California Governor Jerry Brown has signed into law Senate Bill 1177, the Student Online Personal Information Protection Act (SOPIPA), restricting collection and marketing uses of K-12 student data. The Bill requires the operator of an internet website, online service or mobile application to implement and maintain reasonable security procedures and practices to protect the student data from unauthorized access, destruction, use, modification or disclosure. The Bill also restricts the disclosure of student data, and requires that the data be deleted upon request of the school or district. There are only specific limited circumstances under which disclosure of student data is allowed. The operator may use the deidentified student data to improve its educational products, or demonstrate the effectiveness of its products in their marketing.
The second main aspect of the Bill restricts the use of student data for marketing. This is the reaction to the inBloom debacle, which has led to new legislation in states around the country. Online operators may not use the student data to engage in targeted advertising on its own site, or any other site or service. The operator also may not use the data to create a profile about a student, except for school purposes. Lastly, the operator may not sell student data. This law goes into effect on January 1, 2016.