Student Data Privacy
Federal Law and State Law
Children’s Online Privacy Protection Act (COPPA)
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.)
Protection of Pupil Rights Amendment (PPRA)
The PPRA applies to the programs and activities of a State educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education.
California S.B. 1177, known as the Student Online Personal Information Protection Act (SOPIPA), imposes rigorous rules on operators of websites or providers of Internet services or mobile applications with actual knowledge that the services are used primarily for “K-12 school purposes” and were designed and marketed for K–12 school purposes. Among other things, it prohibits the use of student data for targeted advertising on the website, service or app and the sale of student data. Operators of educational online services must also implement and maintain reasonable security procedures and practices, as well as protect that student data from unauthorized access, destruction, use, modification, or disclosure. “Operator” is broadly defined as any service provider whose services are primarily used for K-12 educational purposes and designed and marketed for K-12 school purposes.
California A.B. 1584 requires that contracts between a school district and third parties specify, among other things, that the student data remains the property of the educational agency; how students and parents may access their data; how the third party will ensure the confidentiality and security of student data; and how to notify students and parents in the event of a security breach.