Twenty-first century students, parents, and teachers use technology for everyday tasks such as instruction, testing, and communicating regarding student performance.  Online services frequently require students, parents, or teachers to create accounts and provide detailed information about the student, including his or her name, grades and disciplinary history.  The Family Educational Rights and Privacy Act (FERPA) has long addressed some of the related privacy concerns on the federal level.  Last month, however, California went a step further by enacting what is widely considered the nation’s strictest law protecting student information, the Student Online Personal Information Protection Act (SOPIPA).  SOPIPA will become effective on January 1, 2016.

FERPA, originally enacted in 1974, is the federal law governing privacy of student education records.  FERPA grants parents and students ages 18 and older certain rights with respect to the education records and dictates when a school that receives federal funding may disclose information in student records.  Generally speaking, a school must obtain written permission from a parent or an eligible student before disclosing any information in student education records to any third party.

However, the advent of digital learning technologies and the prevalence of MacBooks replacing textbooks in the classroom create a heightened risk of improper disclosure of student personal information by schools and third parties alike.  It has become apparent in recent years that FERPA is insufficient to cover third-party uses and disclosures of student information.  As a result, states have begun filling the gaps in FERPA with their own legislation.

California’s SOPIPA prohibits website, online service, and online and mobile application operators who “have actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes” from: (1) engaging in targeted advertising on the operator’s site service or application; (2) using information created or gathered by the site, service or application to create a profile about a K-12 student; (3) selling a student’s information; and (4) disclosing student information, except in certain enumerated circumstances.

Various stakeholders applaud the bill for helping to ensure secure online environments for students and their parents while still permitting innovation related to learning technologies.  According to The New York Times, 36 states introduced student privacy legislation in 2014 and approximately 30 bills passed, covering a range of topics from prohibiting the collection of student biometric data to requiring disclosure of third-parties who hold student data, to requiring security measures for protecting student information.