Connecticut Statute Creates Sweeping Changes in Student Data Privacy Regulations

When Connecticut’s Public Act No. 16-189, An Act Concerning Student Data Privacy, went into effect on October 1, 2016, it set forth minimum privacy and contractual standards for the creation and handling of student data by school districts and third-party vendors. The law is comprehensive and incorporates provisions that protect the privacy of student information, including:

  • Restricting how student information may be used by entities that contract to provide educational software and electronic storage of student records and by operators of websites, online services, or mobile applications (i.e., apps);
  • Clarifying that student data collected for school purposes is not owned by any of these third-party contractors;
  • Requiring local boards of education to notify parents when they execute a new contract with a software, data storage, or internet service provider;
  • Stipulating data security and privacy provisions that must figure in all contracts between local school districts and software, data storage, and internet service providers;
  • Requiring school districts to withhold the release of student directory information if the local or regional board of education determines that a request for such information is not related to school purposes.[1]

Notifications to Students and Families

The Act includes requirements for student and family notifications when:

  • New contracts are signed: within five business days, the local or regional board of education must provide electronic notices to students, parents, or legal guardians and post on its website the date the contract was executed, a brief description of the contract, and what student information or content may be collected as a result of the contract.
  • There is a breach of security: within 48 hours of a security breach, a board of education must notify students and families which student records or content was involved in the breach. The board of education must also post a notice of the breach on its website.[2]

Requirements for Contractors: Restrictions and Data Breaches

While the following requirements are not specified by the Act to be in the contract, it is recommended that a board include these provisions to ensure the contractor or site operator is notified of its legal obligations. 

  • Restrictions on use: All student content remains the property of the student or the student’s family. Contractors must implement and maintain security precautions and practices that “protect student information, student records, or student-generated content from unauthorized access, destruction, use, modification, or disclosure in a manner consistent with federal law and industry standards.” Contractors are also forbidden to use personally identifiable information (PII) for advertising.[3]
  • Data breaches: When a contractor discovers a security breach, they must notify the board of education “without reasonable delay” and no later than 30 days from the discovery of the breach. During those 30 days, contractors may conduct an investigation to determine the scope of the breach and restore the “integrity of the contractor’s data system.”[4]

State Resources for Compliance with Public Act No. 16-189

District leaders are encouraged to take advantage of tools listed on the Connecticut Educational Software Hub. This site allows contractors to register compliant products by digitally signing the Connecticut Student Data Privacy Pledge. The registration process encourages contractors to demonstrate compliance. When they do, they become visible to districts using the Hub to find compliant software.

One caveat is that simply signing the pledge or registering products on the Hub does not demonstrate contractor compliance by itself. The Act requires that boards of education and contractors execute agreements to achieve compliance with the state’s privacy laws.

The Hub includes a Model Terms of Service (TOS) agreement that can be used for this purpose or modified by districts and boards across the state.

How EdPrivacy Can Help

The reality is that the process described in the section above is little more than a pledge. That is why many Connecticut districts are using EdPrivacy to do the real work of monitoring and tracking compliance with state statutes. EdPrivacy vets the online resources for privacy, manages privacy policy changes, publicly posts required information on district websites, processes vendor improvement requests and manages other relationship maintenance responsibilities.

EdPrivacy utilizes machine learning-based artificial intelligence to create privacy quality scores for thousands of online technology resources commonly used in classrooms across the nation. The scores help educators and administrators quickly identify safe online technologies and easily determine which service providers respect and protect student data privacy. With EdPrivacy, school district leaders enjoy student data privacy peace of mind by better understanding which technologies are safe for student use.

For more information on what school and district administrators should know about federal student privacy laws, read EFI’s federal legislation page.


[1] Retrieved from
[2] Retrieved from
[3] Ibid.
[4] Ibid.