All About Florida’s Student Data Privacy Act (FS 1002.222)

Safeguarding Student Data in the Digital Age

All About Florida's Student Data Privacy Act (FS 1002.222) is essential for K-12 IT directors in Florida. This law establishes strict rules for collecting and protecting student information and outlines the rights of parents and students over their data.

Quick Overview: Key Points About FS 1002.222

• Prohibited Data: Schools cannot collect or retain information about a student's (or their parent's/sibling's) political affiliation, voting history, religious affiliation, or biometric data.
• Parental Rights: Parents and students receive annual notice of their rights, can access and challenge education records, and must consent before data is shared with third parties.
• Vendor Rules: The 2023 SOPIPA amendment bans ed-tech operators from targeted advertising, selling student data, or creating student profiles for non-educational purposes.
• Enforcement: Violations are treated as deceptive trade practices, with enforcement by the Florida Department of Legal Affairs.

The post-pandemic surge in educational technology, with educators using an average of 148 apps per year, makes student data protection more critical than ever.

The stakes are high. Education records contain sensitive data like Social Security numbers and health records. Non-compliance can lead to lost federal funding, legal action, and reputational damage.

Florida's law builds on federal laws like FERPA, adding prohibitions on biometric and political data collection in 2014. The 2023 SOPIPA amendment further addresses ed-tech privacy risks by restricting how app developers use student data.

For K-12 IT directors, understanding this law is about legal compliance, building trust with parents, and defending against cybersecurity threats targeting schools.

The Foundation of Florida's Student Privacy: What is FS 1002.222?

All About Florida's Student Data Privacy Act (FS 1002.222) acts as a guardrail for student information in Florida's K-12 schools, creating a legal framework that complements federal law to protect education records. Its primary purpose is to define how schools handle student data and the rights families have. While FERPA sets a baseline, Florida's law is more stringent.

The law's origins trace back to 2014, when the legislature responded to the growth of digital learning by adding protections against the collection of highly personal information. The law also empowers parents and students by requiring schools to provide an annual notice of their data privacy rights. This notice ensures families know they can access and challenge their records and understand consent requirements. For more on privacy principles, see our page on More info about Privacy.

Information Prohibited from Collection

The 2014 amendments established a hard line on data collection. Schools are legally prohibited from collecting, obtaining, or retaining information on a student's political affiliation, voting history, religious affiliation, and biometric information. This protection extends beyond the student to include their parent and sibling data, creating a comprehensive privacy shield for families.

Defining 'Biometric Information' Under the Act

Florida's law provides a clear definition of biometric information to address the rise of this technology. The statute defines it as data from the electronic measurement of physical or behavioral characteristics used for identification. This broad definition covers current and future technologies.

In practice, this includes fingerprints, hand scans, eye scans (retina and iris), and vocal patterns. The common thread is using technology for electronic identification based on unique physical traits.

A grandfather clause allowed districts using palm scanners before March 1, 2014, to continue through the 2014-2015 school year, giving them time to transition away from the newly prohibited technology.

Data Disclosure, Consent, and Directory Information Rules

All About Florida's Student Data Privacy Act (FS 1002.222) controls what student data schools can share. Education records are confidential and exempt from Florida's public records laws, giving them special protection. The default rule is that schools cannot release education records to third parties without written consent from the parent or student.

However, there are exceptions. In accordance with FERPA, schools can disclose records without consent under specific circumstances, such as for a lawfully issued subpoena, a court order, or as required by federal law. An important exception is for interagency agreements, allowing data sharing with entities like the Department of Juvenile Justice or law enforcement for student welfare and safety cases under strict controls. State auditing offices like the Auditor General can also access records for official duties, provided they adhere to FERPA. For more on the federal framework, see the Federal guidance on FERPA. Learn about secure data flow on our Data Processing page.

Designating 'Directory Information'

FS 1002.222 sets clear rules for designating "directory information," such as student names or grades. Governing boards must designate this information in accordance with FERPA during a public meeting, ensuring transparency. Florida's law also requires boards to assess student safety risks before designation, considering potential exposure to marketing campaigns, unwanted media attention, or criminal acts. This risk assessment goes beyond federal minimums, prioritizing student safety.

Parent and Student Rights to Access and Challenge Records

Florida law provides families with powerful, enforceable rights over education records. Parents and eligible students have the right to inspect and review education records, ensuring transparency. They also have the right to challenge content that is inaccurate, misleading, or violates privacy, and can request corrections.

If a school refuses to honor these rights, parents or students can seek an injunction in circuit court and may recover attorney fees. This provides a strong enforcement mechanism. These protections are central to student data privacy in Florida. The full legal text is available in the 2024 Florida Statutes Chapter 1002 Part II.

