FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

We are pleased to announce that we are publishing the FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors.

Co-written with education privacy experts Linnette Attai of PlayWell LLC, Amelia Vance of the National Association of State Boards of Education, and David B. Rubin, Esq., this document provides an in-depth analysis for ed tech companies. In particular, we examine the definitions and unique requirements of the California Student Online Personal Information Protection Act (SOPIPA). Topics include:

  • Who Must Comply?
  • What is “Actual Knowledge”?7
  • What are “K-12 School Purposes”?
  • What Information Is Protected Under SOPIPA (“Covered Information”)
  • Specific Requirements of SOPIPA for Ed Tech Vendors
  • What is Targeted Advertising?
  • When Can an Operator Disclose Covered Information?
  • How Can Operators Use Student Information?
  • SOPIPA Rights for Students

SOPIPA was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.

SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information is covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model.

On November 4, 2016, the California AG’s Director of Privacy Education and Policy released their document: Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data. This is valuable information for vendor’s use on the state’s view of the requirements of the law. However, these are non-binding recommendations, and do not definitively address all the areas of the law that will have to be addressed by vendors operating in California schools. Our detailed guide provides a useful companion tool for vendors to make informed decisions about their privacy policies and practices when operating in California schools.


Cross-posted with the Future of Privacy Forum website.

Related Resources

  • Blog

    Talking to Kids About Privacy: Advice from a Panel of International Experts

    May 21, 2021Jasmine Park

    Now more than ever, as kids spend much of their lives online to learn, explore, play, and connect, it is essential to ensure their knowledge and understanding …

    Learn More
  • Blog

    U.S. Department of Education Opens an Investigation into Pasco County’s Predictive Policing Program

    Apr 19, 2021Anisha Reddy and Amelia Vance

    On Friday, the U.S. Department of Education opened an investigation into the data-sharing practices between Florida’s Pasco County sheriff’s office and school …

    Learn More
  • Blog

    Youth Privacy and Data Protection 101

    Apr 1, 2021Jasmine Park and Amelia Vance

    It is estimated that one-third of global internet users are under the age of 18. As digital technologies increasingly mediate nearly all facets of their lives,…

    Learn More