Oliver Page

Case study

October 14, 2025

What Iowa Schools Should Know About the Student Data Privacy Act

Why Iowa Schools Must Understand Student Data Privacy

The Iowa Student Data Privacy Act (Iowa Code § 279.71, also known as HF2354) is a state law enacted in 2018 that regulates how educational technology companies and online service providers handle K-12 student data. The law prohibits operators from using student information for targeted advertising, selling student data, or building profiles for commercial purposes, while requiring reasonable security measures and data deletion upon request.

Key Points About the Iowa Student Data Privacy Act:

As an IT director in an Iowa school district, you manage countless EdTech vendors handling sensitive student data. While the federal FERPA law has been a baseline since 1974, it wasn't designed for today's digital landscape. The Iowa Student Data Privacy Act fills these critical gaps by placing specific obligations directly on technology companies, not just your district.

This law is about protecting students from data exploitation and commercial targeting. Understanding its protections helps you vet vendors and strengthen contracts.

[Infographic: flow of student data from Iowa K-12 schools. Students use EdTech platforms; operators must comply with Iowa Code § 279.71 (security procedures, no targeted advertising, no selling data, no unauthorized profile building); districts oversee vendors through contracts and can request deletion; parents and students are protected from commercialization; the Iowa Attorney General enforces; FERPA provides baseline federal protection for education records.]

Iowa Student Data Privacy Act basics:

Unpacking the Iowa Student Data Privacy Act (HF2354)

[Image: Iowa State Capitol Building]

When the Iowa Student Data Privacy Act became law in 2018, it marked a turning point for how the state protects student information in the digital age. Known officially as House File 2354 (HF2354) and codified in Iowa Code § 279.71, this legislation recognized something important: federal law alone wasn't enough to address the explosion of educational technology in classrooms.

The heart of the law is straightforward. It places specific obligations on operators—companies that run online services, applications, and websites designed for K-12 school purposes. If you're working with an EdTech vendor that knows their product is being used primarily in Iowa schools, they're covered by this law.

This wasn't just about adding more regulations. It was about filling real gaps. While FERPA has protected student education records since 1974, it was written long before learning apps, cloud-based platforms, and digital assessments became everyday classroom tools. Iowa's law steps in to make sure technology companies themselves—not just schools—are held accountable for how they handle student data.

For a deeper dive into how this law works in practice, check out our comprehensive guide: More info about the Iowa Student Data Privacy Act.

Key Definitions in the Act

The Iowa Student Data Privacy Act gets specific about what it protects and who is responsible. Key definitions include:

The law also defines "parent" and "school employee" to ensure their data is protected when using school technology.

Scope of the Act: Who and What is Covered?

The Iowa Student Data Privacy Act protects all K-12 students in Iowa's public and private schools. If a student is enrolled anywhere from kindergarten through twelfth grade, their data is covered.

For EdTech companies, the law applies when they're providing digital tools, platforms, or services used in classrooms or for school administration. This includes learning management systems, assessment platforms, communication apps, online services, mobile applications, and websites—basically any digital tool that's designed for and used primarily in K-12 education.

Here's an important distinction though: the law includes an exemption for general audience sites. If a website or app is primarily designed for and marketed to everyone—not specifically to schools—it's not covered by Iowa's law, even if students can log in with school credentials. Think of sites like YouTube or Google Docs. While schools use them, they're built for a general audience, not specifically for K-12 education.

This exemption keeps the law focused where it matters most: on vendors who are specifically in the business of providing educational technology to schools. Those are the operators who need to understand and comply with Iowa's student data privacy requirements.

Core Provisions: What Operators Can and Cannot Do

[Image: data privacy lock over a computer screen]

At the heart of the Iowa Student Data Privacy Act is a straightforward principle: student data exists to support learning, not to generate profit. The law draws clear lines around what EdTech operators can and cannot do with the information they collect. Think of these provisions as guardrails that keep student data on the right path.

Understanding these rules matters whether you're evaluating a new learning platform or reviewing contracts with current vendors. The Act creates specific obligations that technology companies must follow, and knowing these requirements helps you hold vendors accountable. For a comprehensive look at how we approach data protection, explore our Data Security and Privacy Plan.

Prohibitions for EdTech Operators

The Act strictly prohibits the commercial exploitation of student data. Key prohibitions for operators include:

These prohibitions create a protective barrier, ensuring EdTech serves education first.

