SOPIPA: Student Online Personal Information Protection Act

In August 2014, California State Governor Jerry Brown signed a law that will restrict the use of students' educational data.

Dubbed the Student Online Personal Information Protection Act (SOPIPA), the law prohibits operators from sharing student data and from using that data to target advertising at students for a non-educational purpose.

The law took effect on January 1, 2016. This law marks one of the largest, most restrictive privacy moves that concern K-12 students in California.

It requires operators to implement and maintain reasonable security procedures and practices to protect student data. It also requires operators to delete a student's information at the request of the school or district.

Operators can be any of the following:

  • Educational websites
  • Online services
  • Online applications
  • Mobile applications

James Steyer, CEO and founder of Common Sense Media, a San Francisco-based nonprofit that helped craft the law:

It's a major step forward in creating a trusted online learning environment.

I think this is a blunt call to industry to say that school data is for educational purposes. Period.

SOPIPA "prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services".

This applies if you use any third-party vendors to collect information from students on your website or mobile app, e.g. using MailChimp to collect email addresses for advertising various products.

State Senate President pro tempore Darrell Steinberg, who is SOPIPA's sponsor in the California Senate:

The bottom line is that [SOPIPA] fosters innovation, and protects kids' privacy, and demonstrates that these goals can be complementary.

The old notion of trading privacy for innovation is a false choice.

Do I need to comply with SOPIPA?

SOPIPA doesn't cover general audience websites and services.

Google Search is used by a lot of K-12 students, but it doesn't necessarily target K-12 students and is therefore not bound by this law.

SOPIPA applies to you if you collect student data from K-12 students in California. The Act applies even if you're not based anywhere in California, as long as you collect information from K-12 students in California.

While the main target of SOPIPA is the EdTech market, you could very well be within its scope if your business is for K-12 students and is designed and marketed as such.

If your business is for K-12 students, or if it isn't but still collects, stores and uses information from K-12 students, then comply with SOPIPA.

Currently, there's no comprehensive guidance on how to be in compliance with this law.

As long as you target K-12 students in California, you should start considering your collection and usage of K-12 student data and how SOPIPA will apply to you starting January 1, 2016.

If your web site or mobile app is directed towards children under 13, you need to comply with COPPA.

If SOPIPA applies to your website or mobile app, here are the types of information targeted by SOPIPA:

  • Information provided by a student or parent for K-12 school purposes
  • Information provided to you by a K-12 school or by agents of a K-12 school, school district, or county office of education
  • Information you gathered through your services that clearly describes a student or identifies a student

"Covered information" constitutes a wide array of information including but not limited to:

  • Information in the student's educational record
  • First and last name, home address, telephone number, email address, or other information that allows physical or online contact
  • Discipline records, test results, special education data, juvenile dependency records, grades, evaluations
  • Criminal records, medical records, health records, social security number, biometric information, disabilities
  • Socioeconomic information, food purchases, political affiliations, religious information
  • Text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information

Geolocation information is part of the covered information targeted by SOPIPA. If you develop a mobile app directed towards K-12 students that would use geolocation, read the bill.

If you use location data with your mobile app, you must disclose this in your Privacy Policy.

Restrictions on protected data

Companies that are considered "operators", which means they have "actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes", are encouraged to review their websites or mobile apps.

These companies are prohibited from doing the following:

  • Using targeted advertising on their own website, mobile application, etc., or on other websites, when the targeting is based on information (covered information and persistent unique identifiers) acquired by the operator because of the use of that operator's website or mobile app.

    This can mean that you can't use Remarketing with Google AdWords or various third-party vendors that will allow you to start a remarketing campaign.

    If you use Google AdWords Remarketing, you need to update your Privacy Policy.

  • Creating or gathering information about K-12 students and using that collected information to create a profile of the K-12 students, except in cases when the information is used for K-12 school purposes.
  • Selling a student's information (including covered information as defined above). This doesn't apply to "the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information".

This law does not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications.

There are a few exceptions when companies can disclose student information:

  • It's done to "allow or improve operability and functionality within that student's classroom or school"
  • It's legally required to do so to ensure legal and regulatory compliance, to respond to or participate in judicial process, or to protect the safety of users or others or the security of the web site

If you're using third-party vendors to manage students' data, e.g. storing email addresses via services other than internally built tools, SOPIPA states that you can't use service providers for this type of information unless:

the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).


How to comply with SOPIPA

Currently, there has not been any guidance issued on how to ensure compliance with SOPIPA.

Aside from non-disclosure of K-12 student data, companies are encouraged to comply with security and deletion requirements through the following:

  • Implement and maintain security procedures to protect the collected information from unauthorized access, destruction, use, modification, or disclosure.
  • Delete a student's covered information (as defined by SOPIPA; see list above) if the school or the district requests deletion of data under the control of the school or district.

SOPIPA is new and there is currently no known penalty for non-compliance.

Tips for student apps

If you're currently developing a website or mobile app targeted towards students, first determine if your website or mobile app is covered by SOPIPA.

If it is, consider these steps:

  • Check if you collect and make use of any of the covered information.
  • Implement measures and security procedures to make sure that no information would be disclosed in violation of the law or used for any restricted purposes.
  • Review your contracts with third-party vendors that you may use to operate your website or mobile app. Pay attention to the vendors that are helping you collect information.
  • Improve your website or mobile app and your internal system to make sure that K-12 students' data is kept safe.
  • Run a threat and risk assessment to check if your current security procedures are adequate to protect students' data.

SOPIPA does not entirely prohibit web site or mobile app operators from using K-12 school data. You can use the collected data for the following purposes:

  • Maintain, develop and improve the web site or mobile app
  • Legitimate research purposes as required by state or federal law (subject to the additional restrictions under state and federal law)
  • Using de-identified data to improve products
  • Learning purposes, such as for adaptive learning
  • Marketing products (education products) that are targeted towards parents, as long as the marketing campaign doesn't result from the use of covered information

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.