Specifically, the law prevents the following:
- Online service providers that cater to K12 users may not collect student data for the purposes of targeted advertisements;
- Online providers that cater to K12 users may not create profiles based on persistent unique identifiers for commercial purposes; and
- Companies may not sell student information.
The data covered by the law includes any information about a student that could potentially identify that individual. Similar to the definition of personally identifiable information (PII) in COPPA, SOPIPA covers any of the following information about a student:
- First and last names
- Physical address
- Email address
- Grades and evaluations
- Disciplinary records
- Health records
- Socioeconomic information
- Online multimedia generated by the student (e.g. videos, photos, voice recordings)
- Geolocation data
Companies that host online services for K12 schools may also not disclose student information unless it is for legitimate scholastic purposes or for legal/judicial compliance. Additionally, these companies may not share student data with a third-party vendor except as permitted under SOPIPA. K12 software vendors must delete student data at the request of the district.
Currently, SOPIPA does not have any explicit penalties or enforcement procedures for noncompliance. It does, however, provide a “right of action”, which may be brought before the state Attorney General. Violations are expected to be addressed under California's Unfair Competition Law (UCL), which allows illegal business practices (such as not complying with SOPIPA) to be prosecuted in court by state officials and attorneys. The court can order an injunction, monetary restitution, or civil penalties against offending businesses.
Who needs to comply with SOPIPA?
Any company that has actual knowledge that it stores data of K12 students in California must comply with SOPIPA. Any website, application, or service that is directed towards K12 education or is a vendor for a school falls under the law. Similar to how GDPR can affect companies that are not based in the EU, SOPIPA regulates any company that does business in California or knowingly has any users from California.
How to comply with SOPIPA?
If a business is covered by SOPIPA, there are a few steps to take to make sure that the business is compliant with the law. First and foremost, make sure that the data collected is not sold or used to advertise services. Furthermore, ensure that the business has a procedure through which schools can request that student data be deleted, and that the business can follow through on such a request.
Want to Read More?
If you’re interested to learn more about Edlink’s Unified API, here are some reading suggestions:
- Transformations: How Edlink Fixes School Data Issues for EdTech Developers
- What to Know When Connecting a School’s LMS to Edlink
- How Edlink Compares to Microsoft DataSense
- How does Edlink Handle Data Privacy and Security?
- Pricing FAQ
Create a Free Developer Account
Want to see a demonstration of Edlink’s Unified API? Then start by signing up for a free developer account.