9/29/2014
On September 29, 2014, the Governor of California approved two education data privacy bills, Senate Bill 1177 and Assembly Bill 1442 (together, the Student Online Personal Information Protection Act (SOPIPA)), to protect student information by creating privacy standards for K-12 school districts that rely on third-parties to collect and analyze students' data.
SOPIPA comes at a time when there has been a substantial rise in schools' and educators' use of online educational technology products to develop curricula, deliver materials to students in real time, and monitor students' progress and learning habits through the collection of data by third-party cloud computing service providers.
The Family Educational Rights and Privacy Act (FERPA), which was enacted four decades ago to safeguard the privacy of student data, is outdated and ill-equipped to adequately safeguard against 21st century education data security concerns. Generally, schools must have written permission from a parent or eligible student in order to release any information from a student's education record. However, under FERPA schools are allowed to provide student data to a third-party cloud provider without parent or student consent. FERPA applies only to the schools themselves and does not apply to third-party cloud providers. Third-party cloud providers are shielded from liability, even if the Department of Education (DOE) alleges a FERPA violation against the school or school district. Thus, the school will be held liable if a third-party cloud provider leaks confidential student information (e.g., medical history, behavior issues, or academic performance), is hacked, or sells the information to private companies.
SOPIPA takes significant steps towards ensuring the privacy of student data by filling FERPA's gaps. Under SOPIPA, any operator of a company to whom student data is provided will be prohibited from using, selling, sharing, disclosing, or compiling personal information about a K-12 student for any purpose other than a "K-12 school purpose." SB 1177 defines "K-12 school purposes" to mean purposes that customarily take place at the direction of the school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. In addition, when an operator is no longer using the information for a legitimate educational purpose, the student requests deletion, or the student ceases to be a student at the school or school district, the student's personal information must be deleted. Finally, SOPIPA creates a private right of action for parents or students alleging that an online service provider has violated the statute.
If you have questions or need further explanation, please contact Iain MacMillan, Assistant General Counsel, at Alvarez-Glasman & Colvin (562) 699-5500 or send an email to imacmillan@agclawfirm.com.
Back to News Archive