The definitive guide to student data privacy laws, AI governance, and SDPC membership across every U.S. state. Find your state. Know your landscape. Close the gap.
51
States Tracked
36
SDPC Members
44
AI Governance
11
DPAs Available
Showing 51 of 51
State ▲
SDPC β
AI Gov. β
DPA β
Laws β
Key Notes
Alabama(AL)
β
Active
β
1
Mandatory compliance audits; specific AI vendor contract language prohibiting unauthorized training.
Alaska(AK)
β
Active
β
0
6-Step Policy Development Process; annual policy reviews; vendor vetting protocols; focus on cultural responsiveness and remote connectivity.
Arizona(AZ)
β
None
β
1
Parental consent for assessments; opt-out for directory info; operator prohibitions on targeted advertising.
Arkansas(AR)
β
Emerging
β
1
Public entities must create AI authorized use policies (H 1958); prohibits operators from profiling or selling covered info.
California(CA)
β
Active
β
6
Strict data minimization; mandatory deletion on request; vendors barred from non-educational data use; risk assessments for sensitive info; security procedures for covered info.
Colorado(CO)
β
Emerging
β
3
SBE must publish data inventory; CPA mandates privacy risk assessments; mandatory breach notification within 30 days; HB 21-1110 web accessibility.
Connecticut(CT)
β
Emerging
β
3
Written contracts for data sharing; mandatory breach notification; prohibitions on targeted advertising/profiling; state agency AI inventory required.
Delaware(DE)
β
None
β
1
Providers must implement security and delete data; prohibited from selling data or targeted advertising.
District of Columbia(DC)
β
None
β
1
Mandatory security in LEA contracts; prohibits social media password access.
Florida(FL)
β
None
β
1
Prohibits collection of biometric/political info; mandatory use of VAM (50% of evaluation); prohibits bargaining on teacher evaluations; prohibits use of SSN as ID; prohibits operators from selling student info.
Georgia(GA)
β
Emerging
β
1
Prohibits AI for high-stakes tasks; prohibits service providers from using data for commercial purposes.
Hawaii(HI)
β
Emerging
β
1
Centralized review process for software; unified helpdesk for tool requests; transition to National Data Privacy Agreement (NDPA).
Idaho(ID)
β
None
β
1
Create student data system; public privacy policies; develop security and destruction plans; prohibit biometric collection.
Illinois(IL)
β
Emerging
β
3
Student Online Personal Protection Act (SOPPA); data sharing agreements required for PII.
Indiana(IN)
β
Active
β
0
No data available
Iowa(IA)
β
None
β
1
Prohibits operators from targeted advertising, profiling, or selling student information.
Kansas(KS)
β
None
β
1
SOPPA; prohibits targeted advertising and biometric collection; mandatory breach notification; annual reports to governor.
Kentucky(KY)
β
Emerging
β
1
Mandatory breach notification; cloud services prohibited from commercial use of data; requires AI disclosure in public decision-making.
Louisiana(LA)
β
Emerging
β
1
Prohibits requesting social media logins; 10-day records request limit; $10,000 fine for violations; cyclical four-component policy approach.
Maine(ME)
β
Emerging
β
1
SEA acts as state agent for SDPC; provides cybersecurity guidance aligned with NIST/ISO.
Maryland(MD)
β
Active
β
3
Annual AI system inventories; impact assessments for AI systems; public availability of inventories; MLDS links data for 20 years.
Massachusetts(MA)
β
Emerging
β
1
Districts urged to establish AI disclosure expectations; minimize use of AI detection tools.
Michigan(MI)
β
Active
β
2
Evaluation systems must include growth data; performance is "majority factor" in RIF; seniority cannot be considered.
Minnesota(MN)
β
Emerging
β
1
No data available
Mississippi(MS)
β
Emerging
β
1
Privacy/governance built into SIS design; use of simplified National Data Privacy Agreement (NDPA).
Missouri(MO)
β
Emerging
β
1
No data available
Montana(MT)
β
Emerging
β
2
Mandatory compliance with state laws; biannual AI guideline review; government AI decisions must be human-reviewed (HB 178).
Nebraska(NE)
β
Emerging
β
1
No data available
Nevada(NV)
β
Active
β
1
Prohibits targeted advertising and selling student data.
New Hampshire(NH)
β
Active
β
1
Prohibits transfer of sensitive data to for-profit entities without consent.
New Jersey(NJ)
β
Emerging
β
2
SOPPA-NJ: prohibits ed-tech data sales/targeted ads; written contracts required; NJDPA: data protection assessments mandatory.
New Mexico(NM)
β
Emerging
β
0
Utilizes M.A.Z.E. framework (Monitor, Assess, Zero-in, Evaluate); requires disclosure of AI assistance in coursework.
New York(NY)
β
Active
β
1
Mandatory Data Privacy and Security Plans for vendors; Parents' Bill of Rights; ban on biometric ID tech; data minimization restricted to strictly necessary elements.
North Carolina(NC)
β
Active
β
0
No data available
North Dakota(ND)
β
Emerging
β
0
No data available
Ohio(OH)
β
Active
β
1
Annual notice for device monitoring; 72-hour notice for specific access; mandatory destruction of records within 90 days of contract end.
Oklahoma(OK)
β
Emerging
β
1
No data available
Oregon(OR)
β
Active
β
1
Prohibits targeted advertising; vendor data disposal within 60 days of termination; annual retirement audit for EdTech products.
Pennsylvania(PA)
β
Active
β
0
Interim Policy on Use of GenAI requires human review of outputs; personnel responsible for accuracy.
Rhode Island(RI)
β
Active
β
1
No data available
South Carolina(SC)
β
Emerging
β
1
Required district data governance plans; privacy impact assessments; data classification frameworks.
South Dakota(SD)
β
Emerging
β
1
No data available
Tennessee(TN)
β
Active
β
2
All districts must adopt AI policies; annual reporting from Directors to Board by June; opt-out for automated decision-making.
Texas(TX)
β
Emerging
β
3
Cybersecurity framework mandatory; breach reporting to agency; data minimization standards; informed consent for mental health software.
Utah(UT)MODEL
β
Active
β
4
Adopt Data Governance Plan; maintain Metadata Dictionary; annual info security awareness course; breach reporting within 10 days; annual Privacy Practices Benchmark; 45-day record access response.
Vermont(VT)
β
Active
β
0
No data available
Virginia(VA)
β
Active
β
2
Incident reporting within 24 hours; mandatory model data security plan; restrictions on facial recognition; parent right to download record copies.
Washington(WA)
β
Active
β
1
Regular review of LEA policies; vetting of AI tools for DPA verification and encryption; use of an AI Matrix (5-step scaffolding scale).
West Virginia(WV)
β
Emerging
β
1
Prohibits sale of student data; parental opt-out for sharing.
Wisconsin(WI)
β
Emerging
β
1
Vetting checklist for tools; yearly staff refresh on privacy; redaction of identifiers before AI uploads; restricted bargaining (2011 Budget Repair Bill).
Wyoming(WY)
β
Active
β
1
No data available
ποΈ
Utah: The Model State
Utah went from 8% to 92% data privacy compliance across 150+ LEAs over approximately four years. With 1,000+ vendor agreements, a dedicated state alliance, and comprehensive compliance frameworks, Utah is the proof of concept for every other state.
