FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors

We are pleased to announce that we are publishing the FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors.

Co-written with education privacy experts Linnette Attai of PlayWell LLC, Amelia Vance of the National Association of State Boards of Education, and David B. Rubin, Esq., this document provides an in-depth analysis for ed tech companies. In particular, we examine the definitions and unique requirements of the California Student Online Personal Information Protection Act (SOPIPA). Topics include:

  • Who Must Comply?
  • What is “Actual Knowledge”?7
  • What are “K-12 School Purposes”?
  • What Information Is Protected Under SOPIPA (“Covered Information”)
  • Specific Requirements of SOPIPA for Ed Tech Vendors
  • What is Targeted Advertising?
  • When Can an Operator Disclose Covered Information?
  • How Can Operators Use Student Information?
  • SOPIPA Rights for Students

SOPIPA was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.

SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information is covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model.

On November 4, 2016, the California AG’s Director of Privacy Education and Policy released their document: Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data. This is valuable information for vendor’s use on the state’s view of the requirements of the law. However, these are non-binding recommendations, and do not definitively address all the areas of the law that will have to be addressed by vendors operating in California schools. Our detailed guide provides a useful companion tool for vendors to make informed decisions about their privacy policies and practices when operating in California schools.


Cross-posted with the Future of Privacy Forum website.

Related Resources

  • FPF Perspectives

    FPF Responds to the FTC’s COPPA Policy Statement

    May 19, 2022

    On May 19, 2022, the Federal Trade Commission (FTC) held an open meeting where it approved a policy statement prioritizing enforcement of the Children’s Online…

    Learn More
  • Higher Ed Perspectives

    The Datafication of Student Life and the Consequences for Student Data Privacy

    Apr 11, 2022Kyle M. L. Jones (MLIS, PhD) Indiana University-Indianapolis (IUPUI)

    The COVID-19 pandemic changed American higher education in more ways than many people realize: beyond forcing schools to transition overnight to fully online l…

    Learn More
  • Blog

    So Much Data: Thinking About How We Govern with Data and How We Are Governed by Data in US Higher Education

    Apr 11, 2022Michael Brown, Assistant Professor of Higher Education and Student Affairs, School of Education, Iowa State University

    As a researcher who focuses on how US higher education institutions construct data systems to support students’ success, I find myself having the same conversa…

    Learn More