California is known for a few key things: golden sunshine, Hollywood hijinks, and consumer privacy laws protecting sensitive personal information and user data.
OK — that last one might not belong on a postcard. But for K-12 schools in the Golden State, California data privacy laws are a vital part of life — one that impacts everything from homework assignments to cloud service provider relationships.
Of course, like most things in the data privacy landscape, data protection and consumer privacy regulations are always changing. It’s up to you to juggle all those privacy rights while still maintaining an efficient, flexible digital environment for students, staff, faculty, and other users.
That might sound like a pretty heavy lift. Luckily, you just found our K-12 guide to California consumer privacy and personal data protection laws — so let’s jump in.
Why California schools need to protect student data
School districts in every state have a responsibility to protect sensitive personal information and other student data. That’s based on the idea that everyone has the right to privacy. Students, however, are perhaps particularly vulnerable — and this isn’t just because they’re minors, which puts them under the protection of rules such as the Children’s Online Privacy Protection Act.
In truth, student data privacy matters for a few key reasons:
- Attitudes toward data: EDUCAUSE describes what’s called a “privacy paradox.” Some students claim to value privacy — especially data concerning their academic or professional prospects — but don’t act in accordance with that belief when offered something with a higher perceived value.
- More tools, more data: From educational websites and online courses to social media platforms, students have access to more apps and digital tools than ever before. The more data they create, the more important it becomes to uphold privacy rights.
- Vulnerable futures: According to a survey by The Harris Poll, 71% of U.S. hiring decision-makers say that social media is an effective way to screen applicants. This has made students more aware of how sensitive personal information could impact their future if leaked online or shared inappropriately.
- Higher risks: A Statista report found that 41% of U.S. internet users have experienced online harassment regardless of age. However, a Pew Research Center survey found that, when it comes to U.S. teens, 46% have experienced cyberbullying — which suggests that younger people are more likely to encounter this kind of digital risk.
Unfortunately, data protection is often an uphill battle. From disgruntled students to overseas cybercrime organizations, there are all kinds of malicious actors out there.
Take, for example, the Finalsite hacking event in January 2022. Finalsite is a website host and communication service provider that fell victim to a ransomware attack. Education Week reported that 3,000 K-12 schools were impacted, but Finalsite said it found no evidence of data theft. Next time, schools and students might not be so lucky — which is why security and data privacy laws are key for educational organizations.
Privacy laws for everyone
The good news is that, even as students create more data and encounter new risks, privacy legislation evolves to keep up. That’s especially true when it comes to consumer data protection in schools.
The U.S. Department of Education keeps a close eye on this, administering and enforcing data privacy laws such as:
- The Family Educational Rights and Privacy Act (FERPA)
- The Protection of Pupil Rights Amendment (PPRA)
While these regulations apply from coast to coast, individual states may have their own approach to privacy law — and that’s where things get interesting for schools in California.
Why California is different
As any California resident will likely tell you, the state is proud of its advanced approach to data privacy law. According to Brookings, advocates have even argued that California privacy rights are so advanced that a proposed federal law (the American Data Privacy and Protection Act) might actually undermine existing protections.
Lawmakers, organizations, and even private citizens work to ensure students and general consumers are protected. This vigilance has led to many new regulations, two with particularly important considerations for K-12 school districts:
- The California Consumer Privacy Act
- The California Privacy Rights Act (which also established the California Privacy Protection Agency)
Although California privacy rights are good news for students and data, these regulations can leave school districts with a lot to juggle.
Data defense: The Student Online Personal Information Protection Act
In January 2016, a new California privacy law took effect: The Student Online Personal Information Protection Act, or SOPIPA. It’s widely considered one of the most comprehensive consumer privacy and personal data laws in the nation and is enforced by the California attorney general.
Here’s the specific language: “The bill [prohibits] an operator from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising.”
Generally speaking, the SOPIPA restricts any K-12 edtech service provider from using sensitive personal information for the purposes of marketing to students. The law is built on three key restrictions:
- A service provider may not collect student data for targeted advertising.
- A service provider may not create student data profiles for commercial purposes.
- A service provider may not sell student information.
Data covered by the SOPIPA
When the law says “may not collect student data,” it’s talking about sensitive personal information that may be used to create or log into an account, track grades, verify qualifications for financial support, and more. Here are a few examples:
- Health records.
- Socioeconomic status.
Any company that provides software or hosts services for K-12 schools can use this information for educational purposes, but not for marketing or advertising. That goes for any business serving California students (even if the organization isn’t based in California).
