FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors
We are pleased to announce that we are publishing the FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors.
Co-written with education privacy experts Linnette Attai of PlayWell LLC, Amelia Vance of the National Association of State Boards of Education, and David B. Rubin, Esq., this document provides an in-depth analysis for ed tech companies. In particular, we examine the definitions and unique requirements of the California Student Online Personal Information Protection Act (SOPIPA). Topics include:
- Who Must Comply?
- What is “Actual Knowledge”?7
- What are “K-12 School Purposes”?
- What Information Is Protected Under SOPIPA (“Covered Information”)
- Specific Requirements of SOPIPA for Ed Tech Vendors
- What is Targeted Advertising?
- When Can an Operator Disclose Covered Information?
- How Can Operators Use Student Information?
- SOPIPA Rights for Students
SOPIPA was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.
SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information is covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model.
On November 4, 2016, the California AG’s Director of Privacy Education and Policy released their document: Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data. This is valuable information for vendor’s use on the state’s view of the requirements of the law. However, these are non-binding recommendations, and do not definitively address all the areas of the law that will have to be addressed by vendors operating in California schools. Our detailed guide provides a useful companion tool for vendors to make informed decisions about their privacy policies and practices when operating in California schools.