Permitted Uses and Disclosures

While the Act establishes firm boundaries, it's not designed to prevent the legitimate use of data that supports learning and safety. The law recognizes that some data sharing is necessary for education to function effectively in the digital age.

Data can certainly be used for school purposes—the very reason it was collected in the first place. When an operator needs to share information with another service to support learning, that's permitted, as long as the recipient agrees not to further disclose it. This allows your learning management system to communicate with your grade book software, for example.

Legal compliance sometimes requires disclosure. When a court order, subpoena, or federal regulation demands it, operators must be able to respond. Similarly, when safety is at stake—whether that's protecting a student in danger or securing the platform from a cyberattack—disclosure is permitted.

The Act supports legitimate research that can improve educational outcomes, provided the data is de-identified or not associated with individual students. This same principle applies to product improvement, allowing EdTech companies to improve their offerings without compromising individual privacy.

One of the most beneficial provisions allows customized student learning and adaptive learning technologies. These personalized approaches can significantly improve educational outcomes, and the Act explicitly permits using data for these purposes when they directly serve the student's educational needs.

When a student or parent specifically requests it, information can be shared for educational or employment purposes. This puts control in the hands of families when they need transcripts, recommendations, or other records.

Finally, operators can work with third-party contractors, but only when there's a written contract ensuring the same level of protection. This chain of responsibility means that subcontractors must uphold the same standards as the primary operator.

Data Security and Deletion Mandates

Protecting data isn't just about restricting its use—it's about securing it properly and giving schools control over its lifecycle. The Iowa Student Data Privacy Act sets clear expectations for both.

Operators must implement reasonable security procedures that align with current industry standards. This isn't a suggestion; it's a legal requirement. These security measures must be appropriate to the sensitivity of the information and designed to prevent unauthorized access, destruction, modification, or disclosure. In practical terms, this means robust cybersecurity practices are mandatory, not optional.

What "reasonable" means evolves as threats change and technology advances. A security approach that was adequate five years ago might not cut it today. This is why staying current with cybersecurity best practices is essential. For more insights on protecting your school's digital environment, check out our resources on Cybersecurity for Educational Institutions.

Perhaps one of the most powerful provisions in the Act is the data deletion mandate. Schools can request that operators delete a student's covered information, and operators must comply "as soon as reasonably practicable." This gives your district direct control over how long student data exists in vendor systems.

There's an exception if the student or parent consents to continued maintenance of the data, but the default position is clear: when a school says delete, vendors must delete. This is particularly important when a student leaves your district, when you discontinue a service, or when data is simply no longer needed.

When operators work with third-party subprocessors, they must ensure these partners are contractually bound to the same standards. The responsibility doesn't end when data moves to another vendor's servers. The entire chain of data handling must maintain the same level of protection.

Your role as a school district is crucial in this process. You're not just a passive recipient of vendor services—you're an active guardian of student data, with the authority to demand both security and deletion when appropriate.

Iowa's Law vs. Federal Law: FERPA

Any discussion of student data privacy has to start with the Family Educational Rights and Privacy Act (FERPA), the federal law that has protected student education records since 1974. While FERPA provides broad protections, the Iowa Student Data Privacy Act addresses the unique challenges of our digital age in ways that FERPA simply wasn't designed to handle. Let's explore how these two laws work together to protect Iowa students.

Understanding FERPA's Baseline Protections

FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is the federal law that has been protecting student education records since 1974. It applies to all educational institutions that receive funds under an applicable program of the U.S. Department of Education. Think of it as the foundation of student privacy protection in the United States.

Under FERPA, education records include nearly any record maintained by an educational institution that is directly related to a student. The law gives parents (or eligible students—those 18 or older, or enrolled in post-secondary education) the right to inspect and review the student's education records, request amendments to records they believe are inaccurate or misleading, and control the disclosure of personally identifiable information from these records.

FERPA also allows institutions to designate certain information as directory information, such as a student's name, address, major, or dates of attendance. This information can be disclosed without consent, provided parents or students are notified and given an opportunity to opt out.

One important thing to understand: FERPA transfers rights from parents to the student when the student turns 18 or attends a post-secondary institution. This ensures that as students mature, they gain control over their own educational data.

For a comprehensive understanding of this foundational federal law, visit More information about FERPA or read our detailed article, All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.

