Technology Laws
- New York Internet Security and Privacy Act
- New York Education Law § 2-d
- Part 121 of the Regulations of the Commissioner of Education
- Family Educational Rights and Privacy Act (FERPA)
- New York Parents Bill of Rights for Data Privacy and Security
- New York SHIELD Act
- Protection of Pupil Rights Amendment
- Children's Online Privacy Protection Act
- Children's Internet Protection Act
New York Internet Security and Privacy Act
New York State Technology Law Article 2 is also known as the Internet Security and Privacy Act. Enacted in 2011, it focuses on protecting the privacy of individuals' personal information collected by state agencies. Here's a breakdown of the key points in Article 2:
- Model Internet Privacy Policy: The law requires state agencies to develop and implement a model internet privacy policy. This policy outlines how state agencies will collect, use, and disclose personal information collected through their websites and online services.
- Collection and Disclosure of Personal Information: The Act restricts how state agencies can collect and disclose personal information. Generally, state agencies can only collect personal information that is necessary for a specific purpose and authorized by law. Additionally, they must obtain individuals' consent before disclosing personal information to third parties, with some exceptions.
- Access to Personal Information: Individuals have the right to access their personal information maintained by state agencies, with some limitations. They can also request corrections to inaccurate information.
- Exceptions: There are exceptions to the requirements of Article 2. For instance, some personal information may be exempt from disclosure if it relates to public safety, law enforcement, or certain government functions.
Here are some additional points to consider:
- Article 2 complements other data privacy laws in New York, such as the NY SHIELD Act, which focuses on data security requirements for businesses.
- The New York State Attorney General's Office is responsible for enforcing Article 2.
Here are some resources where you can learn more about Article 2 of the New York State Technology Law:
- New York Laws - STT - State Technology Law. Article 2 - Internet Security and Privacy Act: https://www.justia.com/privacy-policy/
- New York Office of the Attorney General - SHIELD Act: https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act
New York Education Law § 2-d
Enacted in early 2020, New York State's Education Law § 2-d, also known as Ed Law 2-d, focuses on protecting the privacy and security of student and school staff data (https://www.nysed.gov/data-privacy-security/education-law-section-2-d-definitions). Here are the key aspects of Ed Law 2-d:
- Protection from Unauthorized Release: The law prohibits the unauthorized release of personally identifiable information (PII) of students and staff. PII includes things like names, addresses, dates of birth, and disability status.
- Data Security Standards: Ed Law 2-d establishes data security and privacy standards that educational agencies (schools, school districts, boards of cooperative educational services) must follow to safeguard student and staff data.
- Third-Party Contractor Rules: The law has specific provisions for contracts with third-party vendors who handle student or staff data. These vendors must meet certain security requirements and are prohibited from selling or using the data for marketing purposes.
- Breach Notification: In the event of a data breach involving student or staff PII, the educational agency must notify those affected as quickly as possible.
- Enforcement: The New York State Education Department (NYSED) has the authority to impose penalties for violations of Ed Law 2-d. These penalties can include fines, mandatory training, and restrictions on accessing student data.
Here are some additional points to consider:
- Ed Law 2-d supplements the "Parent's Bill of Rights" for Data Privacy and Security, which gives parents certain rights regarding their children's educational data.
- The NYS Education Department website has a section dedicated to Ed Law 2-d, which includes resources and information for schools and districts: https://www.nysed.gov/data-privacy-security/education-law-section-2-d-definitions
Part 121 of the Regulations of the Commissioner of Education
Part 121 of the Regulations of the Commissioner of Education in New York, also known as 8 NYCRR Part 121, focuses on strengthening data privacy and security for student and teacher data within educational agencies. It was implemented in January 2020 to enforce Education Law § 2-d.
Here's a breakdown of the key aspects of 8 NYCRR Part 121:
- Data Minimization: Educational agencies are required to minimize the collection, processing, and transmission of personally identifiable information (PII) of students and staff. This means collecting only the data necessary for legitimate educational purposes.
- Data Security Standards: The law establishes data security and privacy standards that educational agencies must follow. These standards aim to protect PII from unauthorized access, disclosure, use, or modification.
