California recently passed the Student Online Personal Information Protection Act (“SOPIPA,” pronounced “so-peep’-ah”), the first state law to comprehensively address student privacy. It became effective January 1, 2016. SOPIPA applies broadly to websites, applications and online services that focus on K-12 students and is designed to protect personal information about K-12 students. Even if your business is not based in California, SOPIPA will apply if you collect covered information from California K-12 students.
Does SOPIPA Apply To You?
Even if you don’t think your company is in the EdTech market, SOPIPA may apply. To be subject to SOPIPA, you must have actual knowledge that your offering is used primarily for K-12 school purposes, and the offering must have been designed and marketed for K-12 school purposes. As this is a new law, there is little guidance yet as to what that means in practice, but if your site is used by K-12 students, keep reading! SOPIPA does not apply, however, to general audience sites and services (for example Google Search, which of course “happens” to be used by K-12 students but is not designed or marketed for their use specifically).
What Information Do You Need To Worry About?
If SOPIPA applies to your business, it protects personally identifiable information or materials, in any media or format, that
- is provided to you by a student or parent for K-12 school purposes;
- is provided to you by an agent of the K-12 school, school district, or county office of education; or
- is gathered by you through your service and is descriptive of a student or otherwise identifies a student.
This definition is painfully broad. It includes (but is not limited to) information in the student’s educational record, first and last name, home address, telephone number, email address or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, and geolocation information.
What Can’t You Do With SOPIPA-Protected Data?
Well, that’s a long list! SOPIPA prohibits:
- Engaging in targeted advertising on your service based on any information (including covered information, persistent unique identifiers and other data you have acquired) about a student;
- Targeted advertising elsewhere using information, including covered information and persistent unique identifiers, collected or created through your service;
- Using information created or collected through your service to amass a profile about a student, other than in furtherance of K-12 school purposes;
- Selling a student’s information, including covered information (except in connection with a merger or acquisition where the purchaser remains bound by SOPIPA with respect to that information); and
- Disclosing covered information, except in specified circumstances. Disclosure in furtherance of the K-12 purpose you serve is permitted only if the recipient does not further disclose the information, unless doing so is necessary to allow or improve functionality within the student’s classroom or school.
So, How Do You Comply?
SOPIPA imposes the following security and deletion requirements on covered services:
- Security requirements: You must implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, designed to protect that information from unauthorized access, destruction, use, modification or disclosure. The statute does not define “reasonable,” so expect the standard to be read against what comparable services do and against the sensitivity of the data you hold.
- Deletion requirements: You must delete a student’s covered information if the school or district requests deletion of data under the control of the school or district.
We strongly recommend you speak with an attorney well-versed in SOPIPA to help interpret the requirements in your specific circumstances.
What Happens If You Don’t Comply?
What may be most notable about SOPIPA, for website operators with experience in the EdTech sector, is that it imposes direct liability on those operators: the law applies directly to the operator, rather than indirectly through contractual obligations flowing down from its school customers. This is in stark contrast with the most well-known educational privacy law, the Family Educational Rights and Privacy Act (“FERPA”), which does not apply directly to website operators. FERPA applies directly only to educational institutions that receive federal funding. SOPIPA is new enough that we don’t yet know what sorts of penalties will be imposed or which entities will be targeted, but we believe that suits will be brought as “unfair competition” claims.
The Good News: Several Ways You Can Still Use Data
There is some good news here. Under SOPIPA you CAN use the information you gather, even if subject to SOPIPA, for:
- maintaining, developing, supporting, improving, and diagnosing your services (or related purposes);
- legitimate research purposes as allowed by state or federal law and under the direction of a school, school district, or state department of education (and in compliance with the restrictions above on creating profiles and on advertising);
- creating and then using de-identified data within your services to improve educational products or to demonstrate the effectiveness of your services;
- sharing de-identified and aggregated student information for the development and improvement of educational sites, services, or applications;
- adaptive learning or customized student learning purposes; and
- marketing educational products directly to parents so long as the marketing does not result from the use of Covered Information obtained by you through your services.
If SOPIPA applies to your company’s activities, you are required to be in compliance. We recommend that all website operators that collect information from K-12 students take the following steps.
- Determine whether your online services are covered under SOPIPA and, if so, whether you collect the type of information protected under SOPIPA;
- If you do collect this type of information and are covered by SOPIPA, put into place procedural and technical measures designed to ensure the information is not used for any of the restricted purposes or otherwise disclosed in violation of the law;
- Conduct a threat and risk assessment (TRA) to determine what security measures would be appropriate for your particular service;
- Set up technical, physical, and administrative security measures commensurate with the sensitive nature of the applicable information. This may include developing new and/or revising existing policies and procedures, and using industry best practices such as encryption to protect the data both in transit and at rest on your services; and
- Review your existing agreements with subcontractors and consider amending existing and/or future contracts to require subcontractors to comply with SOPIPA. Consider whether indemnification by your subcontractors may be appropriate. Similar FERPA provisions are also advisable.