What Ohio Schools Should Know About

Why Ohio Schools Must Act Now on Student Data Privacy

What Ohio Schools Should Know About the Ohio Student Privacy Act starts with this: Ohio Senate Bill 29 (SB 29) took effect on October 24, 2024, bringing sweeping changes to how schools handle student data. For K-12 IT directors in Ohio, understanding these new requirements is urgent, as compliance deadlines are already here.

Here's what you need to know right away:

• Effective Date: SB 29 became law on October 24, 2024
• Who It Affects: All Ohio public schools and their technology partners
• What Changed: New restrictions on monitoring school-issued devices, stricter rules for tech contracts, and mandatory parent notifications
• Key Deadlines: August 1, 2025 for annual parent notifications; 72 hours for breach or monitoring notices
• Bottom Line: Schools must retain sole ownership of student records, limit device monitoring, and ensure tech partners follow strict data protection rules.

The new rules create administrative burdens, but they are critical. Citizens cannot opt out of giving public institutions their most private information. When this data is exposed, as it was in the devastating Minneapolis Public Schools ransomware attack, it shatters trust and violates the law.

The human element remains your biggest vulnerability. With cyber-attacks on the public sector up 40% in Q2 2023 and social engineering causing 70-90% of breaches, staff awareness is as critical as your contracts.

Want to know if your district is vulnerable? Get a Phishing Audit to see where your staff stands before a real attack tests them.

What Ohio Schools Should Know About the Ohio Student Privacy Act word roundup:

• All About FERPA: The Federal Student Privacy Law That Still Matters in 2025
• All About New York’s Education Law § 2-d: Student Data Privacy, Explained
• What to Know About California’s SB 1177 (SOPIPA Expansion) and Its Impact on K–12 Schools

Understanding the Ohio Student Privacy Act (SB 29)

What Ohio Schools Should Know About the Ohio Student Privacy Act is that Senate Bill 29 is a fundamental shift in how Ohio protects student information. The law, effective October 24, 2024, has three core missions: improve student privacy, regulate technology partners, and ensure parents are informed about their children's data. SB 29 draws a protective circle around student data, with strict rules on access, use, and notification, specifically targeting tech contracts and device monitoring. For IT directors and administrators, this means student data privacy is no longer optional – it's law.

Who is regulated by SB 29?

SB 29 regulates Ohio public schools and their technology partners – any entity that contracts with a school to provide devices or handle educational records. This includes LMS vendors, device manufacturers, and software providers. These partners now have direct legal obligations. School administrators and staff are also covered, as the State Board of Education can take action against an educator's license for misusing confidential student information.

What constitutes an 'educational record' under the Ohio Student Privacy Act?

Understanding what constitutes an educational record is essential. Under SB 29, these are records containing information directly related to a student and maintained by the school, including grades, attendance, disciplinary actions, and health information. However, a teacher's sole-possession records, certain employee records, and specific medical records for students 18+ are excluded.

This differs from directory information – basic data like names, addresses, and sports participation. Educational records require explicit consent for disclosure, while directory information can be released after parents are given a chance to opt out. Importantly, Ohio law prohibits releasing directory information for profit-making activities. This distinction is crucial for data handling, contracts, and parent notifications. To learn more, see our guide on Sensitive Data Definition and Types.

Most breaches happen due to human error, not sophisticated hacks. Request a Phishing Audit to see how prepared your staff is.

New Obligations for Ohio School Districts

SB 29 mandates significant changes to technology contracts and device management.

What are the new requirements for technology partner contracts?

Your contracts with technology providers now require specific, non-negotiable protections.

• Sole Ownership: School districts must retain sole ownership of all student educational records. Providers are custodians, not owners, and cannot use student data for their own commercial purposes.
• Security Safeguards: Contracts must include "appropriate security safeguards," such as encryption and access controls, to protect educational records.
• Restricted Access: Provider employees may only access student records when necessary to fulfill their contractual duties.
• Data Destruction: Providers must destroy or return all educational records within 90 days of a contract's termination.
• Parental Inspection: Parents and students must have the opportunity to inspect contracts affecting their educational records.

