California S.B. 1177 and A.B. 1584
California S.B. 1177, known as the Student Online Personal Information Protection Act (SOPIPA), imposes rigorous rules on operators of websites or providers of Internet services or mobile applications with actual knowledge that the services are used primarily for “K-12 school purposes” and were designed and marketed for K–12 school purposes. Among other things, it prohibits the use of student data for targeted advertising on the website, service or app and the sale of student data. Operators of educational online services must also implement and maintain reasonable security procedures and practices, as well as protect that student data from unauthorized access, destruction, use, modification, or disclosure. “Operator” is broadly defined as any service provider whose services are primarily used for K-12 educational purposes and designed and marketed for K-12 school purposes.
California A.B. 1584 requires that contracts between a school district and third parties specify, among other things, that the student data remains the property of the educational agency; how students and parents may access their data; how the third party will ensure the confidentiality and security of student data; and how to notify students and parents in the event of a security breach.
Source: DLA Piper