The landscape of data privacy in the United States has undergone significant shifts in recent years, impacting universities and colleges. Professionals in the higher education field must now consider data privacy and security as integral aspects of their institutional digital footprint. U.S. institutions and higher education technology companies face the challenge of adapting to these changes.

Setting the Stage (GDPR and Similar Privacy Legislation)

This increase in pressure seems to have grown with the European Union’s General Data Protection Regulation (GDPR) and has been echoed in the legislative landscape of the United States and other countries as well.

In 2018, when GDPR went into effect, it elicited varied reactions within the higher education community. Conversations with IT professionals revealed differing viewpoints:

• One perspective was that the GDPR, being a European law, would not hold U.S. institutions accountable unless they had a physical presence in the EU.
• Another view pointed out the generality and lack of federal mandates in U.S. privacy laws, noting that, aside from FERPA and HIPAA, there was no significant legislative focus on privacy.
• Some believed that privacy laws in general were targeting large international tech companies, suggesting that universities, colleges, and higher education technology companies in the U.S. should focus primarily on FERPA and HIPAA.

As we traverse 2024, it’s clear that the higher education community needs to plan and implement changes to avoid legislative scrutiny. The U.S. Federal Agencies have begun strengthening existing federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA) & Children’s Online Privacy Protection Act (COPPA) and empowering the Federal Trade Commission (FTC) to address privacy concerns more robustly. This includes recognizing the impact of laws like the Gramm-Leach-Bliley Act (GLBA) on higher education institutions, which, while primarily seen as financial legislation, also significantly impacts privacy and data security.  As an example, updates to the Gramm-Leach-Bliley Act have led institutions to increase the use of single sign-on services and the use of multi-factor authentication processes.

This will only increase with the legislative pursuit to pass the American Data Privacy and Protection Act (ADPPA) in Congress.

While it could be argued that many U.S. students, parents, and consumers are more concerned about the ease of use of technology and internet resources than true data privacy, there does appear to be a growing trend of concern and response to security breaches and unethical uses of their private data. So, in addition to the legal compliance issues, there is a growing concern about negative impact on a college or university’s reputation.

The U.S. & Individual State’s Data Privacy Laws

While the GDPR directly affects institutions dealing with EU residents, its influence extends to the U.S., prompting a closer examination of domestic privacy laws. Higher education institutions must navigate a complex web of state-specific regulations, balancing compliance with diverse legal requirements.

American Data Privacy and Protection Act

While it has not been passed by the U.S. Legislature yet, the American Data Privacy and Protection Act (ADPPA) is a federal bill that aims to regulate how organizations use and keep consumer data. It is expected to pass at some point.

The ADPPA’s main principles include:

• Data minimization.
• Individual data ownership.
• Privacy right of action.

The ADPPA’s requirements include:

• Limiting the collection, processing, and transfer of personal data to what is necessary to provide a requested product or service.
• Providing consumers with foundational data privacy rights.
• Creating strong oversight mechanisms.
• Establishing meaningful enforcement.
• Requiring companies to evaluate certain artificial intelligence tools and submit those evaluations to the FTC.

The ADPPA would preempt existing state comprehensive privacy protection laws, except for certain categories of laws in California and Illinois.

Additional Legislative Acts

Another example for consideration is the Children’s Online Privacy Protection Act (COPPA). Some college athletic recruiters may start tracking and storing data about young athletes that could be covered by the COPPA regulations.

In 2023, several U.S. states enacted new privacy laws, reflecting a growing trend toward comprehensive data privacy legislation at the state level. These laws include the Indiana Consumer Data Protection Act (ICDPA), the Montana Consumer Data Privacy Act (MCDPA), the Oregon Consumer Privacy Act (OCPA), and the Tennessee Information Protection Act (TIPA), each coming into effect in different years, ranging from 2024 to 2026​​​​. Additionally, states like Virginia, Utah, and others have enacted or begun enforcing their data privacy laws​​​​. While many of these laws have exceptions for higher education, you should be aware of what may or may not impact your institution.

In 2024, the landscape is expected to continue evolving with more states introducing or considering privacy regulations. Notably, California has been actively working on broad protections related to the use of AI systems, with significant legislative progress made on bills like AB331, which aims to prevent algorithmic discrimination​​.

These state privacy laws typically include consumer rights such as:

• Right to know
• Right to access
• Data portability
• Right of deletion
• Data correction
• Various opt-out rights

They also impose obligations on businesses to:

• Adopt reasonable data security practices
• Provide transparent privacy notices
• Avoid unlawful discrimination
• Control relationships with third parties
• Obtain consent for processing sensitive data​​

Many of these laws exempt certain entities and data types, including information subject to the Health Insurance Portability and Accountability Act (HIPAA) and entities covered under the Gramm-Leach-Bliley Act (GLBA). Notably, higher education institutions are often exempted under these state laws, but they still need to be aware of these developments as they could have indirect effects or apply in specific contexts​​​​.

