Student Online Personal Information Protection Act (SOPIPA)

Student Online Personal Information Protection Act (SOPIPA)

In September 2014, California Governor Jerry Brown signed into law the most comprehensive industry-targeted student-data-privacy legislation in the country. The law, spearheaded by Common Sense CEO Jim Steyer, is the most aggressive legislative effort to date aimed at protecting the privacy and security of student data and was cited by President Obama as a model for federal legislation. The law is unique in that it puts responsibility for protecting student data directly on industry by expressly prohibiting education technology service providers from selling student data, using that information to advertise to students or their families, or "amassing a profile" on students to be used for noneducational purposes. In addition, the law requires online service providers to ensure that any data they collect is secure and to delete student information at the request of a school or district.

The success of this landmark legislation in California has sparked a national conversation on the importance of protecting our children's data and is the inspiration for similar legislation across the country. To date, SOPIPA-like legislation has been introduced in 13 states and is being pursued at the federal level by the Obama administration and Congress.

  1. An Introduction to SOPIPA
  2. How SOPIPA Affects Parents
  3. How SOPIPA Affects Teachers
  4. How SOPIPA Affects Vendors

An Introduction to SOPIPA

In January 2016, the Student Online Personal Information Protection Act (SOPIPA) takes effect in California and New Hampshire.

SOPIPA addresses the changing use of technology in education.

Schools are increasingly integrating computers, laptops, and tablets in the classroom and relying on cloud-computing services for a variety of academic and administrative functions. Through the smart use of technology, schools can enhance and personalize student learning and improve school efficiency. At the same time, private educational technology companies can collect massive amounts of sensitive data about students, including contact information, performance records, online activity and keystrokes, health records, behavior and disciplinary records, eligibility for free or reduced-price lunch, family demographics and financial status, and even cafeteria selections and location along bus routes.

Some edtech companies have collected and analyzed students' personal details without clear limits on how that data is being used. Others have failed to adequately secure and encrypt students' personal information from potential misuse. Preexisting federal and state laws have failed to keep up with technology and left large gaps in the protection of students' information. And many vendor contracts, terms of service, and privacy policies fail to protect student data on their own.

SOPIPA provides clear rules of the road to ensure children's information isn't exploited for commercial or harmful purposes, and it ensures that information stays out of the wrong hands. It also supports innovation and personalized learning, so schools and students can harness the benefits of technology.

What does SOPIPA mean for me?

Whether you're a parent, a student, an educator, or a technology vendor, we hope you will find answers to your questions below. Read more here for Parents, Teachers, and Vendors.

For more information, see: School Privacy Zone Page.

How SOPIPA Affects Parents

Q: How is SOPIPA different from other laws?
A: SOPIPA is different from other student privacy laws because: It makes the edtech companies who collect and handle students' sensitive information responsible for compliance; it applies whether or not a contract is in place with a school; and it applies to apps, cloud-computing programs, and all manner of online edtech services.

Q: Who has to comply with SOPIPA?
A: Websites, online services, and mobile apps that are designed, marketed, and used primarily for K–12 school purposes have to comply with SOPIPA. It doesn't matter whether they have a contract with a school or district.

Q: Does SOPIPA let companies use students' sensitive personal information to market products or amass profiles of students if they get consent?
A: No. With SOPIPA, California has said very clearly that schools should be a place for learning, not marketing or profiling. Though at first it may sound appealing to allow parents, students, or even schools to "consent" to the commercial use of students' personal information, on closer inspection this idea is deeply problematic. Schools are a very unique environment. With schools making many of the edtech choices, parents and students are a captive audience. Schools may feel pressured by companies to give or get consent to receive free or discounted products. Parents may easily feel pressured by schools to "consent" so their children can receive a good education, or they may assume -- often wrongly -- that the school has fully vetted the vendor and its privacy and security practices. And most K–12 students can't give meaningful consent, since they are not of appropriate age or level of understanding of what it means to share their personal information.

In an educational setting, it is better for students and parents if the law bars commercial use of student data outright, without creating loopholes that companies may exploit to pressure parents, students, or schools.

How SOPIPA Affects Teachers

SOPIPA makes sure edtech providers use student data for educational purposes and nothing else -- such as targeted ads or to make a quick buck. SOPIPA also requires that edtech providers protect student data. The school zone should be a privacy zone, a place where students are safe to learn and explore. SOPIPA covers a broad range of K–12 online companies, including websites, services, and apps that may be used with or without a contract with the school or district.

When a vendor says that it complies with SOPIPA, it is verifying that it:

  1. is not using any data collected via its service to target ads;
  2. is not creating advertising profiles on students;
  3. is not selling student information;
  4. won't disclose information, unless required by law or as part of the maintenance and development of its service;
  5. is using sound information-security practices, which often include encrypting data;
  6. will delete data that it has collected from students in a school when the school or district requests it;
  7. can share information only with educational researchers or with educational agencies performing a function for the school;
  8. and will innovate safely without compromising student privacy by only using de-identified and aggregated data as it develops and improves its service.

