The Privacy Laws Covering Us and Our Clients — and the Resource We Don't Have

If you're an IEC or IECA member, you hold some of the most sensitive information a family will ever hand over: academic records, learning evaluations, essays, sometimes health or mental health history. Most of us didn't get into this profession to become privacy experts, but the reality is that how we're allowed to collect, store, and share that information isn't just a matter of professional ethics anymore. It's a matter of state law, and the rules are multiplying faster than most of us have time to track on our own.
There's no single federal privacy law — so states are writing their own
The U.S. has no comprehensive federal privacy statute. In that vacuum, states have spent the last five years building their own frameworks, and the pace has been striking. Depending on which count and which month you check, somewhere between 19 and 24 states now have comprehensive privacy laws in effect. The range itself says something: even people who track this professionally can't agree on an exact number, because it keeps moving.
That's not for lack of a model to follow. IAPP maintains a US State Privacy Legislation Tracker that does exactly this kind of work for the privacy profession at large — a chart, a map, and a state-by-state directory of comprehensive privacy bills, kept current as legislatures move. It's genuinely useful, and, by design, broad: it only includes bills that take a comprehensive approach to governing personal information generally, and it's built for privacy professionals working across every industry. IAPP also runs companion trackers for state AI governance bills and federal privacy legislation, worth knowing about given how much of our work now touches AI-powered tools.

What that breadth leaves out for our kind of practice
Look at IAPP's tracker and the natural next question is: where's the version of this built for us? Not a rebuild of what IAPP already does well, but a much narrower slice of it.
IAPP's tracker isn't going to tell you:
Whether the notes you keep on a client's IEP or 504 plan fall under FERPA, a state student-data-privacy law, or neither — that depends on whether you're working through a school or independently, since FERPA's protections hinge on a "school official" exception that most of us sit outside of.
- Which states treat therapeutic or admissions-related records like health information, triggering something closer to HIPAA-style handling even though most of us aren't HIPAA-covered entities.
- What "de-identified" is legally required to mean in a given state, as opposed to what a vendor's marketing implies it means.
- What breach-notification timelines apply to a solo or small-practice consultant who's never had to think about incident response before.
- How new state child-specific privacy provisions — several states have passed or are considering "age-appropriate design code" style laws — affect our intake forms, portals, or any third-party platforms we use with minors.
None of that is a gap in IAPP's tracker. It's built for a different, broader audience. But it means the laws that actually govern our day-to-day work sit scattered across a landscape with no resource curated for this profession specifically.
Why this matters more for us than it looks
A few things make our privacy exposure distinctive rather than just general small-business compliance:
We're intermediaries, not just collectors. Records move through us from a school, a family, sometimes a therapeutic program — and then, potentially, out again to whatever tools we use. That flow is where the exposure lives.
Our clients are minors, and minors are the current legislative focus. State legislatures are moving fast on youth-specific privacy and online safety rules, often faster than on general consumer privacy. A tracker built for general consumer bills won't surface these the way a practice-specific one would.
There's often no regulatory floor to fall back on. Most tools and practices in this space aren't bound by FERPA or HIPAA at all, which means the whole question of what's appropriate rests on our own consent language and practice norms — exactly the kind of thing a shared resource could help standardize.
Most of us don't have compliance departments. A consultant with a handful of families under contract doesn't have the bandwidth a privacy team would bring to this. What we need isn't a comprehensive legislative chart — it's a curated, practice-specific "here's what changed and what it means for you."

What a useful version could look like
It wouldn't need to be complicated to be valuable:
A state-by-state quick reference covering the handful of law types that actually touch this kind of practice — comprehensive consumer privacy laws, student data privacy laws, health-data-adjacent laws, and minor-specific online privacy rules — rather than the full universe of bills IAPP tracks.
- Plain-language operational notes translating legal text into practice: what belongs in an intake form, a data retention policy, a breach response plan, a consent clause before sharing a client's file with any third-party platform.
- A change log, updated a few times a year, flagging newly enacted or newly effective laws.
- Template documents — a basic privacy policy, a data-sharing consent form for coordinating with schools and outside programs, a breach-notification checklist — sized for a solo or small practice rather than an enterprise compliance team.

The ask
Does IECA have a resource page for us to track the privacy laws that cover us and our clients? As far as I've been able to find, not yet. It feels like exactly the kind of subset of IAPP's tracker that would genuinely serve this profession — narrower in scope, but built specifically for the questions we actually face: which laws apply to a solo or small practice, what they require operationally, and how to keep up as the landscape keeps shifting. If this resonates, it's worth raising with the national office — the more of us who ask for it, the more likely it is to happen.
