FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

We are pleased to announce that we are publishing the FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors.

Co-written with education privacy experts Linnette Attai of PlayWell LLC, Amelia Vance of the National Association of State Boards of Education, and David B. Rubin, Esq., this document provides an in-depth analysis for ed tech companies. In particular, we examine the definitions and unique requirements of the California Student Online Personal Information Protection Act (SOPIPA). Topics include:

  • Who Must Comply?
  • What is “Actual Knowledge”?7
  • What are “K-12 School Purposes”?
  • What Information Is Protected Under SOPIPA (“Covered Information”)
  • Specific Requirements of SOPIPA for Ed Tech Vendors
  • What is Targeted Advertising?
  • When Can an Operator Disclose Covered Information?
  • How Can Operators Use Student Information?
  • SOPIPA Rights for Students

SOPIPA was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.

SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information is covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model.

On November 4, 2016, the California AG’s Director of Privacy Education and Policy released their document: Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data. This is valuable information for vendor’s use on the state’s view of the requirements of the law. However, these are non-binding recommendations, and do not definitively address all the areas of the law that will have to be addressed by vendors operating in California schools. Our detailed guide provides a useful companion tool for vendors to make informed decisions about their privacy policies and practices when operating in California schools.


Cross-posted with the Future of Privacy Forum website.

Related Resources

  • Blog

    Surveillance Won’t Save Our Kids, Humane Public Policy Can

    Sep 17, 2021Isabelle Barbour

    As a result of the lack of investment by our country in mental health services, schools have, for years, been the de facto providers of mental health supports …

    Learn More
  • Blog

    Regulating State and Local Education Agencies

    Sep 15, 2021Elijah Armstrong

    In March of 2020, the COVID-19 pandemic changed education in ways never before seen, as suddenly most students began taking remote classes exclusively. Even no…

    Learn More
  • Blog

    Bodycams in the Classroom? The Risks are Plain to See.

    Jul 10, 2021Anisha Reddy and Amelia Vance

    Proposals that would force teachers to wear bodycams are grabbing headlines as some activists push to install an unproven surveillance program in classrooms ac…

    Learn More