On September 29, 2014, California Governor Jerry Brown, signed a bill into law that mandates the protection of the personal data of school children that use online educational programs. The Student Online Personal Information Protection Act ("SOPIPA") targets operators of websites, online services, online applications, and mobile applications that provide educational services to children from kindergarten through high school. Such operators must refrain from engaging in a host of activities that might be deemed misuse of the personal information of children, including (i) selling the personal data of the students using their services; (ii) placing advertisements targeted to specific children or their parents based on each child's unique identifying data; (iii) generating profiles for children based on their personal data unless such profiles are in furtherance of a school purpose; or (iv) disclosing personal information unless such disclosure is in furtherance of a school purpose or for the purpose of otherwise complying with the law. Operators also have affirmative obligations under this law to (i) implement security measures to protect any information they gather; and (ii) delete information if the school or district requests such deletion.
This legislation has been lauded by some as the "first truly comprehensive student-data-privacy legislation," but it does contain some potential gaps. For instance, the current text allows requests for deletion only by the school or district, and only for information under the control of the school or district. The text of the law does not specify whether parents and students will have the right to monitor and request deletion of information they do not wish to have collected, stored, and potentially shared.
There are also some questions as to what it means to be an "operator" under SOPIPA. The law is focused on parties whose technology "is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes." "K-12 school purposes" in turn is then broadly defined as activities that "customarily take place at the direction of a K-12 school, teacher or school district or aid in the administration of school activities." This definition is somewhat ambiguous and leaves open questions as to whether the law is meant to cover businesses aiding with college preparation courses and testing, college recruitment or private tutoring in addition to businesses that provide products that are directly used by students and teachers in school on a daily basis. Further, the law does not specify which party -- the operator, school, students or their parents -- decides whether a given use of the data collected qualifies as furthering a school purpose.
The law does strike some balances for developers and technology providers. SOPIPA allows operators to use de-identified student information, which is information that has been anonymized, for purposes of evaluating and improving their products and for marketing purposes. Similarly, operators may share aggregated de-identified student information for the development or improvement of educational products.
Following California's enactment of SOPIPA, several major operators pledged to protect student data. These companies have agreed, among other things, to several of the requirements imposed by SOPIPA, including not to sell data relating to students from kindergarten through high school, not to provide targeted advertising to kids based on such data, not to build profiles of children other than in support of an authorized educational purpose, and not to retain student data beyond the period of time required for the authorized educational purpose. The U.S. Senate is also currently considering a bill to protect student privacy under federal law.
SOPIPA's provisions become operative as of January 1, 2016.