California Gov. Jerry Brown signed into law Monday, August 29, 2014, a law aimed at restricting the use of students' educational data by third-party vendors, making this one of the more restrictive and sweeping state privacy laws pertaining to kids.

Among other things, the Student Online Personal Information Protection Act, ("SOPIPA"), prohibits operators of online educational services from selling student data and using such information for targeted advertising to students or to "amass a profile" on students for a non-educational purpose. The law also requires online service providers to maintain adequate security procedures and to delete student information at the request of a school or district. The law authorizes the disclosure of covered information of a student under specified circumstances and goes into effect on January 1, 2016.

This law will require companies (those that qualify as an "operator"; meaning companies with "actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes") to rethink their websites and apps. Unless an exception applies, operators cannot engage in any of the following activities on their sites or apps:

  • (A) Engage in targeted advertising on the operator’s site, service, or application, or (B) target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s site, service, or application described in subdivision (a).
  • (2) Use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K–12 student except in furtherance of K–12 school purposes.
  • (3) Sell a student’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information."

One notable exception - there are others - is that this law does not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications.