nebraska’s Student Online Personal Information Protection Act stands are the foremost legal means that protects the personal information of students within the state.