- Third-Party Contractor Rules: The law has specific provisions for contracts with vendors who handle student or staff data. These vendors must meet certain security requirements and are prohibited from selling or using the data for marketing purposes.
- Transparency and Restrictions: Educational agencies are prohibited from selling student PII and using or disclosing it for any marketing or commercial purposes.
- Bill of Rights for Data Privacy and Security: The law requires that every contract with a third-party contractor includes a Bill of Rights outlining students' and eligible students' (those over 18 or enrolled in postsecondary institutions) rights regarding their data.
- Data Breach Notification: In the event of a data breach involving student or staff PII, the educational agency must notify those affected as quickly as possible.
- Enforcement: The New York State Education Department (NYSED) has the authority to impose penalties for violations of 8 NYCRR Part 121. These penalties can include fines, mandatory training, and restrictions on accessing student data.
- 8 NYCRR Part 121 complements the federal Family Educational Rights and Privacy Act (FERPA), which also protects the privacy of student education records.
- The NYSED website has a section dedicated to 8 NYCRR Part 121, which includes resources and information for schools and districts: https://www.nysed.gov/data-privacy-security/education-law-section-2-d-definitions
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a comprehensive federal law that protects the privacy of student education records. It applies to all schools that receive funding from the U.S. Department of Education, which covers most public and private elementary, secondary, and postsecondary institutions. Here's a breakdown of FERPA's key regulations:
Student and Parental Rights
- Access to Education Records: Students (or eligible students, those over 18 or enrolled in postsecondary institutions) have the right to inspect and review their education records. Schools must provide a copy of the records upon request, unless it's impossible (e.g., due to great distance). (34 CFR § 99.10)
- Right to Amend Records: Students have the right to request that a school amend any part of their education record that they believe is inaccurate, misleading, or otherwise in violation of their privacy rights. The school must follow a specific process for handling such requests. (34 CFR § 99.40)
- Right to Privacy: Schools generally cannot disclose personally identifiable information (PII) from a student's education record without prior written consent from the parent (or the student if they are eligible). There are some exceptions to this rule, which we'll discuss below. (34 CFR § 99.31)
School Disclosure and Recordkeeping
- Directory Information: Schools may disclose certain "directory information" about students without consent, but they must first give parents a chance to opt out of such disclosures. Directory information typically includes things like a student's name, address, phone number, and participation in activities. (34 CFR § 99.31)
- Disclosures to School Officials: Schools can disclose student information to other school officials who have a legitimate educational interest in the student. This allows teachers, counselors, and administrators to collaborate and share necessary information for the student's education. (34 CFR § 99.31(a)(3))
- Disclosures to Other Parties: FERPA allows schools to disclose student information without consent under certain conditions, such as to comply with a court order or to certain parties like state education agencies or accrediting organizations, but only if the information is needed to fulfill their official duties. (34 CFR § 99.31)
- Recordkeeping Requirements: Schools must maintain a record of all requests for access to and disclosure of student education records. This helps maintain an audit trail of who has accessed a student's information. (34 CFR § 99.32)
Additional Considerations
- Transfer of Rights: When a student turns 18 or enrolls in a postsecondary institution, the rights under FERPA transfer from the parents to the student (who becomes the "eligible student"). (34 CFR § 99.5)
- FERPA doesn't apply to all student data: FERPA primarily focuses on education records, which are defined as records that are directly related to a student and maintained by the school. There may be other student data, such as information collected by websites or marketing tools, that isn't covered by FERPA but might be subject to other privacy laws.
Here are some resources where you can learn more about FERPA:
- Family Educational Rights and Privacy Act (FERPA): https://www2.ed.gov/ferpa
- Protecting Student Privacy: https://www2.ed.gov/ferpa
- 34 CFR Part 99 -- Family Educational Rights and Privacy: https://www.ecfr.gov/current/title-34/subtitle-A/part-99?toc=1
New York Parents Bill of Rights for Data Privacy and Security
The New York Parents Bill of Rights for Data Privacy and Security isn't a separate law, but rather an outcome mandated by Education Law § 2-d. This law, enacted in early 2020, focuses on protecting the privacy and security of student and school staff data (https://www.nysed.gov/data-privacy-security/education-law-section-2-d-definitions).