For institutions, especially those that are for-profit, it is crucial to stay informed about these developments. The increasing number of state-specific privacy laws could impact how they handle student data, particularly in terms of compliance requirements – and  especially the need for better utilization of the Fair Information Practice Principles (FIPPs),   privacy by design, and privacy engineering in their operations and services. Institutions must also consider the potential impact on their partnerships with vendors and technology providers, ensuring that these partners are compliant with the relevant state privacy laws. International laws and regulations are already starting to require these.

Challenges in Higher Education

Higher education institutions have been grappling with aligning their practices with FERPA, HIPAA, and GLBA, amidst evolving technological landscapes. The increasing reliance on digital platforms necessitates a more robust approach to data security.

• Compliance with Evolving Laws: Institutions must navigate a complex array of new and changing international, federal, and state-specific privacy laws, such as the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA), which create a challenging compliance landscape.
• Technological Adaptation: The increasing use of technology in higher education brings unique challenges in managing student data privacy, especially with tools like AI and machine learning.
• Balancing Privacy and Innovation: Institutions must find a balance between leveraging technological advancements for educational purposes and ensuring student data privacy.
• Variations in State Laws: The differences in privacy laws across states make it challenging for institutions, particularly those operating in multiple states or online, to maintain consistent privacy standards.
• Role of Privacy Officers: The importance of Chief Privacy Officers in higher education is emphasized, highlighting their role in navigating the complexities of data privacy and regulations.
• Data Security Threats: Increased cybersecurity threats, such as ransomware attacks, underscore the need for robust data protection measures in higher education.
• Emerging Technologies: The rise of new technologies like generative AI poses fresh challenges for data privacy and security in educational settings.

Technology Vendors’ Role

For technology vendors serving the higher education market, integrating Privacy by Design and Privacy Engineering becomes crucial. Vendors must ensure that their products not only comply with current regulations but also anticipate future privacy needs. However, as Ronald Reagan once said, “Trust but Verify.” The IT professionals inside higher education universities need to become familiar with all the U.S. federal and state laws being introduced. They need to start developing a strategy to require software and cloud computing vendor adherence to laws and regulations that are pertinent to their institution’s specific scenarios. This means taking time to identify their needs.

• Create a standard vendor due diligence checklist that can guide your procurement decision-making. Every item on the list will be applicable for every vendor decision but, the more you complete, the more thoroughly you can mitigate risk in the vendor selection process. Here is an example of a checklist.
• What international, federal, and state laws affect you? Remember that each scenario could be different based on whose data you’re tracking, but it could also be different based on where your vendor is located. In the world of online cloud services, where your data is stored can affect which laws and regulations are binding.
• Identify how you want cloud and software vendors to show evidence of compliance with the laws and regulations that apply to your specific institutional needs.
• Ensure that your vendor agreements clearly outline the shared responsibility matrix for their services, so you know what their responsibility is, as well as the institution’s.
• If data needs to be updated and/or deleted due to legal or compliance reasons, are there procedures in place to accomplish this promptly?
• When considering solutions being offered by technology vendors, you should consider the difference between SaaS or On-Premise solutions (particularly in terms of data ownership, control, and security responsibilities).
• Do your agreements clearly outline which party is the controller and who is the processor of the data? Remember that, while contracting a third-party vendor to assist with data and services can help mitigate potential risks and liabilities, it does not eliminate your responsibilities and liabilities.

Utilizing External Resources for Vendor Assessment

There are several considerations when a school, department, or manager decides to contract with vendors to assist with processing and storing data. (Let’s also acknowledge that most college employees are not ‘privacy’ or ‘legal’ experts in the fields of Software as a Service (SaaS), Cybersecurity, and Compliance.) With that in mind, I would recommend that higher education professionals take advantage of some of the resources that they have access to.

• The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a specialized questionnaire framework developed for higher education institutions to assess the risks associated with vendors. It was developed by members of the higher ed community under the EDUCAUSE This process ensures that vendors have robust information, data, and cybersecurity measures in place to safeguard sensitive institutional data and the Personally Identifiable Information (PII) of constituents. It is essential for colleges and universities to comprehend their risks. Many higher education software and service vendors have already completed and submitted HECVAT questionnaires to the community or keep a copy handy that can be tailored for individual requests.
• NIST Cybersecurity Framework – Assessment & Auditing Resources – Academia discipline This resource page from national Institute of Standards and Technology (NIST) also contains some higher education specific resources, information, and case studies involving the University of Chicago & Baldridge Cybersecurity to give you food for thought on efforts to improve your institution’s privacy & security posture.

