K-12 Student Data Privacy and Security Laws in California

California has established one of the most detailed frameworks in the United States for protecting student data generated within K-12 public schools. These protections span state statutes, federal baseline requirements, and the obligations of third-party vendors who receive or process student information. Understanding which laws apply, how they interact, and where their boundaries lie is essential for school districts, software companies, and education technology administrators operating in California.

Definition and scope

California's K-12 student data privacy framework is anchored by the Student Online Personal Information Protection Act (SOPIPA), codified at California Business and Professions Code §§ 22584–22585. Enacted in 2014 and effective January 1, 2016 (California Legislative Information, B&P Code § 22584), SOPIPA places restrictions on operators of websites, online services, and mobile apps that are designed and marketed primarily for K-12 school purposes. The law prohibits covered operators from using student data to build advertising profiles, selling student information, or disclosing it to third parties without authorization.

Separately, the California Education Code §§ 49073–49079.7 governs access to and disclosure of pupil records maintained by school districts directly. These provisions address what records districts may share, with whom, under what conditions, and what parental consent is required.

At the federal level, two statutes establish a compliance floor that California law supplements rather than replaces:

Family Educational Rights and Privacy Act (FERPA) (34 CFR Part 99) — grants parents rights over their children's education records at institutions receiving federal funding.
Children's Online Privacy Protection Act (COPPA) (16 CFR Part 312) — enforced by the Federal Trade Commission, governs online collection of personal information from children under 13.

California's state statutes are generally stricter than FERPA and COPPA, meaning California-based school districts and vendors must meet both federal and state standards simultaneously. For a broader orientation to how California's cybersecurity regulatory environment is organized, the California cybersecurity regulatory context page provides additional framing.

Scope limitations: These California statutes apply to K-12 public school districts and to vendors serving them. Private schools not receiving federal funds occupy a different regulatory position under FERPA, though SOPIPA's vendor-side obligations may still apply. Higher education institutions are governed by a distinct body of law and are not covered by SOPIPA or Education Code §§ 49073–49079. Out-of-state entities serving California students through online platforms remain subject to SOPIPA regardless of where the company is incorporated.

How it works

SOPIPA operates primarily through vendor-side obligations rather than district-side mandates. An "operator" under SOPIPA is any entity that runs a website, online service, or application with actual knowledge it is used primarily for K-12 purposes. The statute's compliance mechanism works in three operational phases:

Prohibition on secondary use — Operators cannot use student data acquired through K-12 services to advertise to students, create advertising profiles, or sell the information. This prohibition is categorical and does not allow opt-out exceptions.
Data security requirement — Operators must implement and maintain reasonable security procedures and practices appropriate to the nature of the student personal information they handle (B&P Code § 22584(d)).
Deletion on request — When a school district requests deletion of student data the district provided, the operator must comply unless a legal hold or other legal obligation prevents it.

California Education Code § 49073.1 further requires that school district governing boards adopt a written policy governing the collection and use of pupil personal information by contractors. Districts must also ensure that any contract signed with an education technology provider includes specific data governance provisions.

The California Privacy Protection Agency (CPPA), established under the California Privacy Rights Act (CPRA), holds rulemaking authority over consumer privacy broadly but has focused rulemaking attention on areas including children's data. The CPPA's evolving regulatory guidance intersects with K-12 data privacy because some student-adjacent data may fall under the CPRA depending on context. The California Privacy Protection Agency's cybersecurity role page covers the CPPA's broader mandate.

For a grounding in key terminology used across California's cybersecurity and privacy statutes, the California cybersecurity terminology and definitions glossary is a useful reference.

Common scenarios

Three operational scenarios illustrate how these rules engage in practice:

Scenario 1 — EdTech platform audit. A district deploys a learning management system to 40,000 students. Before the contract is signed, the district's technology coordinator must confirm the vendor has a data security program, will not use student data for advertising, and will delete records within a defined period at contract end. This is a direct SOPIPA and Education Code § 49073.1 requirement.

Scenario 2 — Third-party data transfer. A vendor that holds student assessment data wants to share anonymized records with a research firm. Even if the data is de-identified, SOPIPA prohibits disclosing student information for purposes unrelated to the K-12 service without explicit authorization. De-identification under California law must meet a standard that makes re-identification not reasonably possible.

Scenario 3 — Breach of student records. If a vendor experiences a security incident involving student personal information, California's data breach notification law (California Civil Code §§ 1798.29 and 1798.82) requires notification to affected individuals. The California data breach notification law page details the notification timeline and content requirements. In the education context, the school district — as the data custodian — typically bears notification responsibility, though the vendor's contract should specify this allocation.

The California education sector cybersecurity page covers the broader threat landscape and security posture challenges facing California school districts.

Decision boundaries

Understanding which law applies — and to whom — requires distinguishing between operator obligations, district obligations, and federal preemption boundaries.

SOPIPA vs. FERPA: SOPIPA regulates vendors; FERPA primarily regulates school districts and their direct handling of education records. A vendor can be in compliance with FERPA (because it is acting as a "school official" with legitimate educational interest) while still violating SOPIPA if it uses student data for advertising. The two frameworks are not interchangeable.

SOPIPA vs. CPRA: The CPRA (California Civil Code § 1798.100 et seq.) governs consumer personal information broadly. Student data collected exclusively within a SOPIPA-covered K-12 context may be excluded from some CPRA obligations, but the boundary depends on whether the operator's services are used exclusively for K-12 purposes or also serve adult consumers in the same product instance. Dual-use products complicate this boundary materially.

Age thresholds: COPPA's protections apply to children under 13. SOPIPA applies to all K-12 students regardless of age, meaning high school students aged 16 or 17 fall outside COPPA but remain inside SOPIPA's protective scope.

Public vs. private schools: California Education Code § 49073 applies to public school districts. Private K-12 schools not receiving federal funds are not subject to FERPA and have no obligation under Education Code § 49073, though vendor-side SOPIPA obligations still attach if the service is marketed for K-12 use.

Enforcement: The California Attorney General holds enforcement authority over SOPIPA under Business and Professions Code § 22586. There is no private right of action under SOPIPA itself. FERPA enforcement runs through the U.S. Department of Education's Student Privacy Policy Office, which can withhold federal funding from non-compliant districts — a significant structural deterrent for the state's 1,000-plus school districts receiving Title I or other federal allocations.

For a conceptual overview of how California's layered cybersecurity obligations fit together, the how California cybersecurity works page situates K-12 requirements within the state's broader regulatory architecture. The California K-12 student data privacy and security page provides supplemental resources and references specific to the education sector. For a starting point across all site content, the California Security Authority home offers a navigational index of topics.

References

California Business and Professions Code § 22584 — SOPIPA (California Legislative Information)
California Education Code § 49073 — Pupil Records (California Legislative Information)
Family Educational Rights and Privacy Act (FERPA) — 34 CFR Part 99 (eCFR)
[Children's Online Privacy Protection Act (COPPA) — 16 CFR Part 312 (eCFR)](https://www.ecfr.gov/current/title-16

📜 4 regulatory citations referenced · 🔍 Monitored by ANA Regulatory Watch · View update log

Explore This Site

Services & Options Types of California Cybersecurity Regulations & Safety Regulatory Context for California Cybersecurity Tools & Calculators Password Strength Calculator FAQ California Cybersecurity: Frequently Asked Questions