Within a district, if you want to explore how a vendor protects information, you can use the following questions, which are based on the protections required by SOPIPA:

  • Does any data collected by you or any affiliates get used for advertising? Is any of this advertising targeted?
  • Do you create a profile for students? Is this profile ever used for advertising or in any other way that does not support the educational goals of students?
  • Do you sell student information for any reason?
  • Have there been any instances when you have disclosed student information?
  • Which security practices do you use to protect student information from data breaches or unauthorized access?
  • Can we delete our data from your system ourselves, or do we need to request deletions from your support staff?
  • If we need to request that data be deleted, how long does it take you to comply with our request?
  • How long does it take for your backups to no longer contain any of our data?
  • Do you share data with any educational research organizations or educational agencies? If so, who are they, and when and where can we have access to this research?

Q: Who has to comply with SOPIPA?
A: Websites, online services, and mobile apps that are designed, marketed, and used primarily for K–12 school purposes have to comply with SOPIPA. It doesn't matter whether they have a contract with a school or district.

Q: What does SOPIPA mean for districts?
A: If you work in a school district, you have another way of evaluating how well educational software vendors protect the student data they collect. From the district perspective, this allows you to ask vendors one specific question: Do you comply with SOPIPA?

Q: What does SOPIPA require of me?
A: SOPIPA puts the burden of protecting students on those handling the students' information: the edtech providers. SOPIPA does not place any requirements on educators, schools, or districts. Teachers bringing their own apps into the classroom or looking for more guidance on best practices can check out the additional questions below.

Q: What should I ask my vendors?
A: Ask your vendors if they comply with SOPIPA. If they don't comply or don't know, you should hold off on using that vendor. Though SOPIPA does not create liability for educators, you don't want to share students' sensitive personal information with those who cannot prove they will protect it.

Q: What does compliance with SOPIPA mean?
A: Starting in January 2016, when you ask a vendor if they comply with SOPIPA, the answer to this question needs to be an unequivocal "yes." SOPIPA requires that vendors meet all these standards and does not place any additional burdens on districts.

Q: I'm a teacher. What impact does SOPIPA have on how I bring apps into the classroom?
A: Because vendors are required to comply with SOPIPA, it doesn't create any burden on teachers looking to integrate technology. If you are a teacher and you want to use an app, ask if your school or district has an existing contract with the vendor and whether the vendor has been asked if it complies with SOPIPA.

If your school or district doesn't have a contract with the vendor (as will often be the case with many small apps), SOPIPA still applies to the vendor because students should be protected whether or not there is a contract between a school and a vendor. But it's always a good idea to do a quick review of a product's data-use policies. Major red flags include: companies that sell students' data; companies that share or use students' data for providing targeted ads; companies that amass profiles of students for noneducational purposes; and companies that have no or inadequate security provisions.

In general, free apps are more likely to engage in practices that violate student privacy, because many of these apps use data collected by the app as a means of earning money.

Though SOPIPA doesn't require listing apps used in the classroom, this is frequently recommended as a best practice.

If an app has any of the red flags listed above, don't use it.

Q: What should I tell parents?
A: SOPIPA allows the school zone to be a privacy zone, so kids can focus on learning, knowing that their information will be used only for educational purposes, won't be sold or used for targeted ads, and will be kept securely.

Q: Are there any other best practices for educators?
A: You should continue to use due diligence in evaluating products and providers. Treat all student data with care. Be cautious of "free" things that may have hidden costs, such as your students' personal information. And always be up front with parents and students.

How SOPIPA Affects Vendors

One question that we have been asked since SOPIPA's introduction is whether or not SOPIPA will adversely affect vendors who are working on building and delivering educational technology products. The answer is no. In our outreach to vendors while this law was being crafted and since the law has passed, the feedback we have consistently received is that SOPIPA reflects the good practices that many reputable edtech vendors have been doing for years, while highlighting ways that student data could potentially be used outside an educational context. We have also received feedback that SOPIPA has highlighted the need for sound data security, including encryption, and that many companies have reviewed and improved their security practices as a result.

Q: Do I have to comply with SOPIPA?
A: If you operate a website, an online service, or a mobile app designed, marketed, and used primarily for K–12 school purposes, and you operate in California K–12 schools, you must comply with SOPIPA.

Q: Will SOPIPA make it difficult for me to create educational products?
A: No.

To be SOPIPA compliant you as a vendor should meet the following requirements:

  1. not use any data collected via your service to target ads;
  2. not create advertising profiles on students;
  3. not sell student information;
  4. not disclose information, unless required by law or as part of the maintenance and development of your service;
  5. use sound information-security practices, which often include encrypting data;
  6. will delete data that you have collected from students in a school when the school or district requests it;
  7. share information only with educational researchers or with educational agencies performing a function for the school;
  8. innovate safely without compromising student privacy by only using de-identified and aggregated data as you develop and improve your service.