California is known for a few key things: golden sunshine, Hollywood hijinks, and consumer privacy laws protecting sensitive personal information and user data.
OK — that last one might not belong on a postcard. But for K-12 schools in the Golden State, California data privacy laws are a vital part of life — one that impacts everything from homework assignments to cloud service provider relationships.
Of course, like most things in the data privacy landscape, data protection and consumer privacy regulations are always changing. It’s up to you to juggle all those privacy rights while still maintaining an efficient, flexible digital environment for students, staff, faculty, and other users.
That might sound like a pretty heavy lift. Luckily, you just found our K-12 guide to California consumer privacy and personal data protection laws — so let’s jump in.
School districts in every state have a responsibility to protect sensitive personal information and other student data. That’s based on the idea that everyone has the right to privacy. Students, however, are perhaps particularly vulnerable — and this isn’t just because they’re minors, which puts them under the protection of rules such as the Children’s Online Privacy Protection Act.
In truth, student data privacy matters for a few key reasons:
Unfortunately, data protection is often an uphill battle. From disgruntled students to overseas cybercrime organizations, there are all kinds of malicious actors out there.
Take, for example, the Finalsite hacking event in January 2022. Finalsite is a website host and communication service provider that fell victim to a ransomware attack. EducationWeek reported that 3,000 K-12 schools were impacted, but Finalsite said it found no evidence of data theft. Next time, schools and students might not be so lucky — which is why security and data privacy laws are key for educational organizations.
The good news is that, even as students create more data and encounter new risks, privacy legislation evolves to keep up. That’s especially true when it comes to consumer data protection in schools.
The U.S. Department of Education keeps a close eye on this, administering and enforcing data privacy laws such as:
While these regulations apply from coast to coast, individual states may have their own approach to privacy law — and that’s where things get interesting for schools in California.
As any California resident will likely tell you, the state is proud of its advanced approach to data privacy law. According to Brookings, advocates have even argued that California privacy rights are so advanced that a proposed federal law (the American Data Privacy and Protection Act) might actually undermine existing protections.
Lawmakers, organizations, and even private citizens work to ensure students and general consumers are protected. This vigilance has led to many new regulations, two with particularly important considerations for K-12 school districts:
Although California privacy rights are good news for students and data, these regulations can leave school districts with a lot to juggle.
In January 2016, a new California privacy law took effect: the Student Online Personal Information Protection Act, or SOPIPA. It’s widely considered one of the most comprehensive consumer privacy and personal data laws in the nation and is enforced by the California attorney general.
Here’s the specific language: “The bill [prohibits] an operator from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising.”
Generally speaking, the SOPIPA restricts any K-12 edtech service provider from using sensitive personal information for the purposes of marketing to students. The law is built on three key restrictions:
When the law says “may not collect student data,” it’s talking about sensitive personal information that may be used to create or log into an account, track grades, verify qualifications for financial support, and more. Here are a few examples:
Any company that provides software or hosts services for K-12 schools can use this information for educational purposes, but not for marketing or advertising. That goes for any business serving California students (even if the organization isn’t based in California).
It’s up to an edtech service provider to comply with the SOPIPA, which means all you have to do is verify that your software and cloud operators are following the rules. You can also use SOPIPA compliance as a requirement for choosing new tools or other digital solutions. Just remember that not all apps — especially free ones — have good intentions, and some may exploit SOPIPA loopholes to continue leveraging student data for commercial purposes.
The California Consumer Privacy Act, or CCPA, got its start in 2018. Although it’s not unique to education like the SOPIPA, this California privacy law is good news for consumer rights overall. That’s especially true in 2023 and beyond, as new amendments have further expanded the CCPA’s list of rights.
Here’s a look at what the CCPA creates:
According to the State of California Department of Justice (DOJ), businesses that gather information about kids under 16 can only sell this data if they have affirmative authorization, or an opt-in. This CCPA compliance rule differs depending on the child’s age:
The California DOJ clarifies what is and isn’t considered “personal data” under the CCPA:
Personal information: This is any data that “identifies, relates to, or could reasonably be linked with you or your household.” Personal information can include name, email address, internet browsing history, fingerprints, and more. Sensitive personal information is a subset of this category and includes social security numbers, financial data, contents of digital messages, and more.
Non-protected data: Publicly available records are not protected under the CCPA. That means property records, some consumer credit reporting information, certain medical information, and more.
The CCPA creates a lot of value for California schools. For example, this state privacy law requires businesses to offer a privacy notice and a “notice at collection.” These must list two key things:
Your school can use these notices on students’ behalf to ensure that no data privacy laws are violated. You can also double-check why a certain service provider or app is collecting data, which is a good indicator of its overall reliability.
It’s also important to know student rights under the CCPA. That’s not just to protect your school; it’s also a great way to encourage parents or the students themselves to take a more active role in protecting consumer data privacy.
The California Privacy Rights Act, or CPRA, is one of the more recent pieces of privacy legislation. The CPRA is actually an amendment to the CCPA, creating additional rights and protections for consumer data. It also expands the definitions of a data breach and requires service providers to establish data protection solutions.
Perhaps most notably, the CPRA introduced the California Privacy Protection Agency, or CPPA. The CPPA was created to handle any new data privacy law and act as a guardian of consumer rights.
CPPA board members are appointed by the attorney general and other high-ranking officials. The agency’s responsibilities include administering, implementing, and enforcing the law, according to the International Association of Privacy Professionals. The CPPA can also handle consumer requests or complaints regarding potential violations.
Although nonprofit organizations like many K-12 schools don’t have to worry about complying with the CPRA, it’s still important to understand the rights this act creates. You should also brush up on the CPPA and how it can help protect you, your school, and your students from issues such as a data breach or a service provider’s improper use of sensitive personal information.
As you’ve probably noticed, most California privacy rights laws don’t require your school to do anything — beyond learning your rights and understanding what your service providers are doing with student data, that is.
So what can you do?
The good news is that there’s a way to take advantage of privacy rights, keep up with each new data privacy law, and ensure that student data stays secure along the way. It’s called data loss prevention, or DLP, and it’s a set of solutions designed to defend student information without creating new complexities.
A cloud-based DLP solution like ManagedMethods doesn’t replace your cloud service providers; instead, it unites different vendors — including Google Workspace and Microsoft 365 — to create a single source of automated data security. The result is a more secure cloud environment free from many modern vulnerabilities, including both internal and external risks.
You’ll have visibility into school and student data, where it’s created, how it’s used, and how many people have access. The system can even help you screen new apps or software solutions, check privacy policies, and get rid of unreliable third-party installations.
Better yet, you’ll be able to implement custom or templated policies to enforce your rules, which helps you stay compliant with California data privacy laws and any general data protection regulation. That protects your school and your students.