Specifically, the law prevents the following:

  • Online service providers that cater to K12 users may not collect student data for the purposes of targeted advertisements;
  • Online providers that cater to K12 users may not create profiles based on persistent unique identifiers for commercial purposes; and
  • Companies may not sell student information.

The data covered by the law includes any information about a student that could potentially identify the individual. Similar to the definition of personally identifiable information (PII) in COPPA, SOPIPA covers any of the following information about a student:

  • First and last names
  • Physical address
  • Email address
  • Grades and evaluations
  • Disciplinary records
  • Health records
  • Socioeconomic information
  • Online multimedia generated by the student (e.g. videos, photos, voice recordings)
  • Geolocation data

Companies that host online services for K12 schools also may not disclose student information unless it is for legitimate scholastic purposes or for legal/judicial compliance. Additionally, these companies may not share student data with a third-party vendor except as permitted under SOPIPA. K12 software vendors must delete student data at the request of the district.

Currently, SOPIPA does not have any explicit penalties or enforcement procedures for noncompliance. It does, however, provide a “right of action”, which may be brought before the state Attorney General. Violations are expected to be addressed under California's Unfair Competition Law (UCL), which allows illegal business practices (such as not complying with SOPIPA) to be prosecuted in court by state officials and attorneys. The court can order an injunction, monetary restitution, or civil penalties against offending businesses.

Who needs to comply with SOPIPA?

Any company that has actual knowledge that it stores data of K12 students in California must comply with SOPIPA. Any website, application, or service that is directed towards K12 education or is a vendor for a school falls under the law. Much as GDPR can affect companies that are not based in the EU, SOPIPA regulates any company that does business in California or knowingly has any users from California.

How to comply with SOPIPA?

If a business is covered by SOPIPA, there are a few steps to take to make sure that it is compliant with the law. First and foremost, make sure that the data collected is not sold or used to advertise services. Furthermore, ensure that the business has a procedure through which schools can request that student data be deleted, and that the business can follow through on such requests.

To best comply with the regulations under SOPIPA, understand what data is collected, why it is being collected, and how it is being used. This should also be communicated clearly in a privacy policy and in any contract that is made between the business (the vendor) and the school. Also be sure to apply robust and modern security practices to protect the student data that the business maintains.