Best Practices for Data Privacy

To remain compliant, higher education institutions should adopt comprehensive data privacy strategies, including internal policy development and staff training. A proactive, rather than reactive, approach is key to maintaining privacy standards. Here are some best practices that higher education and IT professionals should consider applying to their roles.

• Transparency in Data Usage: Institutions must be transparent about how they collect, store, use, and protect student data. This transparency helps build trust and confidence among students and staff​​​​.
• Data Classification: Classifying sensitive data and where it is stored can immensely improve an institution’s ability to proactively protect and effectively respond to events or requests for information about confidential, sensitive, and PII information.
• Cybersecurity Measures: Adopting robust cybersecurity measures is essential. This includes securing cloud solutions, implementing effective cybersecurity policies, shifting towards a Zero Trust framework, and establishing strong security controls for sensitive data. It’s also important to vet SaaS vendors and cloud providers for cybersecurity commitment​​.
• Regular Security Assessments and Updates: Conducting regular security assessments, such as penetration testing, and keeping systems updated with the latest security patches are vital for identifying vulnerabilities and protecting against emerging threats​​.
• Data Encryption: Encrypting sensitive data, both at rest and in transit, adds an important layer of protection. Even if physical or network security is compromised, encrypted data remains secure and unreadable without proper access​​.
• Developing a Culture of Privacy: Building a culture of privacy within the institution involves engaging leadership and stakeholders, understanding compliance risks, and forming a coalition across different departments and functions. This culture should emphasize the importance of privacy and ensure all parties understand their roles in maintaining it​​.
• Creating and Implementing an Incident Response Plan: Having a well-defined incident response plan prepares the institution to effectively handle security incidents. This plan should cover roles, responsibilities, communication channels, containment measures, and steps for investigation and recovery​​.
• Data Governance Framework: Establishing a comprehensive data governance program is critical. This includes defining how data is collected, stored, used, accessed, categorized, and retained. It is also important to have processes for vendor management, ensuring that service providers protect data in compliance with applicable laws and regulations​​.

Looking Ahead

The future of data privacy in higher education will likely see more stringent regulations, with technology playing a central role in ensuring compliance. Institutions and vendors must stay ahead of these trends to safeguard student data effectively.

Looking at 2024 and beyond, several U.S. states have proposed and enacted privacy laws that could impact higher education, especially given their comprehensive nature. These laws vary significantly across states but share common themes in terms of consumer rights and business obligations.

For instance, states like Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia have all established, or are in the process of establishing, privacy laws with various thresholds for applicability, such as the number of consumers and revenue generated from the sale of personal data. These laws often include provisions for consumer rights, like knowing, accessing, and deleting their personal data, data portability, correction, non-discrimination, and opting out of the sale and targeted advertising/sharing​​.

California is focusing on AI systems with its two emerging approaches. The California Privacy Protection Agency is developing rules for automated decision-making technology, including individual opt-out rights in certain circumstances. Meanwhile, California’s AB 331 bill, which made substantial legislative progress in 2023, is aimed at preventing algorithmic discrimination and establishing a framework for AI governance. These developments in California might influence how other states consider AI systems and data privacy​​.

Furthermore, states like Massachusetts and Mississippi are proposing bills with key provisions that include privacy by design principles, requirements for processing sensitive data, consumer rights, and additional obligations for data brokers and entities using algorithms for consequential decisions. If passed, these proposed bills would add to the growing patchwork of state privacy laws in the U.S., potentially impacting colleges and universities in those states​​.

Higher education institutions need to be aware of these developments and prepare for the diverse privacy landscapes. The implementation of these laws will require institutions to review and update their data handling practices – particularly regarding student data – and ensure compliance with the varying state-specific requirements. Institutions should monitor these legislative developments closely and consider the potential impacts on their operations and data privacy strategies.

Conclusion

The evolving data privacy landscape presents both challenges and opportunities for higher education. By adopting proactive measures and embracing technology, institutions (and their vendors) can navigate these changes successfully, ensuring the privacy and security of student data.

Higher education professionals should be prepared to reflect on their roles and areas of influence and consider how they might be able to improve their knowledge, skills, and abilities. Consider a review of your institution’s privacy policy and privacy notice, along with initiating a conversation with your privacy and compliance leaders or legal team.

If you’d like to conduct additional research into data privacy in higher education, here is a list of Professional Associations and Advocacy Organizations that may be helpful.

Legal Disclaimer: The information provided in this article is for informational and conceptual purposes only and is not intended as legal advice. The author is not a lawyer, and this article does not constitute a substitute for legal advice from a licensed attorney. Readers are advised to consult a qualified attorney for advice regarding specific legal issues or concerns.