How the Iowa Student Data Privacy Act Complements FERPA

Here's where things get interesting. FERPA was enacted in 1974—long before smartphones, learning management systems, and educational apps were part of everyday classroom life. While FERPA remains crucial, it primarily regulates schools themselves, not the third-party vendors that now handle so much student data. That's the gap the Iowa Student Data Privacy Act was designed to fill.

The Iowa law complements FERPA by targeting operators directly. Instead of placing all the responsibility on schools, Iowa's Act imposes requirements and prohibitions directly on the EdTech companies themselves. This means vendors can't hide behind their school district contracts—they have legal obligations of their own to uphold.

The Act also has a digital data focus that FERPA lacks. It's specifically designed for the modern technological landscape, addressing concerns like data collected through online services, mobile apps, and websites. It speaks the language of today's digital classroom.

Perhaps most importantly, the Iowa Student Data Privacy Act fills regulatory gaps that FERPA doesn't fully address. It explicitly prohibits activities like targeted advertising based on student data, selling student information, and amassing student profiles for commercial purposes. These are exactly the kinds of privacy violations that concern parents and educators in 2025, but they weren't even imaginable when FERPA was written.

The Act also mandates specific vendor requirements, including contractual obligations for data security standards and the handling of data deletion requests. This provides a stronger legal framework for school-vendor relationships than FERPA alone could offer.

Finally, the Iowa Student Data Privacy Act provides state-level enforcement mechanisms. While the Act itself doesn't detail specific penalties, having a state law creates another layer of protection and potential recourse beyond federal oversight. It gives Iowa schools additional leverage when negotiating with vendors and additional protection when things go wrong.

Think of it this way: FERPA is the foundation, and the Iowa Student Data Privacy Act is the modern addition built on top of it. Together, they create a comprehensive framework that protects Iowa students in both traditional and digital learning environments. FERPA ensures that schools respect student privacy, while Iowa's law ensures that the technology companies serving those schools do the same.

Practical Implications for Iowa Schools

[Image: school administrator reviewing a technology contract]

If you're managing technology in an Iowa school district, the Iowa Student Data Privacy Act changes how you need to approach vendor relationships. It's not just about picking the best educational tools anymore—it's about ensuring those tools protect your students' information with the same care you would.

Think of it this way: every time you sign a contract with an EdTech company, you're essentially giving them access to some of your students' most sensitive information. The Act gives you the legal framework to demand real protections, not just promises. In a landscape where threats to K-12 schools continue to evolve (see Cybersecurity Risks: Protecting K-12 Schools From Evolving Threats), being proactive isn't optional.

Strengthening Vendor Contracts

Your vendor contracts—often called Student Data Privacy Agreements or DPAs—are where the Iowa Student Data Privacy Act becomes real. These aren't just formalities to file away. They're your strongest tool for holding EdTech companies accountable.

Here's what needs to be in every contract: First, data ownership clauses that make it crystal clear the student data remains yours. Even when information lives on a vendor's servers, your school district retains complete ownership and control. This isn't negotiable.

Second, you need security provisions that go beyond vague promises. Your contracts should require vendors to implement a comprehensive cybersecurity framework based on nationally recognized standards like NIST or ISO. They need to spell out the administrative, physical, and technical safeguards they'll use to protect student data from unauthorized access.

The Act also gives schools the power to request deletion of student data, and your contracts need to reflect this. Include clear timelines—typically 60 days or less—for when vendors must delete information upon your request. This gives you control over how long student data exists beyond your walls.

Don't forget about third-party sharing. Many EdTech vendors work with subprocessors or other partners. Your contract must require that any third party touching student data follows the same strict privacy and security standards. Otherwise, you're only protecting the first link in a much longer chain.

Finally, your contracts should mirror the Act's core prohibitions: no targeted advertising based on student data, no selling student information, and no building commercial profiles. Put these restrictions in writing, with clear consequences for violations.

Many schools find that a professional phishing audit can identify vulnerabilities in how staff members handle vendor communications and credentials—a critical but often overlooked aspect of vendor management.

Upholding Parent and Student Rights Under the Iowa Student Data Privacy Act

The Iowa Student Data Privacy Act exists to protect students from having their educational experience commercialized. As a school administrator, you're the bridge between the law's protections and the families you serve.

