Policy

New Report Explains Student Privacy under SOPIPA and Similar Regs

• By Dian Schaffhauser
• 12/05/16

A national advocacy group that focuses on data privacy has issued a report that offers an overview of California's Student Online Personal Information Protection Act. SOPIPA, as it's called, is the first state law that "comprehensively" addresses student privacy, according to the Future of Privacy Forum (FPF). Since its 2014 passage and implementation at the beginning of 2016 in that state, the regulations have been borrowed heavily by numerous other states, which have used them as a template for developing their own laws.

According to FPF, 49 states have introduced almost 400 student privacy bills since 2014. Thirty-five states have passed 73 laws since 2013. Thirty-three states have introduced their own versions of SOPIPA or a "similar piece of legislation" that does the same, but is known as "student user privacy in education rights" or "SUPER."

SOPIPA was to put in place to stipulate how student information could be used by education technology companies that are serving the education market. The laws apply to companies that run websites, online services, online applications and mobile applications designed for and marketed to K-12 customers. It doesn't apply to companies that run "general audience products," even when those programs may be used for school purposes.

As the report, "FPF Guide to Protecting Student Data Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors," lays out, under the terms of SOPIPA, third-party operators "must not":

• Engage in targeted advertising based on information acquired through the use of that operator's site, service or application;
• Use information to build a profile about K-12 students except for school purposes;
• Sell a student's data; or
• Disclose information except in specific, limited circumstances.

Operators are also expected to:

• Maintain reasonable security procedures and practices;
• Protect information from "unauthorized access, destruction, use, modification or disclosure"; and
• Delete a student's information if the school or district requests it.

How can student information be used? According to the report, ed tech companies can use the data in two ways:

• To conduct "legitimate research"; and
• For product improvement, marketing and development, as long as the data is "de-identified."

The 38-page report defines terms; explains the background for specific aspects of the regulations and provides context for SOPIPA as it relates to other laws in the area of student privacy, such as the Family Educational Rights and Privacy Act (FERPA); and compares SOPIPA to the regulations introduced in other states.

The report is available for download on the FPF website here.