Oliver Page
Case study
November 10, 2025
Georgia’s Student Data Privacy, Accessibility, and Transparency Act (also known as Senate Bill 89 or SB 89) is the state's key law protecting student information. This act sets rules for how K-12 schools handle student data. Passed unanimously and signed into law in 2015, it aims to protect student privacy while allowing schools to use data for educational purposes.
Here's a quick look at what the Act covers:
This guide breaks down this important law for parents, educators, and school administrators. Understanding it is essential for keeping student data safe in our digital learning world.
Related content about All About Georgia's Student Data Privacy, Accessibility, and Transparency Act:
When Georgia lawmakers voted on Senate Bill 89, it passed unanimously. Both chambers of the Georgia General Assembly agreed that protecting student data was too important for politics. Governor Nathan Deal signed it into law on May 6, 2015, and by July 1, 2016, Georgia schools had a powerful new tool for keeping student information safe.
The Student Data Privacy, Accessibility, and Transparency Act—officially coded as O.C.G.A. §20-2-661 – 20-2-667—was considered the most comprehensive student data privacy law in the nation at the time, showing how seriously Georgia takes protecting its students.
At its heart, the Act recognizes that student data is incredibly valuable. Teachers use it to personalize learning, parents to stay informed, and schools to make good decisions. But in the wrong hands, that data could cause real harm.
The Act walks a careful line, allowing schools to use data for learning while requiring it to be protected, safeguarded, and kept private. It's about using data wisely while keeping it secure. The law also gives parents more control, including the right to see, review, and correct their child's records.
If you want to dive into the legal details, you can review the official bill text yourself.
The Act creates specific rules to make its goals a reality.
First, Georgia appointed a Chief Privacy Officer (CPO). The State School Superintendent must designate a senior employee at the Georgia Department of Education (GaDOE) to serve as the CPO, responsible for developing and maintaining the department's data privacy and security policy. This ensures privacy is a top-level focus.
The GaDOE must also create and maintain a comprehensive Data Inventory & Security Plan. This is a detailed map of all student data the state collects: what it is, where it goes, who can access it, and how it's protected. Part of this plan includes publishing a public data dictionary, a plain-language guide to every piece of data collected. This helps parents and educators understand what information schools are gathering.
The Act also regulates online operators—any company (excluding the state or schools) running a website, app, or online service for K-12 education. If they collect, store, or use student data, they must follow specific rules.
The most important rule is no targeted advertising. Companies cannot use student data for personalized ads, build profiles for non-educational purposes, or sell student data. This stops tech companies from treating students like products.
The Act also requires operators to implement strong data security measures. They must train staff on data security, have clear data breach response plans (including notification protocols), and have written policies for data retention and disposal. These are requirements, not suggestions.
If your school uses online tools and apps, understanding these operator requirements is crucial. Protecting against phishing attacks is also vital; consider a free phishing audit to find your school's vulnerabilities.
For years, getting information about a child's school records could be difficult. The Act changed that, making parents true partners by giving them real access to information.
The most basic right is the Right to Inspect & Review a child's education record. Parents can look at all information the school or local board of education keeps about their child.
Reflecting our digital age, parents also have the Right to Electronic Copies. They can request a digital version of their child's records, which schools must provide, typically within three business days. Exceptions are rare and apply only if the record isn't stored electronically or if conversion is "unduly burdensome."
If parents or eligible students (age 18+ or emancipated) find inaccurate information, the Right to Request Corrections allows them to ask the school to fix it. The school must correct demonstrated inaccuracies and confirm the correction within a reasonable time.
To enforce these rights, the Act established a clear Complaint Process. If parents believe their rights have been violated, they can file a formal complaint with their local school system. Each system must have a designated person to handle these issues, provide a written response, and offer an appeal process up to the local board of education. This process ensures accountability and gives parents recourse.
Understanding what information the Student Data Privacy, Accessibility, and Transparency Act protects is essential. The Act broadly defines 'student data' as any information about a K-12 student collected and maintained at the individual level—a digital footprint of their educational journey.
The range of protected Personally Identifiable Information (PII) is comprehensive. It includes obvious data like names, addresses, phone numbers, and email addresses, but it goes much deeper.
The Act also protects personal and indirect identifiers such as student ID numbers, biometric records, dates and places of birth, and a mother's maiden name. A child's academic records (grades, assessment results), attendance records, and socioeconomic information are also protected.
In our digital world, the Act recognizes that student data extends online. Search activity, photos, voice recordings, text messages, and digital documents are all considered protected information.
What Schools Can't Collect
The Act is even more protective in some areas, recognizing that some information is too personal for school records. It explicitly restricts schools from collecting data about a student's or family's political affiliation or religious beliefs. These personal aspects of family life remain private.
The Act also restricts the collection of economic data unless it's necessary for program eligibility, such as for free or reduced-price lunch programs.
What Schools Can't Report
Even when certain information is in a student's record, the Act limits what can be reported to outside parties. Juvenile delinquency records and criminal records cannot be freely shared. Additionally, specific medical and health data beyond what's needed for care or educational accommodations is restricted from reporting.
These protections ensure that a mistake or personal challenge doesn't unfairly follow a student. The Act recognizes that students deserve privacy and the opportunity to grow without every detail of their lives being documented and shared.
Understanding these protections helps parents know what information schools should and shouldn't be collecting about their children. It's about creating a learning environment where data serves education without compromising privacy or dignity.
