The Student Data Privacy Landscape in Arizona

The Student Data Privacy Landscape in Arizona

Arizona’s Student Online Personal Information Protection Act or SOPIPA, also known as SB 1314 is a student data protection law that was passed in 2017. Arizona’s SB 1314 was passed to provide legal protections for students within the state in relation to the personal data they share with teachers, online operators, technology providers, and associated third parties when attending educational institutions. With this being said, the law sets forth the requirements that teachers and online operators must adhere to as it concerns collecting, maintaining, and disclosing student data within the state of Arizona. Furthermore, the law also outlines the specific categories of personal data that are covered under the law.

How are online operators defined under the law?

Under Arizona’s SB 1314, an online operator is defined as “the operator of an internet website, online service, online application or mobile application with actual knowledge that the site, service or application is used primarily for school purposes and was designed and marketed for school purposes.” Alternatively, the law defines school purposes to mean “purposes that are directed by or customarily take place at the direction of a public school or teacher, or that aid in the administration of school activities, including instruction in the classroom, instruction at home, administrative activities and collaboration between students, school personnel or parents, or that are otherwise for the use and benefit of the school.”

What are the duties of online operators under the law?

Under the provisions of Arizona’s SB 1314, online operators that serve students within the state have the following obligations and responsibilities in regards to the data and privacy protection of said students:

  • Online operators are required to both implement and maintain security procedures and practices geared toward protecting the personal data of students from unauthorized access, use, modification, destruction, and disclosure. Moreover, these procedures and practices must also be appropriate to the nature and scope of the personal data that online operators collect from students.
  • Online operators are required to provide both students and parents with prominent notice before making any changes to their privacy policies or regulations.
  • Online operators are required to delete a student’s personal data after a reasonable period of time, if the information in question is under the control of a particular school within Arizona.
  • Online operators are prohibited from using the personal data of students for the purpose of engaging in targeted advertising.
  • Online operators are prohibited from disclosing the personal data of their students, subject to certain exemptions. Such exemptions include the disclosure of personal data pertaining to students that has already been made publicly available, as well as instances where the disclosure of a student’s personal data is mandated by another state or federal law, among others.

What data elements are protected under the law?

Under Arizona’s SB 1314, the data elements relating to students within the state that are legally protected from unauthorized access and disclosure include but are not limited to:

  • First and last names.
  • Homes addresses.
  • Email addresses.
  • Medical and health records.
  • Telephone numbers.
  • Text messages.
  • Voice recordings.
  • Juvenile dependency records.
  • Socioeconomic information.
  • Student identifiers.
  • Social security numbers.
  • Grades and evaluations.
  • Criminal records.
  • Test results.
  • Biometric information.

What are the penalties for violating Arizona’s SB 1314?

As it pertains to the enforcement of the law, the provisions laid out in Arizona’s SB 1314 are enforced by the Arizona state attorney general. To this point, the Arizona state attorney general has the authority to both investigate and take appropriate action against online operators, educational institutions, and other relevant third parties that are found to be in violation of any of the sections established in the law. What’s more, violations of Arizona’s SB 1314 also constitute an unlawful practice under other applicable legislation within the state. As such, individuals and organizations within Arizona that are found to have violated the law are also subject to additional penalties.

Arizona’s SB 1314 is the foremost law within the state aimed at protecting the personal data that students share with their teachers, online operators, and the various other professionals that work within or in conjunction with educational institutions. Through the provisions of the law, parents and guardians can have the peace of mind that the personal data of their respective children is being protected from harm and misuse. As data breaches are growing even more common due to humanity’s ever-increasing reliance on online usage, legislation such as Arizona’s SB 1314 will become even more relevant moving forward, as many countries around the world have taken to passing such laws to protect the data privacy of their respective citizenship.