Here's how the Parents' Bill of Rights works:
- Requirement: Every educational agency (schools, districts, boards of cooperative educational services) must develop a Parents' Bill of Rights for Data Privacy and Security. This Bill of Rights should be published on the school or district website in a clear and understandable way.
- Purpose: The Bill of Rights informs parents (and legal guardians) about their rights regarding their children's student data under Ed Law § 2-d. This empowers parents to understand how their children's data is collected, used, protected, and disclosed.
Key points typically covered in the Parents' Bill of Rights
- Data Minimization: Schools should collect only the student data necessary for legitimate educational purposes.
- Data Security Measures: The Bill of Rights should explain the security measures in place to protect student data from unauthorized access or misuse.
- Third-Party Sharing: It should outline how and when student data might be shared with third-party vendors, and how such vendors are required to comply with data privacy and security standards.
- Parental Rights: The Bill of Rights should explain parents' rights to access and review their child's education records, as well as their right to request amendments if they believe the information is inaccurate or misleading. (These rights are also established by FERPA, the Family Educational Rights and Privacy Act.)
- Data Breach Notification: The Bill of Rights should outline the process for notifying parents in case of a data breach involving their child's information.
Additional Resources
- While there isn't a single, standardized Parents' Bill of Rights across all schools in New York, you can find your school district's specific Bill of Rights on their website. Look for it under sections related to data privacy or student data.
- NYS Education Department's Ed Law § 2-d website: https://www.nysed.gov/data-privacy-security/education-law-section-2-d-definitions
New York SHIELD Act
The New York SHIELD Act, formally known as the Stop Hacks and Improve Electronic Data Security Act, is a law enacted in New York in 2019. Its primary focus is on strengthening data security measures and notification procedures for businesses that handle the private information of New York residents.
Here's a breakdown of the key points of the NY SHIELD Act:
- Stronger Data Security: Businesses must implement and maintain "reasonable safeguards" to protect the confidentiality, security, and integrity of private information. This translates to measures like access controls, data encryption, and employee training on data security practices.
- Broadened Private Information Definition: The SHIELD Act goes beyond just Social Security numbers. It now defines private information as any data point that can be used to identify someone, including names, email addresses, physical addresses, phone numbers, and even a combination of unique identifiers with a password or security question.
- Expanded Breach Notification: A key change is the stricter notification requirement. Businesses must notify affected individuals anytime there is unauthorized access to their private information, even if the data wasn't misused. This means a notification is necessary even in cases of attempted breaches.
- Focus on Reasonable Security: The SHIELD Act doesn't dictate specific security measures. Instead, it emphasizes "reasonable security" based on the nature of the business, the type of data collected, and the potential risks of a data breach.
- The SHIELD Act applies to any business that possesses or licenses the private information of New York residents, regardless of the business's location. So, even a company based in California that handles New York residents' data must comply.
- The New York State Attorney General's Office enforces the SHIELD Act and can impose fines for non-compliance.
- The SHIELD Act works alongside other data privacy laws, such as FERPA (protecting student data) and HIPAA (protecting healthcare data), that address specific sectors.
Here are some resources where you can learn more about the NY SHIELD Act:
- New York State Attorney General's SHIELD Act website: https://ag.ny.gov/resources/organizations/data-breach-reporting
- The Definitive Guide to the New York SHIELD Act | NTSC: https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act
Protection of Pupil Rights Amendment
The Protection of Pupil Rights Amendment (PPRA) is a federal law enacted in 1978 that protects the privacy of students in certain situations. It applies to all schools that receive funding from the U.S. Department of Education, which covers most public and private elementary, secondary, and postsecondary institutions.
Here's what the PPRA does:
- Protects students' privacy in certain areas related to surveys, testing, and treatment.
- Provides rights to parents regarding their children's education records in these protected areas.
The PPRA applies to the following eight areas of student information:
- Political affiliations or beliefs of the student or the student's parent or guardian.
- Mental or psychological problems of the student or the student's family.
- Sex behavior or attitudes.
- Illegal, anti-social, self-incriminating, or demeaning behavior.
