ontinuing to establish itself as the most progressive state in the data privacy arena, California has passed the Student Online Personal Information Protection Act (“SOPIPA”). The law imposes some of the strongest restrictions on the use of students’ information online to date. SOPIPA will become effective January 1, 2016 and website operators, app developers and educational tech entrepreneurs should take steps to ensure compliance with the new law. This post will highlight the key facets of SOPIPA, namely, to what data it applies, to whom it applies and the restrictions and obligations it imposes on the use of data.
Parties and Data Covered by SOPIPA
SOPIPA is designed to protect the personal information of students. The law applies to the data collection and use by website operators, online service providers and application proprietors that have “actual knowledge” that (1) their services are used for kindergarten through twelfth grade purposes and (2) such services were designed and marketed for such purposes. The law defines such K-12 purposes broadly as “purposes that customarily take place at the direction of the K–12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.” Importantly, this law does not only apply to service providers located in California. Any service provider falls into law’s purview if it collects information from Californian students.
The law governs the use of any personally identifiable information that (1) is created or provided by a student, the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K–12 school purposes; (2) is created or provided by an employee or agent of the K–12 school, school district, local education agency, or county office of education, to an operator; or (3) is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information. Clearly, the law is drafted to encompass any and all information about a student that has any potential to identify that student. Therefore, service providers should err on the side of inclusion when considering whether information that they collect is covered under the law.
Restrictions on the Use of Student Data
SOPIPA prohibits services providers from knowingly engaging in targeted advertising on their site, services or application or on any other site, service or application when such targeting is based upon any of the information detailed above. The law further prohibits using covered information to amass a profile about a K–12 student except in furtherance of K–12 school purposes. Service providers may not sell a student’s information, including covered information, except in a merger.
The law also places restrictions on disclosing covered information. Disclosure may only be made in furtherance of the K–12 purpose of the site, service, or application and the recipient of covered information may not further disclose the information unless done to allow or improve operability and functionality within that student’s classroom or school. The recipient is legally required to comply with the data security and deletion provisions of the law as well.
Disclosure of covered information is permitted to allow service providers to ensure legal and regulatory compliance, to respond to or participate in judicial process and to protect the safety of users or others or the security of the site. Operators collecting covered information may also disclose covered information to their service providers, provided that the operator contractually (A) prohibits the service providers from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (B) prohibits the service providers from disclosing any covered information provided by the operator with subsequent third parties, and (C) requires the service provider to implement and maintain reasonable security procedures and practices dictated by the law.
These strictures will have far-reaching effects and may require existing operators to revisit their agreements with data storage and other service providers to ensure that transfer of covered information in the normal course of business does not run afoul of the law. Moreover, cloud-based storage and software and platform-as-a-service providers may have to alter the way they treat data collected from educational websites, services and application operators, including their own disclosure policies and security protocols.
In addition to the restrictions on use of covered data, the new law also demands that service providers implement reasonable security procedures and practices appropriate to the nature of the information they collect. The security measures must protect the information from unauthorized access, destruction, use, modification and disclosure. Service providers must also comply with requests from schools to delete data under the control of that school. What constitute “reasonable security procedures” under SOPIPA is not clear. Service providers will therefore have to treat this uncertainty carefully and it may be best to implement stronger security measures than they themselves deem reasonable.
Additional Suggestions for Service Providers
Determining whether a service provider is actually covered under SOPIPA may prove challenging. It may be advisable to conduct a data and privacy audit to determine exactly what information is being collected and from whom. If a service provider determines that it is covered (or, indeed, if it remains unsure) it should implement stringent security protocols and amend privacy policies and terms of use to reflect the strictures of the law. In fact, all service providers may want to revise their terms of use and privacy policies, even if only to state that they are not used for K-12 purposes and that users should not use the services for such purposes. Service providers in general should review their marketing and advertisements strategies as well with SOPIPA in mind.
Filed in: Legal Blog
December 1, 2015