The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes. Specifically, the law prevents the following:
- Online service providers that cater to K-12 users may not collect student data for the purposes of targeted advertisements;
- Online providers that cater to K-12 users may not create profiles based on persistent unique identifiers for commercial purposes; and
- Companies may not sell student information.
The data that is covered in the law includes any information about a student that could potentially identify the individual. Similar to the definition of personally identifiable information (PII) in COPPA, SOPIPA covers any of the following information about a student:
- First and last names
- Physical address
- Email address
- Grades and evaluations
- Disciplinary records
- Health records
- Socioeconomic information
- Online multimedia generated by the student (e.g. videos, photos, voice recordings)
- Geolocation data
Companies that host online services for K-12 schools may also not disclose student information unless it is for legitimate scholastic purposes or for legal/judicial compliance. Additionally, these companies may not share student data with a third-party vendor unless under SOPIPA, K-12 software vendors must delete student data at the request of the district.
Currently, SOPIPA does not have any explicit penalties or enforcement procedures for noncompliance. It does, however, provide a right of action which may be brought before the state Attorney General. Violations are expected to be addressed under California's Unfair Competition Law (UCL), which allows illegal business practices (such as not complying with SOPIPA) to be prosecuted in court by state officials and attorneys. The court can order an injunction, monetary restitution, or civil penalties on offending businesses.
Who needs to comply with SOPIPA?
Any company that has actual knowledge that it stores data of K-12 students in California must comply with SOPIPA. Any website, application, or service that is directed towards K-12 education or is a vendor for a school falls under the law. Similar to how GDPR can affect companies that are not based in the EU, SOPIPA regulates any company that does business in California or knowingly has any users from California.
How to comply with SOPIPA?
If your business is covered by SOPIPA, there are a few steps you should take in order to make sure that you are in compliance with the law. First and foremost is to make sure that the data you collect is not sold or used to advertise your services. Furthermore, ensure that you have a procedure whereby schools can request that student data be deleted and that you can follow through on the request.