Charter Data Privacy Jurisdictional Research

New York State

State layer above federal baseline. NY has the most active student data privacy regime in the country.

Applies to: All NY charter schools regardless of authorizer (Regents, SUNY-CSI, NYC DOE).

Layered legal regime

A charter in this jurisdiction is subject to all of the following layers stacked:

  1. Layer 1: Federal Baseline (5 laws)
  2. Layer 2: New York State (3 laws)

New York State — Laws & Regulations

Ed Law 2-d

NY Education Law § 2-d

Statute: NY Education Law § 2-d (Article 2)
Regs: 8 NYCRR Part 121

THE major NY student data privacy statute. Requires every educational agency to adopt a Parents' Bill of Rights, designate a Data Protection Officer, align with NIST CSF, train staff annually, and tightly govern third-party-contractor data sharing.

School-side obligations

  • Publish a Parents' Bill of Rights for Data Privacy and Security
  • Designate a Data Protection Officer (8 NYCRR § 121.6)
  • Adopt data security policy aligned with NIST Cybersecurity Framework
  • Provide annual data privacy and security training to all employees handling student data
  • Maintain an inventory of third-party contractors and data accessed
  • + 4 more on detail page

Vendor-side obligations

  • Sign contract incorporating Parents' Bill of Rights as supplement
  • Adopt NIST CSF-aligned technologies, safeguards, practices
  • Use student PII ONLY for authorized purposes
  • NOT sell, market, or commercialize student PII
  • Notify educational agency of breach without unreasonable delay, no later than 7 calendar days
  • + 3 more on detail page
Breach notification: Vendor → school: ≤7 calendar days from discovery. School → parents and NYSED CPO: ≤10 calendar days from receiving vendor notice (or self-discovery).
Enforcement: NYSED Chief Privacy Officer. Civil penalties up to $10,000 per violation, $25,000 per school year for material violations. No express private right of action; Article 78 review available.

NY SHIELD Act

Stop Hacks and Improve Electronic Data Security Act

Statute: NY General Business Law §§ 899-aa, 899-bb
Regs:

Expanded NY's breach notification law and added affirmative reasonable-safeguards requirements for any person or business owning or licensing NY residents' private information. Applies concurrently with Ed Law 2-d for charters.

School-side obligations

  • Implement reasonable administrative, technical, and physical safeguards
  • Notify affected NY residents of breach in most expedient time possible
  • Notify NY AG, Department of State, State Police of breach
  • Adopt safe-harbor framework (Ed Law 2-d / Part 121 / NIST CSF satisfies for student data)

Vendor-side obligations

  • If holding NY-resident private info, same safeguards apply
  • Vendor breach notification under Ed Law 2-d (7 days) generally tighter than SHIELD
Breach notification: Without unreasonable delay; specific content requirements; concurrent with NYAG / DOS / State Police notification.
Enforcement: NY Attorney General. Civil penalties up to $20 per failed notification (capped at $250K).

Charter Schools Act

NY Education Law Article 56

Statute: NY Education Law §§ 2850-2857
Regs: 8 NYCRR Part 119

Authorizing framework for NY charter schools. Makes Ed Law 2-d (and all generally-applicable education laws) applicable to charters.

School-side obligations

  • Operate as nonprofit education corporation under N-PCL
  • Comply with all generally-applicable NY education laws except where Article 56 specifically exempts

Vendor-side obligations

No direct vendor obligations.

Breach notification: N/A directly; flows through Ed Law 2-d.
Enforcement: Authorizer (Regents, SUNY-CSI, or NYC DOE); ultimately renewal/non-renewal/revocation.