Senate Bill 29 passed in June of 2024 and went into effect in October. The bill is formally titled “Regards education records and student data privacy.”
Ohio Sen. Steve Huffman (R-Tipp City) sponsored the bill, saying the motivation behind the bill is to make sure that student data is secure.
“It was about student privacy...they deserve privacy,” Huffman said. “Vendors for the schools were actually selling kids' information.”
The law changed who owns educational records. School districts now have ownership of all educational records instead of technology vendors. Educational records are any records involving a student, like grades, attendance, student email addresses and disciplinary records.
Huffman was concerned about students being targeted by data being sold, like student email addresses. The law makes it illegal to sell any student data.
There have also been amendments to the law since it has taken effect. These changes were added in December to clarify aspects of the law and make some necessary exceptions.
“Some of their legal teams did not know how to interpret the bill,” Huffman said about school districts' implementation of the law. “So in November we rectified some of those things and addressed those concerns.”
One such change is about notifying parents when a student’s device is accessed by the school. The original law mandated that parents must be notified within 72 hours if a student’s device is accessed either remotely or in-person. The law also outlined the circumstances when the policy would be enforced, such as when a device was stolen, a student was suspected to be looking at harmful material or to comply with a subpoena or federal law.
Columbus City Schools had initially adopted a policy of a blanket notification system, notifying parents every Monday, Wednesday and Friday.
Huffman said this interpretation was not the goal of the bill.
“If you notify a parent three times a week, they're going to block you and never listen to you and then not be able to look at the serious things,” he said.
The amendments clarify when parents should be notified. Also added to the law is an exception to parental notification. This would be when notifying a parent could put a student in danger, like in cases of child abuse.
The clarity was also added to a section that said if an educator sold student data, they would be in danger of losing their license. The amendment clarified that the sale of data would have to be intentional for loss of licensure to occur.
This law has been challenging for school districts across the state to implement.
Jennifer Furey, assistant director of instructional technology for the Olentangy Local School District, said that the district had already started measures to protect student data years before the bill was introduced.
“Senate Bill 29 came in and has shifted a little bit of what we do, but we really had a strong process leading up to it, so it's only truly just enhancing what we're already doing,“ Furey said.
It’s up to the schools to enforce and have a contract that covers Senate Bill 29. The law also mandates that a district must publish a list of all the vendors they’re working with before the school year starts.
For Olentangy Local Schools, the process of making sure the district is in compliance is started with teachers submitting which programs and vendors they would like to work with. The district then reviews the submissions, looking at what data a program collects, along with how the program can assist an educator.
“This has been challenging for districts across the state. It's definitely a change in mindset and a change in process,” said Sam Marshall, Olentangy’s IT security supervisor. “I think the overall goal of the legislation is positive. I feel like we do need to have that lens on our students' privacy and the data that we collect and how we manage that with our vendors.”
Most other states have some data protection, and student data is also protected nationally by the Family Educational Rights and Privacy Act (FERPA). However, FERPA does not explicitly protect all types of student data, like email addresses.
This law is the latest from the Ohio State Legislature on data privacy protections.