Understanding Georgia’s Student Data Privacy, Accessibility, and Transparency Act is best done in the context of federal privacy laws. Federal laws like FERPA provide the foundation, while Georgia's Act adds stronger, state-specific protections. These laws work together to keep student data safe.
Let's start with the big one: FERPA. The Family Educational Rights and Privacy Act (FERPA) is a federal law from 1974. It's the granddaddy of student privacy laws across the entire U.S. FERPA gives parents (and eligible students) important rights, like looking at education records and asking for corrections.
Georgia’s Student Data Privacy, Accessibility, and Transparency Act (or SB 89) doesn't just copy FERPA; it builds on it, enhancing protections for Georgia students in key ways.
For instance, SB 89 gets specific by creating a Chief Privacy Officer (CPO) within the Georgia Department of Education to focus on student data privacy at the state level.
Also, SB 89 has very clear rules for online operators – the ed-tech companies in our classrooms. It goes further than FERPA by specifically banning targeted advertising using student data, creating student profiles for non-school reasons, and selling student data.
And because we live in a digital world, SB 89 ensures you can get digital copies of records. Plus, the requirement for GaDOE to have public Data Inventory and Security Plans adds a level of transparency that FERPA doesn't explicitly demand.
While FERPA sets the baseline, Georgia’s Student Data Privacy, Accessibility, and Transparency Act customizes and strengthens student data protections, especially regarding digital tools and third-party vendors. If you want to learn more about the federal baseline, check out our guide: All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.
Beyond FERPA, Georgia’s Student Data Privacy, Accessibility, and Transparency Act works with two other key federal laws: COPPA and PPRA, which are crucial for online activities and sensitive information.
First is COPPA (Children's Online Privacy Protection Act). This federal law protects the online privacy of kids under 13 by requiring parental permission before companies collect their personal information. Georgia's SB 89 supports COPPA by enforcing strict rules on online operators, like banning targeted ads. You can find more detailed guidance from the FTC on COPPA here: FTC's COPPA guidance.
Then there's PPRA (Protection of Pupil Rights Amendments). This federal law requires parental consent before students answer surveys on sensitive topics like political views, mental health, or religious beliefs. SB 89 strengthens PPRA's goals by stating that Georgia schools shouldn't collect information on political affiliation or religious beliefs in the first place. These ideas are echoed in other state laws, like those discussed in All About New York's Education Law 2-D: Student Data Privacy Explained.
All these laws, both federal and state, weave together to create a strong safety net for student privacy.
Here are some frequently asked questions about Georgia’s Student Data Privacy, Accessibility, and Transparency Act to clarify its key points.
The Georgia State Board of Education oversees the Act. While the law doesn't list specific fines for every violation, non-compliance can lead to serious consequences.
Parents can use the established complaint process to report suspected violations. If a violation is found, the State Board of Education can demand corrective actions.
Crucially, a violation of Georgia's SB 89 can also be a violation of FERPA, the federal student privacy law. FERPA violations can lead to the loss of federal funding, making compliance with these privacy laws essential.
The Act directly addresses the use of student data for commercial purposes. It includes an explicit prohibition against using student Personally Identifiable Information (PII) for targeted advertising or marketing.
This means online operators—ed-tech companies and app providers—are strictly forbidden from:
This ban ensures student data is used for education, not profit, relieving parents' concerns about their children being tracked by advertisers.
Georgia’s Student Data Privacy, Accessibility, and Transparency Act mandates that the GaDOE, local school systems, and their online operators implement strong data security plans. These plans act as a shield to protect student data and are built on three pillars: administrative, physical, and technical safeguards.
Administrative Safeguards are the rules and procedures. This includes having clear data privacy and security policies, mandatory annual privacy and security awareness training for staff, an incident response plan for data breaches, and clear data retention and disposal policies.
Physical Safeguards protect the physical hardware where data is stored, such as securing servers and controlling access to server rooms.
Technical Safeguards are the digital tools that protect data within computer systems. Key components include encryption (scrambling data), access controls (ensuring only authorized people see data), monitoring and audit trails (tracking access and activity), anti-malware software and firewalls, and regular vulnerability testing and remediation.
Georgia's Student Data Privacy, Accessibility, and Transparency Act represents a powerful commitment to protecting students in the digital age. It's a living framework recognizing that student data is precious and deserves the strongest protection.
The Act balances the needs of schools, parents, and students. It establishes clear rules, appoints a Chief Privacy Officer, mandates comprehensive data security plans, and gives parents unprecedented access to their child's records.
For everyone in Georgia schools—teachers, administrators, and technology vendors—compliance is about creating a trustworthy environment where students can learn without their personal information being exploited. It's about building trust with parents.
A strong culture of security starts with knowledge. When staff understand what student data is, why it matters, and how to protect it, schools become more secure. Cybersecurity training is essential, changing legal requirements into daily practices that keep students safe.
At CyberNut, we've designed our training specifically for K-12 schools. Our automated, gamified micro-trainings make learning about cybersecurity engaging and effective. We offer a low-touch, high-impact solution for your busy staff.
Your human firewall—your staff—is your first line of defense against data breaches. To see how strong that defense really is, consider a free phishing audit with us. We'll help you identify vulnerabilities and strengthen your team's ability to spot threats.
Compliance with Georgia's Student Data Privacy, Accessibility, and Transparency Act is an ongoing journey. Explore more cybersecurity insights on our resources page, and let's work together to keep Georgia's students safe, both in the classroom and online.
Oliver Page
Some more Insigths
Back
.png)
.png)
.png)
.png)
.png)
