California Tightens Privacy Focus
California’s regulatory landscape is sharpening around privacy, AI and enforcement in 2026 — schools should expect evolving rules that affect edtech, data governance and student-level analytics noted. The brief flagged that districts and private schools will need clearer policies on platforms and AI tools.
Final regulations approved by the California Office of Administrative Law on Sept. 22, 2025 and effective Jan. 1, 2026 introduce mandatory risk assessments for automated decision‑making technologies (ADMT) used in contexts that include education enrollment or opportunities [approval jdsupra.com; definition thompsoncoburn.com]. Businesses and school vendors that engaged in covered activities before Jan. 1, 2026 must complete risk assessments by Dec. 31, 2027 and submit attestation by Apr. 1, 2028, and the rules also add mandatory cybersecurity audits and record‑keeping obligations for high‑risk processing. jdsupra.com jdsupra.com CalPrivacy’s March 3, 2026 settlement with PlayOn Sports imposed a $1.1 million fine after an investigation spanning Jan. 1, 2023–Dec. 31, 2024 and noted PlayOn contracts with about 1,400 California schools, signaling heightened enforcement on student‑facing platforms. privacymatters.dlapiper.com CPPA also launched a Data Broker Enforcement Strike Force in November 2025 to target registrants and undisclosed data sales. cppa.ca.gov Contract and procurement changes are now common: legal guidance for K‑12 recommends that school–vendor agreements expressly list categories of student data, ban use for advertising, and require vendor risk assessments and breach notification timeframes edtech contracting [guidance jdsupra.com]; California’s Department of Education already mandates annual data‑privacy training for staff with access to student data as part of local compliance efforts. cde.ca.gov