- Critical appraisals of other individuals with whom respondents have close family relationships.
- Religious practices, affiliations, or beliefs.
- Any legally recognized protected characteristic (e.g., race, ethnicity, disability).
- Income (unless required by law to determine eligibility for a program).
Here are some key things to remember about the PPRA:
- Schools cannot require students to participate in surveys or testing that cover these protected areas without prior written consent from the parent (or the student if they are 18 or emancipated).
- Schools cannot share this information with third parties without parental consent, except for certain exceptions like disclosures allowed by FERPA (Family Educational Rights and Privacy Act) or to comply with a court order.
- The PPRA does not apply to all surveys or testing. For instance, it wouldn't apply to a simple math quiz or a survey about student preferences for cafeteria food.
Here are some resources where you can learn more about the PPRA:
- Protection of Pupil Rights Amendment (PPRA): https://studentprivacy.ed.gov/
- What is the Protection of Pupil Rights Amendment? http://studentprivacy.ed.gov/training/what-protection-pupil-rights-amendment
Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act (COPPA), also referred to as the Children's Online Privacy Protection Rule (COPPA Rule), is a federal law enforced by the Federal Trade Commission (FTC) that protects the privacy of children under 13 online.
Here's a breakdown of COPPA's key points:
- Protects children's data: COPPA applies to websites and online services that collect, use, or disclose personal information from children under 13. These websites must comply with specific requirements to safeguard children's privacy.
- Parental consent required: Websites must obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. This typically involves notifying parents about the information practices and giving them a way to refuse consent or access and delete their child's data.
- Limits on data collection: COPPA restricts the amount of personal information websites can collect from children. They can only collect what's reasonably necessary and must provide a clear privacy policy explaining their data practices.
- Security requirements: Websites must have reasonable security measures in place to protect the confidentiality, integrity, and security of children's personal information.
- Enforcement by FTC: The FTC enforces COPPA and can impose fines on websites that violate the rule.
Here are some additional points to consider:
- COPPA applies to websites and online services directed towards children under 13, but it can also apply to general websites if they knowingly collect data from children.
- The COPPA Rule outlines a specific process for obtaining verifiable parental consent, such as through email verification or a credit card confirmation.
- There are resources available from the FTC to help website operators understand and comply with COPPA.
Here are some resources for further reading:
- Children's Online Privacy Protection Rule ("COPPA") | Federal Trade Commission: https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions
- Children's Privacy | Federal Trade Commission: https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions
Children's Internet Protection Act
The Children's Internet Protection Act (CIPA) is a federal law passed in 2000 that aims to protect children from harmful content on the Internet in certain settings. Here's a breakdown of the key points:
- Applies to Schools and Libraries: CIPA primarily applies to public schools and libraries that receive certain federal funding for internet access or internal connections, such as through the E-rate program.
- Filtering Requirement: Schools and libraries subject to CIPA must use technology protection measures to filter or block access to obscene content, child pornography, and other material considered "harmful to minors" on computers accessed by children.
- Levels of Filtering: The filtering requirements can differ for adults and minors. Adults may be able to disable the filtering for certain purposes, while stricter filtering must be in place when minors are using the computers.
- Public Hearing Requirement: Schools and libraries must hold a public hearing to get community input before adopting an internet safety policy that includes these technology protection measures.
- Focus on Internet Safety: Overall, CIPA aims to create a safer online environment for children in schools and libraries that rely on E-rate funding.
Here are some additional things to consider:
- CIPA has been criticized for potentially blocking access to legitimate educational resources due to overzealous filtering.
- The effectiveness of filtering software is a matter of debate, as some argue it can be easily bypassed by tech-savvy users.
- CIPA complements other laws like COPPA (Children's Online Privacy Protection Act) that focus on online data privacy for children.
Here are some resources where you can learn more about CIPA:
- Children's Internet Protection Act (CIPA) - Federal Communications Commission: https://www.fcc.gov/consumers/guides/childrens-internet-protection-act
- What is Children's Internet Protection Act (CIPA)? - Infoblox: https://docs.infoblox.com/space/nios86/35988400/Enabling+%2F+Disabling+Comm