Tech Firms Find Loopholes in California Student Data Law
An investigative report found that technology companies are circumventing California's regulations designed to protect student data. The findings highlight an ongoing dynamic between product development and privacy regulation. The use of such workarounds poses potential regulatory and public relations risks for companies operating in the state.
- The primary California law designed to protect K-12 students' data is the Student Online Personal Information Protection Act (SOPIPA), which went into effect in 2016. It prohibits operators of online services used for school purposes from selling student data, building profiles for non-educational purposes, and using the data for targeted advertising. - A significant loophole in the law is that its restrictions apply to services that are "designed and marketed for K-12 school purposes," allowing general audience platforms to collect student data without being subject to the same stringent rules. - The recent investigative report by The Markup highlights that despite California's reputation as a leader in data privacy, existing laws have exceptions that permit tech companies to package and sell students' personal information. - Educational technology companies collect a wide array of student data, including academic performance, disciplinary records, family wealth indicators, and even sensitive information like medical conditions and special education accommodations. - A new legislative proposal, Assembly Bill 1159, aims to close existing loopholes by prohibiting the use of student data to train artificial intelligence systems and extending privacy protections to students in higher education. - In November 2025, California's Attorney General, as part of a multi-state settlement, took the first enforcement action under SOPIPA against Illuminate Education, an edtech company, for a data breach that exposed the sensitive information of millions of students, including over 434,000 in California. - Some tech companies have been found to obscure their data deletion instructions from search engines, making it difficult for parents and students to exercise their right to have their personal information removed. - While federal laws like the Family Educational Rights and Privacy Act (FERPA) exist, they are primarily aimed at schools rather than the tech vendors themselves, creating a regulatory gap that state laws like SOPIPA are intended to fill.
