The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes. Specifically, the law prevents the following:

  • Online service providers that cater to K-12 users may not collect student data for the purposes of targeted advertisements;
  • Online providers that cater to K-12 users may not create profiles based on persistent unique identifiers for commercial purposes; and
  • Companies may not sell student information.

The data that is covered in the law includes any information about a student that could potentially identify the individual. Similar to the definition of personally identifiable information (PII) in COPPA, SOPIPA covers any of the following information about a student:

  • First and last names
  • Physical address
  • Email address
  • Grades and evaluations
  • Disciplinary records
  • Health records
  • Socioeconomic information
  • Online multimedia generated by the student (e.g. videos, photos, voice recordings)
  • Geolocation data

Companies that host online services for K-12 schools may also not disclose student information unless it is for legitimate scholastic purposes or for legal/judicial compliance. Additionally, these companies may not share student data with a third-party vendor unless under SOPIPA, K-12 software vendors must delete student data at the request of the district.

Currently, SOPIPA does not have any explicit penalties or enforcement procedures for noncompliance. It does, however, provide a right of action which may be brought before the state Attorney General. Violations are expected to be addressed under California's Unfair Competition Law (UCL), which allows illegal business practices (such as not complying with SOPIPA), to be prosecuted in court by state officials and attorneys. The court can order an injunction, monetary restitution, or civil penalties on offending businesses.

Who needs to comply with SOPIPA?

Any company that has actual knowledge that it stores data of K-12 students in California must comply with SOPIPA. Any website, application, or service that is directed towards K-12 education or is a vendor for a school falls under the law. Similar to how GDPR can affect companies that are not based in the EU, SOPIPA regulates any company that does business in California or knowingly has any users from California.

How to comply with SOPIPA?

If your business is covered by SOPIPA, there are a few steps you should take in order to make sure that you are in compliance with the law. First and foremost is to make sure that the data you collect is not sold or used to advertise your services. Furthermore, ensure that you have a procedure whereby schools can request that student data be deleted and that you can follow through on the request.

To best comply with the regulations under SOPIPA, you need to understand what data you are collecting, for what reason it is being collected, and how it is being used. This should also be communicated clearly in your privacy policy and in any contract that is made between you (the vendor) and the school. Also be sure to apply robust and modern security practices to protect the student data that you maintain.


Want to Read More?

If you’re interested to learn more about Edlink’s Unified API, here are some reading suggestions:

Create a Free Developer Account

Want to see a demonstration of Edlink’s Unified API, then start by signing up for a free developer account.