What this means for schools
It’s up to an edtech service provider to comply with the SOPIPA, which means all you have to do is verify that your software and cloud operators are following the rules. You can also use SOPIPA compliance as a requirement for choosing new tools or other digital solutions. Just remember that not all apps — especially free ones — have good intentions, and some may exploit SOPIPA loopholes to continue leveraging student data for commercial purposes.
Data defense: The California Consumer Privacy Act
The California Consumer Privacy Act, or CCPA, got its start in 2018. Although it’s not unique to education like the SOPIPA, this California privacy law is good news for consumer rights overall. That’s especially true in 2023 and beyond, as new amendments have further expanded the CCPA’s list of rights.
Here’s a look at what the CCPA creates:
- The right to know what personal information is collected, how it’s used, and how it’s shared
- The right to correct collected personal information
- The right to delete most collected personal information
- The right to opt out of data sale or sharing
- The right to limit the use of personal information
- The right to non-discrimination for using CCPA freedoms
Student data and the CCPA
According to the State of California Department of Justice (DOJ), businesses that gather information about kids under 16 can only sell this data if they have affirmative authorization, or an opt-in. This CCPA compliance rule differs depending on the child’s age:
- Under 13: Opt-in must come from a parent or guardian
- 13 – 16: Opt-in can come from the child
Data covered by the CCPA
The California DOJ clarifies what is and isn’t considered “personal data” under the CCPA:
Personal information: This is any data that “identifies, relates to, or could reasonably be linked with you or your household.” Personal information can include name, email address, internet browsing history, fingerprints, and more. Sensitive personal information is a subset of this category and includes social security numbers, financial data, contents of digital messages, and more.
Non-protected data: Publicly available records are not protected under the CCPA. That means property records, some consumer credit reporting information, certain medical information, and more.
What this means for schools
The CCPA creates a lot of value for California schools. For example, this state privacy law requires businesses to offer a privacy notice and a “notice at collection.” These must list two key things:
- What information they collect
- How they use the information
Your school can use these notices on students’ behalf to ensure that no data privacy laws are violated. You can also double-check why a certain service provider or app is collecting data, which is a good indicator of its overall reliability.
It’s also important to know student rights under the CCPA. That’s not just to protect your school; it’s also a great way to encourage parents or the students themselves to take a more active role in protecting consumer data privacy.
Data defense: The California Privacy Rights Act
The California Privacy Rights Act, or CPRA, is one of the more recent pieces of privacy legislation. The CPRA is actually an amendment of the CCPA, creating additional rights and protections for consumer data. It also expands the definitions of a data breach and requires service providers to establish data protection solutions.
Perhaps most notably, the CPRA introduced the California Privacy Protection Agency, or CPPA. The CPPA was created to handle any new data privacy law and act as a guardian of consumer rights.
CPPA board members are appointed by the attorney general and other high-ranking officials. The agency’s responsibilities include administering, implementing, and enforcing the law, according to the International Association of Privacy Professionals. The CPPA can also handle consumer requests or complaints regarding potential violations.
What this means for schools
Although nonprofit organizations like many K-12 schools don’t have to worry about complying with the CPRA, it’s still important to understand the rights this act creates. You should also brush up on the CPPA and how it can help protect you, your school, and your students from issues such as a data breach or a service provider’s improper use of sensitive personal information.
Protect personal information with data loss prevention
As you’ve probably noticed, most California privacy rights laws don’t require your school to do anything — beyond learning your rights and understanding what your service providers are doing with student data, that is.
So what can you do?
The good news is that there’s a way to take advantage of privacy rights, keep up with each new data privacy law, and ensure that student data stays secure along the way. It’s called data loss prevention, or DLP, and it’s a set of solutions designed to defend student information without creating new complexities.
A cloud-based DLP solution like ManagedMethods doesn’t replace your cloud service providers; instead, it unites different vendors — including Google Workspace and Microsoft 365 — to create a single source of automated data security. The result is a more secure cloud environment free from many modern vulnerabilities, including both internal and external risks.
You’ll have visibility into school and student data, where it’s created, how it’s used, and how many people have access. The system can even help you screen new apps or software solutions, check privacy policies, and get rid of unreliable third-party installations.
Better yet, you’ll be able to implement custom or templated policies to enforce your rules, which helps you stay compliant with California data privacy laws and any general data protection regulation. That protects your school and your students.