Legal Review

How California's Student Privacy Law Protects Against Targeted Advertising

How California's Student Privacy Law Protects Against Targeted Advertising 

In 2014, California signed into law the most comprehensive student-data-privacy legislation in the country. The success of this landmark legislation in California has sparked a national conversation on the importance of protecting our students’ data, and has been the inspiration for similar legislation across the country. When I speak with parents and educators about the Student Online Personal Information Protection Act (SOPIPA), they often ask me how the law protects student’s personally identifiable information when collected from apps and services used in K-12 schools.

Most educators in California understand that SOPIPA protects students’ information, but they are not clear on the details. The law protects students from being tracked online, or from being subject to behavioral advertisements based on their personal information or online activity. However, there is often confusion about the different types of advertising, profiling, or tracking that are prohibited under SOPIPA.

Contextual, Targeted, and Behavioral Ads

Contextual advertisements display products and services to students based only on the relevant content or webpage in which the student is currently viewing, but contextual advertisements do not collect any specific information about the student in order to display these advertisements beyond a student’s search query or specific webpage they visited.

Targeted advertisements, on the other hand, collect more generalized information about students from various sources that can include: demographic, location, gender, age, school, or interests. This information is collected in order to display products and services to a more specific target audience that may be more directed to students based on their information than simply contextual advertisements. The definition of targeted advertisements has been the subject of much discussion, but SOPIPA prohibits targeted advertising based on any information about a user.

Targeted advertisements also include behavioral advertisements which collect specific information about a student typically through the use of cookies, beacons, tracking pixels, persistent identifiers, or other tracking technologies that provide more specific information about a student’s behavior or activities over time. This information can be shared with third-party advertisers, who are able to display even more targeted products and services to students than general targeted advertisements based on the highly specific information they received from the student’s behavior while using the application or service. Therefore, targeted and behavioral advertising are prohibited under SOPIPA, but not contextual advertising.

Ad Profiles

Profiling is the automated processing of personal data to evaluate certain personal aspects relating to a specific student. Profiling of a student is prohibited because the information can be used to analyze or predict aspects concerning that student for marketing or advertising purposes. Advertising tracking is also prohibited, because the collection of information from students using persistent identifiers or third-party scripts can be used to recognize and track students across other third-party websites. Tracking students in this manner for marketing or advertising purposes can also result in unintended consequences such as the disclosure of sensitive data through unknown tracking processes.

Expectations of Privacy

When discussing these different types of advertising, profiling, and tracking — educators often discover a difference between what their personal expectations of privacy are, and what the legal expectations of privacy require. For example, SOPIPA does not prohibit contextual advertising or applications and services from marketing educational products directly to parents so long as the marketing did not result from information collected from students. However, parents and educators expect that educational related applications and services are “safe places,” where parents and students can visit to learn more about these services with the personal expectation that they will not be subject to any advertising or tracking.

About the Author

Girard Kelly is Counsel and Director, Privacy Review at Common Sense, where he evaluates the privacy and security practices of education technology products. He is focused on Internet, privacy, cybersecurity, and Intellectual Property law and has a background in public policy, information technology, entrepreneurship, and emerging technologies. Girard received his B.S., in Business Administration and Management Information Systems from the University of Arizona, a M.A., in Applied Ethics of Science and Technology Policy from Arizona State University, and a J.D., from Santa Clara University School of Law.