23 January 2020
In August 2014, California State Governor Jerry Brown signed a law that will restrict the use of students' educational data.
Dubbed the Student Online Personal Information Protection Act (SOPIPA), the law prohibits operators from sharing student data and from using that data for targeted advertising to students for a non-educational purpose.
The law took effect on January 1, 2016. It marks one of the largest, most restrictive privacy moves concerning K-12 students in California.
It requires operators to implement and maintain reasonable security procedures and practices to protect student data. It also requires operators to delete a student's information at the request of the school or district.
Operators can be any of the following:
James Steyer, CEO and founder of Common Sense Media, a San Francisco-based nonprofit that helped craft the law:
It's a major step forward in creating a trusted online learning environment.
I think this is a blunt call to industry to say that school data is for educational purposes. Period.
SOPIPA "prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services".
This applies if you use any third-party vendors to collect information from students on your website or mobile app, e.g. using MailChimp to collect email addresses for advertising various products.
State Senate President Pro tempore Darrell Steinberg, who is SOPIPA's sponsor in the California Senate:
The bottom line is that [SOPIPA] fosters innovation, and protects kids' privacy, and demonstrates that these goals can be complementary.
The old notion of trading privacy for innovation is a false choice.
SOPIPA doesn't cover general audience websites and services.
Google Search is used by a lot of K-12 students, but it doesn't necessarily target K-12 students and is therefore not bound by this law.
SOPIPA applies to you if you collect student data from K-12 students in California. The Act applies to you even if you're not based anywhere in California but collect information from K-12 students in California.
While the main target of SOPIPA is the EdTech market, you could very well fall within its scope if your business is for K-12 students and is designed and marketed as such.
If your business is for K-12 students or, even if it's not, it collects, stores and uses information from K-12 students, then comply with SOPIPA.
Currently, there's no comprehensive guidance on how to be in compliance with this law.
As long as you target K-12 students in California, you should start considering your collection and usage of K-12 student data and how SOPIPA will apply to you starting January 1, 2016.
If your web site or mobile app is directed towards children under 13, you need to comply with COPPA.
If SOPIPA applies to your website or mobile app, here is the type of information targeted by SOPIPA:
"Covered information" constitutes a wide array of information including but not limited to:
Geolocation information is part of the covered information targeted by SOPIPA. If you develop a mobile app directed towards K-12 students and would use geolocation, read the bill.
Companies that are considered "operators", which means they have "actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes", are encouraged to review their websites or mobile apps.
These companies are prohibited from doing the following:
Using targeted advertising on their website, mobile application, etc., or using targeted advertising on other websites when the targeting is based on information (covered information and persistent unique identifiers) acquired by the operator through the use of that operator's website or mobile app.
This can mean that you can't use Remarketing with Google AdWords or with various third-party vendors that allow you to start a remarketing campaign.
This law does not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications.
There are a few exceptions when companies can disclose student information:
If you're using third-party vendors to manage students' data, e.g. storing email addresses via services other than internally built tools, SOPIPA states that you can't use service providers for this type of information, unless:
the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
Currently, there has not been any guidance issued on how to ensure compliance with SOPIPA.
Aside from non-disclosure of K-12 student data, companies are encouraged to comply with security and deletion requirements through the following:
SOPIPA is new and there is currently no known penalty for non-compliance.
If you're currently developing a website or mobile app targeted towards students, first determine if your website or mobile app is covered by SOPIPA.
If it is, consider these steps:
SOPIPA does not entirely prohibit web site or mobile app operators from using K-12 school data. You can use the collected data for the following purposes:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.