Author's Note: This piece was co-authored with Ariel Fox Johnson, Policy Counsel with Common Sense Kids Action.
The Student Online Personal Information Protection Act (SOPIPA), which goes into effect in several states in 2016, makes sure edtech providers use student data for educational purposes and nothing else, not for targeted ads or to make a quick buck. SOPIPA also requires that edtech providers protect student data. The school zone should be a privacy zone, a place where students are safe to learn and explore. SOPIPA covers a broad range of K–12 online companies, including websites, services, and apps that may be used with or without a contract with the school or district.
When a vendor says that it complies with SOPIPA, it is verifying that it:
- is not using any data collected via its service to target ads;
- is not creating advertising profiles on students;
- is not selling student information;
- won't disclose information, unless required by law or as part of the maintenance and development of its service;
- is using sound information-security practices, which often include encrypting data;
- will delete data that it has collected from students in a school when the school or district requests it;
- can share information only with educational researchers or with educational agencies performing a function for the school;
- and will innovate safely without compromising student privacy by only using de-identified and aggregated data as it develops and improves its service.
Within a district, if you want to explore how a vendor protects information, you can use the following questions, which are based on the protections required by SOPIPA:
- Does any data collected by you or any affiliates get used for advertising? Is any of this advertising targeted?
- Do you create a profile for students? Is this profile ever used for advertising or in any other way that does not support the educational goals of students?
- Do you sell student information for any reason?
- Have there been any instances when you have disclosed student information?
- Which security practices do you use to protect student information from data breaches or unauthorized access?
- Can we delete our data from your system ourselves, or do we need to request deletions from your support staff?
- If we need to request that data be deleted, how long does it take you to comply with our request?
- How long does it take for your backups to no longer contain any of our data?
- Do you share data with any educational research organizations or educational agencies? If so, who are they, and when and where can we have access to this research?
Q: Who has to comply with SOPIPA?
A: Websites, online services, and mobile apps that are designed, marketed, and used primarily for K–12 school purposes have to comply with SOPIPA. It doesn't matter whether they have a contract with a school or district.
Q: What does SOPIPA mean for districts?
A: If you work in a school district, you have another way of evaluating how well educational software vendors protect the student data they collect. From the district perspective, this allows you to ask vendors one specific question: Do you comply with SOPIPA?
Q: What does SOPIPA require of me?
A: SOPIPA puts the burden of protecting students on those handling the students' information: the edtech providers. SOPIPA does not place any requirements on educators, schools, or districts. Teachers bringing their own apps into the classroom or looking for more guidance on best practices can check out the additional questions below.
Q: What should I ask my vendors?
A: Ask your vendors if they comply with SOPIPA. If they don't comply or don't know, you should hold off on using that vendor. Though SOPIPA does not create liability for educators, you don't want to share students' sensitive personal information with those who cannot prove they will protect it.
Q: What does compliance with SOPIPA mean?
A: Starting in January 2016, when you ask a vendor if they comply with SOPIPA, the answer to this question needs to be an unequivocal "yes." SOPIPA requires that vendors meet all these standards and does not place any additional burdens on districts.
Q: I'm a teacher. What impact does SOPIPA have on how I bring apps into the classroom?
A: Because vendors are required to comply with SOPIPA, it doesn't create any burden on teachers looking to integrate technology. If you are a teacher and you want to use an app, ask if your school or district has an existing contract with the vendor and whether the vendor has been asked if it complies with SOPIPA.
If your school or district doesn't have a contract with the vendor (as will often be the case with many small apps), SOPIPA still applies to the vendor because students should be protected whether or not there is a contract between a school and a vendor. But it's always a good idea to do a quick review of a product's data-use policies. Major red flags include: companies that sell students' data; companies that share or use students' data for providing targeted ads; companies that amass profiles of students for noneducational purposes; and companies that have no or inadequate security provisions.
In general, free apps are more likely to engage in practices that violate student privacy, because many of these apps use data collected by the app as a means of earning money.
Though SOPIPA doesn't require listing apps used in the classroom, this is frequently recommended as a best practice.
If an app has any of the red flags listed above, don't use it.
Q: What should I tell parents?
A: SOPIPA allows the school zone to be a privacy zone, so kids can focus on learning, knowing that their information will be used only for educational purposes, won't be sold or used for targeted ads, and will be kept securely.
Q: Are there any other best practices for educators?
A: You should continue to use due diligence in evaluating products and providers. Treat all student data with care. Be cautious of "free" things that may have hidden costs, such as your students' personal information. And always be up front with parents and students.