Student Data Privacy Legislation in the State of California

The Student Online Personal Information Protection Act or SOPIPA is a student data privacy law that was passed in the U.S. state of California in 2016. The SOPIPA was passed for the purpose of protecting the personal information of students within California, particularly as it concerns the use of online services, websites, and online and mobile applications. To this point, the SOPIPA sets forth various requirements that online operators within the state must adhere to when providing services to students within the state of California. Moreover, the law also places various responsibilities on online operators as it pertains to protecting the personal information of California students.

What is the scope and application of California’s SOPIPA?

In terms of the scope and application of California’s Student Online Personal Information Protection Act, the law applies to “operators of websites, online services, or online or mobile applications (covered operators) who have actual knowledge that their services were designed, marketed, and are being used for K-12 purposes (covered services).” With this being said, the law defines an online operator as the “operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.”

What are the requirements of online operators under the SOPIPA?

Under the SOPIPA, online operators within California have numerous responsibilities as it pertains to the protection of the personal information and privacy of students within the state. These responsibilities include:

• Online operators are prohibited from using the personal information of students within California for the purposes of targeted advertising.
• Online operators are prohibited from selling personal information obtained from students within California for any reason or purpose.
• Online operators are prohibited from using personal information obtained from students within California for any purpose other than the advancement of educational pursuits.
• Online operators are only permitted to disclose personal information pertaining to students within California under certain circumstances. Such circumstances include the furtherance of the K-12 purpose of a particular website, or to ensure legal or regulatory compliance with other applicable laws, among others.
• Online operators must implement and maintain security measures for the purpose of ensuring that the personal information of students within California is protected from unauthorized access, use, modification, or disclosure.
• Online operators must delete personal information concerning a student within California at the request of a school district.

What categories of personal data are protected under the SOPIPA?

Under California’s Student Online Personal Information Protection Act, the following categories of personal information are legally protected from unauthorized use, access, and disclosure:

• Educational records.
• Email addresses.
• Physical addresses.
• First and last names.
• Telephone numbers.
• Grades and evaluations.
• Medical information and health records.
• Special education data.
• Socioeconomic data.
• Student identifiers.
• Photos and voice recordings.

How can online operators within California comply with SOPIPA?

While online operators within California are responsible for protecting the personal information of students under the provisions of SOPIPA, they are also permitted to use this information to provide said students with opportunities that could be used to further their education. As such, a primary means by which said online operators can utilize the personal information of students within California while also maintaining compliance with the SOPIPA is through redaction. Using an automatic redaction software program, online operators can automatically redact various forms of personal information relating to students within California. In this way, online operators can fulfill their job in terms of furthering the education of students, while simultaneously ensuring that the personal privacy of their students is protected at all times.

As online services and websites have become an integral part of K-12 education within the U.S., it is imperative that the personal information that students provide to online operators in the context of furthering their education is safeguarded from unauthorized access. To this end, the provisions of California’s Student Online Personal Information Protection Act mandate that online operators within the state take measures to ensure that the personal information of students within the state is protected at all times. What’s more, amendments to the law that were made in 2017 provided even more protections for students in preschool and prekindergarten. More importantly, however, parents and guardians of students within California can have the peace of mind that the personal information of their children is safeguarded from harm.