Take 2:  A Look at an Amended SB 29

Despite being just a few months old, Senate Bill 29 (SB 29) – a significant piece of student data privacy legislation – will soon look quite different. On December 4, both the Ohio Senate and the Ohio House unanimously passed House Bill 432, a bill, which, among other things, amends SB 29 in some significant measure. The bill, which is headed to Governor DeWine for signature, contains an emergency clause, which means that it will take immediate effect once signed and filed with the Secretary of State.    

We understand that the amendments to SB 29 were made in an effort to clarify its scope and to reduce some of the administrative burden that school districts across the state reported. While the core of SB 29 – safeguarding student data remains – the amendments are significant.

Here’s what you need to know:

1. Revised Definitions

The amended definitions are few but mighty.  First, "educational records” is replaced by the more commonly accepted “education records,” as defined under FERPA. No need to work through two frameworks when evaluating compliance under SB29 and other student data privacy laws.  Second, the definition of “school-issued device” is modestly broader now that it captures devices provided for “dedicated student use.” Third, the definition of “student” is helpfully narrowed to currently enrolled K-12 students.  Last, and most significant is a change to how “technology provider” is defined. Notably, “curriculum” and “assessment” providers, along with ITCs, ESCs, and several other entities, are now excluded from this definition. 

2. Permissible Access Clarified

Access to school-issued devices in response to subpoenas (not just warrants) is now more clearly permitted, though school districts should continue to be mindful of the fact that certain warrants and subpoenas may include provisions that prohibit disclosure. When in doubt, seek legal counsel.

3. Trigger Notification Reduction

At the top, there is no doubt that these amendments will alleviate the frequency of notifications. However, they still contain something of a math problem to work through in determining when notification is required.

Importantly, no part of this math problem involves having to notify parents or guardians about access to a school-issued device pursuant to non-commercial educational purposes (i.e., the type of routine, daily notifications that were feared in the original draft).

Instead, notifications regarding access are now only required in a handful of instances:

• when the district “initiates responsive action” due to a warrant, subpoena, or missing/stolen device.
• if, in response to a threat to life or safety, the district initiates action on its own OR initiates action under specific Ohio Revised Code obligations, UNLESS the notice itself poses a threat to life or safety.

4. Contracting Requirements Remain

No significant changes were made to SB29’s original requirements for how school districts contract with “technology providers.” As a result, school districts should continue to ensure contracts include security safeguards, restrict unauthorized access, and limit the use of education records to contractual purposes.

In light of the amendments to the definition of a “technology provider,” consider verifying if vendors meet the amended definition, noting exclusions for assessment and curriculum providers. Be prepared for vendors to lean on these exclusions to potentially side-step SB29 compliance. 

5. Accountability Remains

Though the amendments concerning licensure largely track the licensure code of professional conduct, amended SB29 makes clear that the State Board of Education may take licensure action against an individual who purposely uses or intentionally releases confidential student information for purposes other than student instruction. 

Moving forward ...

The amendments to SB29 will quite likely reduce some of the collective heartburn that many school district leaders felt over the past several months. However, there are certain important steps to take now to further reduce any lingering anxiety:

• Continue to develop a thorough understanding of the technology being used in classrooms and consider whether a centralized process for technology approval is warranted. This is undoubtedly a major throughline in SB29.
• By August 1, 2025, gather and prepare a list of technology providers and the education records they affect.  
• Review your Notice of General Monitoring and determine if these amendments impact the specifics of that notice.
• Be prepared for a variety of responses from your vendors and service providers. Some will be well-versed in how SB29 impacts their terms, some will not. Some may be looking at how the amended definition of “technology provider” impacts their services.