Student Data Privacy in the State of North Carolina

The Student Online Personal Information Protection Act or SOPIPA is a student data privacy law that was passed in the U.S. state of North Carolina in 2016. In accordance with legislative measures that many other U.S. states have adopted in recent years, the SOPIPA was passed for the purposes of providing students within the state of North Carolina with some modicum of protection as in concerns the collection, use, modification, disclosure, and destruction of their personal information. To this point, the law sets forth various provisions that school districts, online operators, and associated third parties are responsible for adhering to when managing the personal information of students within the state of North Carolina.

How is the term online operator defined under the SOPIPA?

Under the SOPIPA, an online operator is defined as “the operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. An operator does not include a K-12 school or local board of education that operates an Internet Web site, online service, online application, or mobile application for that K-12 school or local board of education’s own K-12 school purposes.” Alternatively, the law defines a subcontractor as “an entity providing a service to an operator under contract and on its behalf to further a K-12 school purpose.”

What are the duties of online operators under the law?

Under the provisions of North Carolina’s Student Online Personal Information Protection Act, online operators and subcontractors have the following responsibilities as it pertains to the protection of the personal information and privacy of students that attend school within the state:

• Online operators and subcontractors are responsible for both implementing and maintaining reasonable security measures and policies for the purposes of protecting personal information from unauthorized access, use, modification, disclosure, and deletion.
• Online operators and contractors are responsible for deleting a student’s personal information at the request of a particular school district within 45 days.
• Online operators and subcontractors are prohibited from using the personal information of North Carolina students for the purpose of engaging in targeted advertising.
• Online operators and subcontractors are prohibited from using the personal information, identifiers, or other relevant details of students for the purposes of creating a profile for said students, except in the furtherance of K-12 school activities and purposes.
• Online operators are prohibited from selling or renting the personal information of students, except in certain circumstances. Such circumstances include instances where students over the age of 13, or a student’s parent or guardian permit an online operator or subcontractor to sell or rent the personal information of their children for the purpose of achieving higher educational objectives, in accordance with expressed written consent.

What categories of personal data are protected under the SOPIPA?

Under the SOPIPA, the following categories of personal information concerning students within the state of North Carolina are legally protected under the provisions of the law:

• Information contained within a student’s email or educational records.
• First and last names.
• Physical addresses.
• Information that would permit physical or online contact.
• Disciplinary records.
• Test results.
• Special education data.
• Juvenile dependency records.
• Grades and evaluations.
• Criminal records.
• Medical and healthcare records.
• Social security numbers.
• Biometric information.
• Socioeconomic information.
• Text messages and documents.
• Search acvtivty.

Maintaining compliance with the law

While the personal information of students must be protected from threats such as unauthorized access and cybercrime, this information must also be disclosed to certain individuals and organizations for the purpose of the furtherance of educational opportunities. As such, online operators and subcontractors can utilize redaction to ensure that they protect the personal privacy of their respective students when looking to help them progress through their educational journeys. Using an automatic redaction software program, online operators and contractors can redact any personal information that is not pertinent to a particular task at hand, enabling them to both use student information for appropriate purposes, while simultaneously protecting this information from harm or misuse.

Through the provisions of North Carolina’s Student Online Personal Information Protection Act, parents and guardians within the state were provided with the legal means to protect the personal information and records of their children as it relates to online access and usage. As K-12 children within the U.S. currently access the internet more than any other generation throughout the history of the nation, legislation such as the Student Online Personal Information Protection Act will become even more relevant in the future. As such, many other states around the country will surely pass laws geared toward protecting the personal information that students disclose to online providers over the course of their educational careers.