These requirements mean most existing contracts will need review and renegotiation, a significant but necessary administrative lift.

What are the restrictions on monitoring school-issued devices?

SB 29 also draws clear lines around monitoring school-issued devices. Generally, schools are prohibited from electronically monitoring location-tracking features, audio/visual recording, or student interactions on these devices.

However, there are key exceptions:

• For noncommercial educational purposes, with advance notice to parents and students.
• With a judicial warrant or to locate a missing/stolen device.
• To comply with other laws, like the Children's Internet Protection Act (CIPA).
• When there is a reasonable belief of a threat to life or safety.

This creates a balance between privacy and safety. For help building a strategy, see our insights on creating a Data Security and Privacy Plan.

What are the notification requirements for parents and students?

Transparency is enforced through three notification requirements:

1. Annual Notice of Technology Contracts: By August 1, 2025, and annually thereafter, you must provide parents a list of all tech provider contracts affecting student records.
2. General Monitoring Notice: If your district monitors devices for permissible educational purposes, an annual notice must be issued to parents setting this expectation.
3. Trigger Notice for Specific Access: When you access a device under an exception (e.g., a safety threat), you must notify the parent within 72 hours, unless the notice itself would pose a threat.

These requirements demand robust systems to build and maintain trust with your community. Get a Phishing Audit to ensure your staff can protect this data from cyber threats.

What Ohio Schools Should Know About the Ohio Student Privacy Act: Vendor and Legal Context

SB 29 reshapes the relationship between schools and their technology partners, who now have direct legal obligations.

What are the obligations for technology partners?

When a vendor handles Ohio student data, they become a regulated guardian of that information.

• Data Breach Notification: Vendors must immediately notify the school district of any security incident involving student records.
• 90-Day Data Destruction: After a contract ends, providers must destroy or return all educational records within 90 days. This prevents data from lingering indefinitely on vendor servers.
• Prohibition on Commercial Use: Selling or sharing student data for commercial purposes, such as targeted advertising, is strictly prohibited. Vendors may only use anonymized, aggregate data to improve their services.
• Restricted Access: Vendor employees can only access records when necessary for their official duties.

Schools retain sole ownership of all educational records. Technology providers are processors, not owners.

How does SB 29 align with or differ from existing federal laws like FERPA?

You must comply with both SB 29 and the federal Family Educational Rights and Privacy Act (FERPA). Think of FERPA as the foundation and SB 29 as an additional, more modern layer of protection.

Here’s how SB 29 goes further than FERPA:

• Device Monitoring: FERPA is silent on school-issued devices. SB 29 explicitly restricts electronic monitoring and requires notifications.
• Vendor Obligations: SB 29 is more explicit than FERPA, defining specific duties for technology providers regarding breach reporting, data destruction, and commercial use.
• Notification Requirements: SB 29 adds new, time-bound notifications, such as the August 1, 2025 deadline for listing tech contracts and the 72-hour "trigger notices" for device access.
• Enforcement: SB 29 adds state-level enforcement from the Ohio Attorney General and the State Board of Education.

SB 29 supplements, not replaces, FERPA. When laws overlap, you should adhere to the one providing stronger privacy protection. While this dual compliance requires diligence, SB 29’s rules align with FERPA's core principles of transparency and parental rights, but with guardrails designed for the digital age. For a refresher, see our guide: All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.

A Practical Compliance Checklist for Ohio Schools

Implementing SB 29 requires a clear plan to manage the new administrative workload. While the official fiscal note described costs as "minimal," the investment of time and effort is significant. Districts face major projects in contract review, policy development, staff training, and building new notification systems.

What are the recommendations for school districts to ensure compliance with the Ohio Student Privacy Act?

Here is a practical roadmap to ensure compliance:

1. Engage Legal Counsel: Work with your district's lawyers to interpret the law, review contracts, and draft compliant policies.
2. Audit Technology Contracts: Create a comprehensive inventory of all technology providers handling student data. Review each contract against SB 29's requirements for data ownership, security, access restrictions, and data destruction. Prioritize renegotiating non-compliant agreements.
3. Build a Notification Workflow: Develop a system to generate and distribute the annual August 1st notice of technology contracts. Create a clear protocol for issuing 72-hour trigger notices when device access exceptions are used.
4. Update Internal Policies: Refresh your student data privacy policies to include SB 29's rules on device monitoring and data breach responses.
5. Train Your Staff: Conduct mandatory training for all staff on the new privacy rules, including what constitutes an educational record, when monitoring is allowed, and how notification procedures work.

