California Statutes Lead the Way in Strengthening Student Data Privacy

The California Student Online Personal Information Protection Act (SOPIPA), in conjunction with California Education Code section 49073.1 (formerly AB 1584), was the first state law to comprehensively address student privacy. In fact, it served as a template for other states as they developed their own student privacy policies. The California legislation requires all K–12 websites and digital application vendors to protect student information.

Edtech vendors are prohibited from using, sharing, compiling, or disclosing data for anything other than legitimate educational purposes.

Companies may not sell the Personally Identifiable Information (PII) of minors for marketing products or services. However, they may share aggregated data stripped of PII if the information is used to improve their product or service. They can also release the data for legitimate research purposes according to regulations in federal and state law. 

An addendum to the California statutes became effective on January 1, 2016. The addendum strengthened the requirement that companies could not build a profile of a K-12 student, sell student PII or disclose the covered information. Specifically, the bill requires vendors:

"to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, to protect the information from unauthorized access, destruction, use, modification, or disclosure, and to delete a student's covered information if the school or district requests deletion of data under the control of the school or district." [1]

SOPIPA directly addresses the way online software applications can collect and use student data. Edtech companies may use the de-identified data to develop better products and services, but they are not allowed to use the information for targeted advertising.[2]

California State Law AB1584 Adds Protection for Student Information 

Educators, privacy advocates, legislators, and edtech industry members were divided on whether SB1177 provided enough protection for today’s digital lives. While SOPIPA outlines guidelines for education websites and digital products, California’s AB 1584 advises that the following issues should be spelled out in contracts between districts or other educational institutions and the education software vendor:

  • Clarify that the local education agency (LEA) owns and controls student records.
  • Describe how a student keeps control of their projects along with a way to transfer their content to a personal account later.
  • Prohibit third parties from using student information outside of what is allowed in the contract.
  • Outline how parents, guardians, and students can review and correct their PII.
  • Describe the protection procedures to keep student information secure and confidential.
  • Provide a process to notify parents, guardians, and students of unauthorized disclosure of student records.
  • Certify how student records will be deleted at the end of the contract.
  • Prohibit targeted advertising to students through use of their PII.
  • Describe how LEAs and third parties will comply with FERPA.[3] 

Additional Student Data Protection to be Provided by Consumer Privacy Act

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. This law will put the state closer to alignment with the European Union’s General Data Protection Regulation (GDPR). Like the GDPR, the CCPA does not specifically focus on education technology, but impacts all companies that collect PII from California residents, including minors.

The big takeaway for education companies is that while COPPA regulates the information of children up to 13 years of age, the CCPA will extend the required compliance from age 13 to age 16.

How EdPrivacy Can Help

Keeping student data safe and secure is critical for schools and districts. EdPrivacy utilizes machine learning-based artificial intelligence to create privacy quality scores for thousands of online technology resources commonly used in classrooms across the nation. The scores help educators and administrators quickly identify safe online technologies and easily determine which service providers respect and protect student data privacy. With EdPrivacy, school district leaders better understand school privacy laws for students, and enjoy student data privacy peace of mind. 

For more information on what school and district administrators should know about federal student privacy laws, read EFI’s federal legislation page. 


[1] Retrieved from

[2] Retrieved from

[3] Retrieved from