All About Florida's Student Data Privacy Act (FS 1002.222) in a National Context

Understanding All About Florida's Student Data Privacy Act (FS 1002.222) requires placing it in the national context. Federal laws like FERPA provide a foundation, while states like Florida add stronger, specific protections. This layered approach allows states to address unique challenges. FS 1002.222 and its SOPIPA amendment build upon federal law, adding stricter rules for biometric data, personal privacy, and ed-tech platforms.

How FS 1002.222 Compares to FERPA

The Family Educational Rights and Privacy Act (FERPA) is the federal baseline for student privacy, enacted in 1974. It defines "education records," grants parents rights to access and challenge them, and requires consent for sharing personally identifiable information (PII).

FS 1002.222 is built on FERPA, and Florida schools must comply with both to receive federal funding. However, Florida's law goes beyond FERPA's baseline by specifically prohibiting the collection of political affiliation, voting history, religious affiliation, and biometric information for students and their families.

Florida's SOPIPA amendment also imposes stricter vendor requirements than FERPA. It directly regulates ed-tech operators, banning targeted advertising, non-educational student profiling, and the sale of student data.

Enforcement also differs. While FERPA violations risk federal funding, FS 1002.222 allows parents to seek a court injunction against schools. SOPIPA violations are handled by the Department of Legal Affairs, not through private lawsuits. Florida strengthens parental rights with an annual notice requirement and explicit legal recourse, making them more actionable. Complying with Florida's stricter law generally ensures FERPA compliance.

Understanding FS 1002.222 and the Children's Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act (COPPA) regulates how online services collect personal information from children under 13. In contrast, FS 1002.222 and its SOPIPA amendment protect all K-12 students, from kindergarten through high school.

Many ed-tech tools used in Florida schools serve children under 13, creating a dual compliance challenge under both COPPA and SOPIPA. While COPPA requires parental consent for children under 13, SOPIPA goes further by banning targeted advertising to all K-12 students and prohibiting the sale of their data.

COPPA requires parental consent, clear privacy policies, and data security. SOPIPA adds requirements for data minimization and mandatory data deletion upon request from a school district. This layered approach means all Florida K-12 students are shielded from commercial misuse of their data. K-12 IT directors must ensure their vendors comply with both frameworks, asking specifically about COPPA and SOPIPA compliance when vetting new tools.

Major Updates and Enforcement: The Student Online Personal Information Protection Act (SOPIPA)

In 2023, Florida updated its privacy protections by adding the Student Online Personal Information Protection Act (SOPIPA) to FS 1002.222. SOPIPA addresses what happens to student data when it is used by educational apps and websites. With educators using an average of 148 apps per year, concerns grew about data being tracked or sold for commercial purposes.

Lawmakers responded by passing HB 699, creating SOPIPA, effective July 1, 2023. This comprehensive framework regulates how ed-tech operators handle student data. For K-12 IT directors, this increases regulation of vendor relationships, which helps protect students. A comprehensive Data Security and Privacy Plan is a crucial next step.

Key Provisions of Florida's SOPIPA

SOPIPA places strict limits on ed-tech operators handling data for K-12 school purposes in Florida. Key prohibitions and requirements include:

• No Targeted Advertising: Operators are banned from using student data for targeted advertising.
• No Commercial Profiling: Operators cannot engage in student profiling for non-educational purposes.
• No Selling Data: SOPIPA prohibits selling or renting student information, with narrow exceptions for legal requirements or contracted service providers.
• Data Minimization: Operators must collect only data that is reasonably necessary for the technology to function.
• Reasonable Security: Operators must implement and maintain reasonable security procedures appropriate for the sensitivity of the data.
• Data Deletion: Operators must comply with data deletion requirements, deleting data upon a school's request or within 90 days of a student leaving the district, unless a parent consents to retention.

Enforcement and Penalties for Violations

Enforcement of All About Florida's Student Data Privacy Act (FS 1002.222) depends on the violation. For violations by school officials, parents and students have direct legal recourse. They can file for an injunction in circuit court to enforce their rights to access or challenge records and may recover attorney fees.

For SOPIPA violations by ed-tech operators, enforcement falls under Florida's Deceptive and Unfair Trade Practices Act (FDUTPA). Crucially, there is no private cause of action under SOPIPA. Parents cannot sue operators directly. Enforcement authority rests exclusively with the Department of Legal Affairs. This centralized approach ensures consistent enforcement, with penalties under FDUTPA including civil penalties up to $10,000 per willful violation.

IT directors should document and report suspected SOPIPA violations to the Department of Legal Affairs. While parents cannot sue under SOPIPA, other legal avenues may exist. However, prevention through strong vendor management and security reviews is the best approach. To identify vulnerabilities, consider a free phishing audit.

Practical Implications for Florida's Education Community

The All About Florida's Student Data Privacy Act (FS 1002.222) has tangible effects on everyone in Florida's K-12 system, including IT directors, parents, and app developers. Compliance is about building trust with parents that their child's information is handled with care. For state-specific guidance, check out our Cybersecurity Insights for Florida Districts.

For Educational Institutions and Districts

For school administrators and IT leaders, FS 1002.222 and SOPIPA create key responsibilities:

• Policy Updates: Regularly review and update district policies to align with state and federal privacy laws.
• Annual Notifications: Provide a yearly notice to parents and students outlining their rights.
• Vendor Contract Management: Vet ed-tech vendors and ensure Purchasing Contracts include clauses requiring SOPIPA compliance.
• Responding to Parent Requests: Maintain an efficient process for handling parent requests to access, review, or challenge records.
• Data Deletion Protocols: Implement systems to delete student data per SOPIPA requirements.

A strong cybersecurity posture is foundational. Without staff trained to spot threats like phishing, policies are insufficient. Assess your district's risk with a free phishing audit.

For Parents and Students

Parents and students in Florida should know their rights under these protective laws:

• Know Your Rights: You have the right to access, review, and challenge education records.
• Review the Annual Notice: This document from the school outlines your specific rights.
• Challenge Incorrect Data: You have the right to request corrections for inaccurate or misleading information.
• Use Opt-Out Procedures: You can often opt out of sharing "directory information."
• Understand Consent: Read consent forms for ed-tech apps carefully, especially regarding data retention.

For Ed-Tech Website and App Operators

For ed-tech operators serving Florida K-12 schools, SOPIPA raises the bar for handling student data:

• Ensure SOPIPA Compliance: Review your practices to eliminate targeted advertising, non-school profiling, and the sale of student data. Your Terms of Service must reflect these legal requirements.
• Implement Security and Data Minimization: Collect only necessary data and protect it with appropriate security measures.
• Manage the Data Lifecycle: Have clear policies for data retention and deletion, and be prepared to delete data upon a district's request.
• Respond to Deletion Requests: Promptly and completely fulfill deletion requests from schools to maintain trust and legal compliance.

Frequently Asked Questions about Florida's Student Data Privacy Act

Navigating student privacy law can be complex. Here are answers to common questions about All About Florida's Student Data Privacy Act (FS 1002.222).

What specific data can Florida schools NOT collect under FS 1002.222?

Florida schools are explicitly prohibited from collecting or retaining information about a student's political affiliation, voting history, or religious affiliation. These prohibitions also apply to the student's parents and siblings. The law also bans the collection of biometric information like fingerprints, hand scans, eye scans (retina or iris), and vocal patterns.

What is SOPIPA and how does it relate to FS 1002.222?

The Student Online Personal Information Protection Act (SOPIPA) is a 2023 update to FS 1002.222 that regulates operators of K-12 websites and apps. SOPIPA adds teeth to student data privacy by banning ed-tech operators from using student data for targeted advertising, creating student profiles for non-educational purposes, or selling or renting student information. It also requires these operators to implement robust security measures and delete student data upon request.

Can parents sue a school or app developer for violating FS 1002.222?

It depends. For violations by a school official or institution, parents can sue in circuit court for an injunction to enforce their rights (e.g., to access records). If successful, they may recover attorney fees.

However, for SOPIPA violations by an app developer, there is no private cause of action. Enforcement is handled exclusively by the Florida Department of Legal Affairs, which treats violations as deceptive trade practices. This dual structure allows parents to hold schools directly accountable, while the state handles enforcement against commercial operators.

To better protect student data from unauthorized access, consider a complimentary phishing audit to identify security weak points.

Conclusion: Building a Secure Future for Florida's Students

Florida takes student privacy seriously, as shown by All About Florida's Student Data Privacy Act (FS 1002.222). The state has continuously strengthened protections, from the 2014 ban on collecting sensitive political and biometric data to the 2023 SOPIPA amendment. SOPIPA has significantly impacted ed-tech by restricting operators from using student data for targeted advertising, unauthorized profiling, or commercial sale.

Student data privacy is a shared responsibility. Schools must update policies and vet vendors. Parents must know and use their rights. Ed-tech operators must comply with SOPIPA's data minimization and security rules.

A strong cybersecurity posture is the foundation for compliance. Without staff trained to recognize threats like phishing, even the best policies can fail. Building a proactive security culture is where CyberNut specializes.

Is your district's staff truly prepared to be the first line of defense against cyber threats? Many IT directors are surprised by their team's vulnerability to phishing attacks. You can find out where you stand right now. Get a complimentary phishing audit to assess your risk and identify gaps in your security awareness. Get Your Free Phishing Audit.

CyberNut understands the demands on K-12 staff. Our low-touch, engaging, and gamified micro-trainings are designed for educational environments. We help schools build the resilience needed to comply with FS 1002.222 and protect the entire school community from real-world threats.

Building a secure future for Florida's students is about creating a safe learning environment. It requires a commitment from everyone to protect what matters most. For more on building a resilient security program, explore our Resources.