Compliance training alone isn't enough. With cyber-attacks against the public sector on the rise, your staff is your first line of defense. Social engineering is the entry point for most successful breaches. Combining legal compliance with robust cybersecurity awareness turns your staff into a "human firewall." Our guide on Cybersecurity Training: Empowering K-12 Staff Against Cyber Threats explains how to use automated, gamified micro-trainings that make security awareness stick.

Find out where your vulnerabilities lie before an attacker does. Get a Phishing Audit to assess your staff's readiness.

Frequently Asked Questions about the Ohio Student Privacy Act

Here are answers to common questions about About the Ohio Student Privacy Act.

Can schools still use device monitoring software?

Yes, but with significant new restrictions. SB 29 limits monitoring to specific, legitimate reasons and requires transparency.

• Permissible Uses: Monitoring is allowed for noncommercial educational purposes (like instructional support or online proctoring) and for safety alerts.
• Notice is Key: These uses require advance notice to parents. If a device is accessed under an exception, a "trigger notice" must be sent within 72 hours.
• What's Prohibited: General, unrestricted tracking of student locations, audio/visual recording, or keystroke logging is forbidden without meeting a strict exception.The goal is to shift from broad surveillance to justified access with clear communication.

What happens if a school or technology partner doesn't comply with SB 29?

Non-compliance carries several risks:

• Educator License Implications: The State Board of Education can take action against an educator's license for misusing confidential student information.
• Legal and Administrative Burdens: Districts could face lawsuits, regulatory penalties, and immense administrative effort to remediate issues.
• Loss of Trust: A privacy breach can severely erode the trust parents and the community place in your schools.The risks are substantial, affecting the district's reputation, finances, and the professional standing of its educators.

Does SB 29 also cover school cellphone policies?

No, that is covered by separate legislation.

• SB 29's Focus: This law addresses data privacy on school-issued devices and contracts with technology providers.
• Related Legislation (HB 250): House Bill 250 requires Ohio public schools to adopt policies governing student cellphone use during school hours to manage personal devices and limit distractions.
• Deadline for Cellphone Policies: Cellphone use policies must be in place before July 1, 2025.While both laws impact student technology, they address different issues and require separate compliance efforts.

Conclusion: Strengthening Your School's Cybersecurity Posture

The Ohio Student Privacy Act (SB 29) marks a new era for protecting students' digital lives. The law makes it clear: safeguarding student data is a top priority, with defined responsibilities for schools and their tech partners.

Here's what really matters as you move forward:

• Proactive Compliance is Essential: With deadlines like August 1, 2025, for parent notifications, districts must act now to review contracts, update policies, and train staff.
• Student Data is Sacred: Educational records belong to students and their families. SB 29 prohibits technology providers from using this data for commercial purposes.
• Monitoring is Limited and Transparent: Broad surveillance is over. Device monitoring is now restricted to specific, justified purposes with mandatory parent notifications.
• Transparency Builds Trust: The law's notification requirements are designed to keep parents informed, which is vital for maintaining public confidence.

But here's something we can't overlook: all the legal compliance in the world won't protect your district if your staff clicks on a phishing email. Social engineering remains the top threat, making your staff the front line of defense. Your people are your human firewall, and their awareness is just as critical as any policy or contract.

CyberNut's cybersecurity training is built for K-12 schools. We transform staff from potential targets into vigilant defenders through automated, gamified micro-trainings that make phishing awareness engaging and effective.

Ready to strengthen your school's defenses? Take the first step by requesting a Phishing Audit for your district. We'll help you identify vulnerabilities before they become breaches.

SB 29 compliance is one piece of the puzzle. To build a truly resilient security posture, explore more cybersecurity resources for schools. By combining legal compliance with cybersecurity vigilance, you can create a safer educational environment for every student in Ohio.