PA SB378

Establishes a Chief Data Privacy Officer within the Pennsylvania Department of Education to oversee student data privacy policy, conduct investigations, and prepare annual reports to the General Assembly

Requires educational entities to provide annual written notice to students and parents about what data is collected, how it may be disclosed, and which third parties have access; disclosure requires written authorization except when required by law, court order, or health/safety emergencies

Prohibits collection of biometric identifiers (fingerprints, iris scans, facial geometry) except as required by law, and bans use of student data for targeted marketing unless necessary for educational purposes like adaptive learning software

Grants students ownership of their data with rights to download, export, inspect, correct inaccurate information, and expunge records related to unsubstantiated accusations or adjudicated matters where found not guilty

Imposes administrative penalties of $1,000-$5,000 per violation (up to $1,000,000 annually) for data breaches, plus civil penalties including identity protection costs and legal fees; requires breach notification within 24 hours to the state and 3 business days to affected individuals