FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

We are pleased to announce that we are publishing the FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors.

Co-written with education privacy experts Linnette Attai of PlayWell LLC, Amelia Vance of the National Association of State Boards of Education, and David B. Rubin, Esq., this document provides an in-depth analysis for ed tech companies. In particular, we examine the definitions and unique requirements of the California Student Online Personal Information Protection Act (SOPIPA). Topics include:

  • Who Must Comply?
  • What is “Actual Knowledge”?7
  • What are “K-12 School Purposes”?
  • What Information Is Protected Under SOPIPA (“Covered Information”)
  • Specific Requirements of SOPIPA for Ed Tech Vendors
  • What is Targeted Advertising?
  • When Can an Operator Disclose Covered Information?
  • How Can Operators Use Student Information?
  • SOPIPA Rights for Students

SOPIPA was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.

SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information is covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model.

On November 4, 2016, the California AG’s Director of Privacy Education and Policy released their document: Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data. This is valuable information for vendor’s use on the state’s view of the requirements of the law. However, these are non-binding recommendations, and do not definitively address all the areas of the law that will have to be addressed by vendors operating in California schools. Our detailed guide provides a useful companion tool for vendors to make informed decisions about their privacy policies and practices when operating in California schools.


Cross-posted with the Future of Privacy Forum website.

Related Resources

  • EdTech Perspectives

    Demystifying the Consumer Privacy Patchwork

    Jan 18, 2024Randy Cantz

    What should edtech companies know about consumer privacy laws?As states continue to pass new consumer privacy laws, edtech companies may be left wondering what…

    Learn More
  • Higher Ed Perspectives

    Higher Education Compliance with Updates to the GLBA Safeguards Rule

    Jul 6, 2023

    Higher education institutions participating in the US Department of Education’s federal student aid programs need to be aware of recent updates to requirements…

    Learn More
  • FPF Perspectives

    FTC announces a complaint and consent agreement against Chegg

    Nov 7, 2022Jamie Gorosh and Lauren Merk

    Since May 2022, education technology (edtech) companies have been on notice that the Federal Trade Commission (FTC) is closely monitoring the industry to ensur…

    Learn More