Practical Strategy for School Compliance with Domestic and International Privacy Laws

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Brian B. Garrett
Director, Litigation Department and Chair, Education Law Practice Group
Published: McLane Middleton
December 14, 2023


Privacy is the newest frontier in cybersecurity. The European Union sparked the movement in 2018 with the adoption of the General Data Protection Regulation or GDPR. Many other countries have followed suit since then, some of the more prominent being the United Kingdom, Canada, Australia, and (more recently) China.

Though the United States Congress has remained silent, states are filling that void. California led the way in 2020 with the California Consumer Privacy Act. That wave then spread across the country. Twelve other states now have broad and generally applicable privacy laws: Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Oregon, Tennessee, Montana, Texas, Utah, and Virginia. Moreover, similar bills are currently pending in many other state legislatures.

Unlike previous security laws, which apply to a relatively small pool of personally identifiable information or PII (e.g., Social Security, governmental identification, and financial account numbers), privacy laws encompass an expansive scope of personal information. These laws govern any information that either identifies or is identifiable to an individual. Even just an individual’s name, email address, or physical address is personal information governed by privacy laws.

Additionally, privacy laws apply extra-territorially. Thus, under certain circumstances, a school in one state that educates students from other states and foreign countries will be subject to the privacy laws adopted in those other domestic and international localities. Indeed, many schools have recently become concerned that China’s privacy law, called the Personal Information Protection Law or PIPL, may apply to them extra-territorially.

Question: What are schools to do? Answer: Adopt a practical strategy for compliance with all of the privacy laws that apply or might apply now and in the foreseeable future.

The swirling currents of domestic and international privacy law can be confusing to chart. Therefore, section II of this article explains the jurisdictional reach of these statutes. However, instead of attempting to navigate that route, the wiser course for schools is to adopt a strategy that complies with domestic and international privacy laws. Accordingly, section III summarizes the content of those laws, and section IV outlines a compliance strategy for schools.
