California Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Regulates operators of websites and services used for K–12

California Student Data Privacy Guide

Primary Law: Student Online Personal Information Protection Act (SOPIPA)
Citation: California Business and Professions Code §§ 22584 through 22585
Official Text: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=8.&chapter=22.2.&lawCode=BPC

The California Student Online Personal Information Protection Act, commonly known as SOPIPA, regulates how online services, applications, and platforms used for K to 12 school purposes may collect, use, share, and protect student information. The law places strict limits on commercial use of student data, including targeted advertising, profiling, and the sale of covered information.

Unlike states that rely primarily on district-executed agreements to impose privacy obligations, California regulates education technology operators directly through statute. Separately, it requires districts to address pupil record protections through contract law when applicable.

Core scope and definitions

Under SOPIPA, an operator is a business entity that:

  • Operates a website, online service, or application designed and marketed for K to 12 school purposes and used for those purposes.
  • Has actual knowledge that the service is used by K to 12 students in California.

SOPIPA applies to operators. It does not apply to school districts, county offices of education, or the California Department of Education.

Student information under SOPIPA includes information that is:

  • Provided by a student, teacher, or school to the operator.
  • Collected by the operator through use of the service.
  • Personally identifiable or reasonably linkable to a specific student.

If a service is designed and marketed for K to 12 educational use and collects this type of information, it is very likely within SOPIPA’s scope.

Restrictions on operators (education technology vendors)

California Business and Professions Code § 22584 establishes core prohibitions and obligations that apply directly to operators.

Prohibited uses

An operator may not:

  • Use student information to engage in targeted advertising.
  • Use student information to create or amass a profile of a student for purposes other than K to 12 school purposes.
  • Sell student information.
  • Disclose student information except in limited, legally permitted circumstances.

These restrictions apply regardless of whether a school district has executed a written agreement with the operator.

Security and data management obligations

SOPIPA requires operators to:

  • Implement and maintain reasonable security procedures and practices appropriate to the nature of the student information collected.
  • Limit access to student information to what is necessary to operate and improve the educational service.
  • Protect the confidentiality and integrity of student information throughout its lifecycle.

Permitted uses and disclosures

SOPIPA allows operators to use student information for legitimate school purposes, including:

  • Operating, maintaining, and improving the educational service.
  • Providing adaptive or personalized learning features within the service.
  • Conducting internal research and product improvement.
  • Disclosing information to service providers acting on the operator’s behalf under appropriate contractual controls.

Disclosure may also occur when required by law or to address security and safety concerns, provided the disclosure is consistent with SOPIPA.

Relationship to district pupil record laws (AB 1584)

While SOPIPA regulates operator behavior, California Education Code 49073.1, commonly referred to as AB 1584, governs district contracts involving pupil records.

When a third-party provider stores, processes, or maintains pupil records on behalf of a district, the district must enter into a written agreement that addresses:

  • Authorized uses of pupil records.
  • Data ownership and district control.
  • Security safeguards and breach notification responsibilities.
  • Data retention, return, and deletion requirements.

As a result, California districts typically apply a two-layer review: SOPIPA compliance at the operator level, and contract-level protections when pupil records are involved.

Are signed district vendor contracts required under California law?

It depends on the data involved.

  • SOPIPA itself does not require districts to sign a contract with every operator. The statute directly regulates operator conduct.
  • When a service accesses or manages pupil records under Education Code 49073.1, a written agreement is required.
  • Many California districts choose to standardize contracts even when not strictly required, to maintain consistent controls and documentation.

Practical implications for California districts

Because California relies on both operator regulation and contract-based controls, districts should focus on:

  • Identifying which tools qualify as SOPIPA-covered operators.
  • Reviewing vendor policies for advertising, profiling, and secondary data use risks.
  • Determining when pupil records are involved and triggering AB 1584 contract requirements.
  • Maintaining documentation of approvals, evidence reviewed, and agreements executed.
  • Reevaluating tools periodically as vendor policies, features, and subprocessors change.

How edprivacy supports California schools

California districts must manage operator-level compliance under SOPIPA while also tracking contract obligations tied to pupil records.

edprivacy supports California schools by providing a centralized system to:

  • Evaluate and document SOPIPA-related vendor practices.
  • Track which tools require AB 1584-compliant agreements.
  • Maintain organized records of approvals, contracts, and supporting evidence.
  • Monitor vendor policy changes over time so approvals remain current.

Edprivacy gives California administrators a structured, defensible way to manage student data privacy responsibilities across both statutory and contractual requirements, without relying on fragmented spreadsheets or one-off reviews.