General | February 10, 2026 | 6 min read

NY Education Law 2-d: What Every School Technology Vendor Needs to Know

New York's student data privacy law has specific requirements for third-party vendors. Here's what 2-d requires and how to comply.

New York Education Law § 2-d is one of the strongest student data privacy laws in the country. If you're a technology vendor working with New York schools, compliance isn't optional — and it goes well beyond what FERPA requires.

What 2-d Requires of Vendors

Any third-party contractor that receives student PII or teacher/principal APPR data from a New York educational agency must meet the following requirements.

Data Privacy Agreement (DPA)

Before any data is shared, a DPA must be executed that specifies:

  • Exactly which data elements will be collected
  • The specific purposes for collection
  • How the data will be protected
  • When and how data will be returned or deleted
  • Subcontractor and subprocessor details

Parents' Bill of Rights

Schools must provide a Parents' Bill of Rights that includes the vendor's supplemental information. This must state:

  • Student PII cannot be sold or released for commercial purposes
  • Parents can inspect and review their child's education records
  • Industry-standard safeguards are in place
  • A complete list of data elements collected is available
  • Parents can file complaints with the school's CPO or NYSED

Breach Notification

Vendors must notify the educational agency of any unauthorized release or acquisition of student PII. Best practice is to notify within 60 calendar days of discovery, though some districts negotiate shorter windows.

Data Minimization

Only collect what's necessary for the educational purpose. If your platform doesn't need a student's home address to function, don't collect it.

Common Compliance Gaps

  • No DPA — Many vendors skip the formal agreement, which is a violation
  • Vague data practices — "We take privacy seriously" is not a compliance statement
  • Undocumented subprocessors — Every third party that touches student data must be listed
  • No deletion process — Vendors must be able to return or delete data on request

The Practical Takeaway

If you're building edtech for New York schools, build compliance into your architecture — don't bolt it on after. Multi-tenant data isolation, role-based access controls, audit logging, and documented data retention policies should be part of the foundation, not an afterthought.
