California’s Student Data Privacy Laws Face New Challenges

For every aspect of a student’s life, there’s a tech company trying to digitize it. Inside the classroom, online tools proctor exams, create flashcards and submit assignments. Outside, technology coordinates school sports, helps bus drivers find the right route and maintains students’ health records. California has a number of laws aimed at protecting children’s data privacy, but those laws have exceptions that allow many tech companies to continue packaging and selling students’ personal information. This year, Assemblymember Dawn Addis, a San Luis Obispo Democrat, is carrying a high-profile state bill that would add new protections for students.

A History of Student Data Privacy in California

Historically, California has been a leader in data privacy. In 2014, California passed a landmark student privacy law that prohibited technology companies from selling students’ data, targeting students in advertising or disclosing their personal information. Then in 2018, the state passed another unprecedented bill that required all companies give California users certain privacy rights, such as a chance to opt out of data collection and delete some of their information. California Department of Education details these privacy laws and resources for families and educators.

Loopholes and Evolving Technology

However, as technology evolved and proliferated, privacy laws repeatedly fell short in protecting California’s students—at the same time that the federal government has tried to collect increasing amounts of personal information, according to Assemblymember Addis. Her bill, Assembly Bill 1159, would restrict how AI companies use student data and create new data protections for college students.

Powerful Opposition

Some of Sacramento’s most powerful players are paying close attention to the measure, including the California Labor Federation, which supports the bill, and the California Chamber of Commerce, which opposes it. Combined, these two groups spent nearly $8 million on campaign donations to state legislators or other political activities in 2024, according to CalMatters. TechNet, a trade association that represents many of the most powerful tech companies, also opposes the bill.

Closing Loopholes, But Is It Enough?

Assembly Bill 1159 would close certain loopholes in the state’s 2014 education privacy law, but experts say it may not be enough to prevent companies from selling students’ data.

The Challenges of Parental Consent and Data Tracking

Jen King, a privacy and data policy fellow at Stanford’s institute for AI, highlights the difficulties in protecting student data. Federal law requires companies to get parental consent before knowingly collecting or selling data from children 12 and under, but once a child turns 13, their data is generally treated much like an adult’s information. King’s experience with TeamSnap, a platform used by her son’s sports teams, illustrates this issue. She found that the platform requested extensive personal information, including her date of birth, and tracked her activity across other apps and websites.

How Companies Circumvent Privacy Laws

The 2014 California law only applies to products that “primarily” serve K-12 schools and are designed and marketed for students. Many tech companies argue that their products aren’t primarily intended for students or that their use isn’t mandatory. Apps or technologies serving extracurricular programs or sports teams can claim they weren’t designed and marketed for the classroom. This creates a “black hole” where there haven’t been protections, according to Amelia Vance, the president of the Public Interest Privacy Center.

Enforcement and the Right to Sue

To increase enforcement, Addis’ bill contains a new provision—the right for students and parents to sue tech companies in certain cases for privacy violations. Business and technology groups have opposed the bill, arguing that the new regulations and the right to sue would stifle investment in AI-powered learning tools.

Recent Enforcement Actions

In November, the California Attorney General’s office reached $5.1 million in settlements against Illuminate, an education technology company that uses data to track and evaluate students’ progress, following a data breach that exposed information from over 434,000 California students. The California Department of Education emphasizes the importance of protecting personally identifiable information (PII) about California’s students.

Resources for Student Data Privacy

The California IT in Education (CITE) offers resources, including a searchable database of applications and vendors who have signed the statewide agreement to comply with California’s student data privacy laws. This database creates transparency for teachers, parents, and others to determine if an application is compliant.