Parents have the right to request deletion of their child's data from EdTech platforms. When a parent comes to you with concerns about a learning app or online service, you have the legal backing to contact that vendor and demand the removal of their child's information. This isn't a favor you're asking—it's a right the Act guarantees.

The Act also shields students from commercial exploitation. No company can use student data to serve targeted ads or sell information to data brokers. Your students' learning environment should be free from commercial tracking and manipulation. When you explain this to parents, you're not just sharing policy—you're reassuring them that their children's education isn't being monetized.

Transparency matters. While the Act doesn't require a formal "Parent's Bill of Rights," its spirit calls for openness. Make sure families understand what data your EdTech vendors collect, how it's used, and what protections are in place. Many districts include this information in their technology handbooks or post it on their websites.

Your role as intermediary between parents and vendors is crucial. When concerns arise, parents shouldn't have to navigate complex vendor support systems alone. Your district, empowered by the Act, can engage directly with operators to resolve issues and ensure compliance.

These protections complement FERPA's education records provisions. Together, they create a comprehensive shield around student information, both in traditional records and in the digital spaces where learning increasingly happens.

Enforcement and Consequences of Non-Compliance

Understanding what happens when vendors violate the Iowa Student Data Privacy Act helps you appreciate why strong contracts matter so much.

While HF2354 itself doesn't spell out specific penalties, the consequences of non-compliance can still be significant. Most enforcement happens through the contractual agreements you've signed with vendors. If an EdTech company breaches the terms of your DPA, whether by selling student data, failing to delete information, or providing inadequate security, your district can pursue legal action to enforce compliance, recover damages, or terminate the contract.

Iowa's broader consumer data protection law (SF262, effective January 2025) gives the Attorney General authority to enforce data privacy violations with civil penalties up to $7,500 per violation. While this law isn't specific to student data, it demonstrates Iowa's commitment to data protection and could influence how student privacy violations are handled.

Beyond legal consequences, reputational damage can be devastating for EdTech companies. Word travels fast in education circles. A vendor that mishandles student data will find it difficult to win new contracts or maintain existing relationships. Schools talk to each other, and trust, once broken, is hard to rebuild.

For your district, non-compliance by a vendor can mean more than legal headaches. It can mean a data breach affecting hundreds or thousands of students, notification requirements, angry parents, and media scrutiny. This is why understanding what counts as sensitive data (see Sensitive Data Definition and Types) matters: you need to know what you're protecting and why.

The best approach? Don't wait for problems to emerge. Review your vendor contracts now, ensure they include the protections the Act requires, and maintain open communication with your EdTech partners about expectations. Prevention is always easier than enforcement.

Compliance Takeaways

The Iowa Student Data Privacy Act represents Iowa's commitment to protecting students in an increasingly digital world. It's not just another compliance checkbox—it's a framework that helps us ensure technology serves learning, not corporate interests.

Throughout this guide, we've seen how HF2354 works alongside FERPA to create stronger protections for K-12 students. The law places direct responsibility on EdTech operators, prohibiting them from using student data for targeted advertising, selling information, or building commercial profiles. At the same time, it empowers schools to demand better security practices and gives parents meaningful control over their children's digital footprint.

Your key takeaways are straightforward: strengthen your vendor contracts with clear data protection language, understand your role as an intermediary protecting student and parent rights, and maintain industry-standard security practices throughout your technology ecosystem. These aren't just legal requirements—they're the foundation of trust between your school, your families, and your technology partners.

Building a security culture doesn't happen overnight. It requires consistent attention, ongoing training, and the right partners. At CyberNut, we understand the unique pressures facing K-12 schools. You're managing tight budgets, limited IT staff, and an ever-expanding array of digital tools—all while keeping students safe online.

That's why we've designed our approach specifically for educational institutions. Our automated, gamified micro-trainings make cybersecurity awareness engaging rather than overwhelming. We help your staff recognize phishing attempts, protect sensitive data, and understand why these practices matter for compliance with laws like the Iowa Student Data Privacy Act.

Human error remains one of the biggest vulnerabilities in school cybersecurity. To ensure your school is protected against common entry points for data breaches, consider a professional phishing audit. It's a practical first step toward understanding your current risk level and strengthening your defenses.

For comprehensive cybersecurity solutions tailored to K-12 schools, from training programs to practical resources on implementing data privacy protections, explore our resources. We're here to help you navigate these complex requirements with confidence, so you can focus on what matters most: providing a safe, enriching learning environment for every student.
