Arkansas student data sharing limits and SOPIPA requirements

Arkansas law strictly prohibits EdTech vendors from building commercial profiles or targeting advertisements based on student data collected in the classroom.

The digitization of the Arkansas classroom has brought incredible adaptive learning tools, but it has also opened a firehose of sensitive data flowing to third-party vendors. Parents and administrators often worry that the “free” apps used in K-12 schools are actually monetizing their children’s behavior, grades, and location. In the past, student privacy was governed mainly by the federal FERPA, which focused on the school’s release of records. Today, Arkansas has erected a much stricter state-level firewall directly regulating the vendors themselves.

The legal landscape is defined primarily by the Student Online Personal Information Protection Act (SOPIPA). Unlike federal laws that primarily penalize school districts for funding violations, SOPIPA places direct statutory liability on the “operator” of the website or application. This means the app developer in Silicon Valley is directly answerable to Arkansas law if they use a Little Rock student’s math scores to target ads for tutoring services or sell that data to a broker. The era of “move fast and break things” is over for EdTech in Arkansas; the new standard is “minimize, secure, and delete.”

This article navigates the specific limits Arkansas imposes on student data sharing. We will dissect the prohibition on “Targeted Advertising,” explain the narrow exceptions that allow vendors to use data for product improvement (but not profiling), and detail the mandatory security protocols required by the Student Data Privacy Act (SDPA). Whether you are a school technology director vetting new software or a parent concerned about data mining, this guide clarifies where the legal line is drawn.

Critical Red Lines for EdTech Vendors in Arkansas:

  • No Targeted Ads: Operators cannot use any data collected via the school service to target advertising to the student, either on their own site or across the web.
  • No Profiling: Creating a persistent profile of a student for any purpose other than specific K-12 school purposes is illegal.
  • No Data Sales: Selling, renting, or trading student information is strictly prohibited, even if the school consents.
  • Mandatory Deletion: Vendors must delete student information when requested by the school district, not just when they feel like it.

Last updated: October 26, 2023.

Quick definition: A set of state statutes (SOPIPA and SDPA) that restrict how K-12 student data can be collected, used, and shared by third-party technology providers and school districts.

Who it applies to: “Operators” of websites/apps used for K-12 purposes, Arkansas public school districts, and third-party vendors.

Time, cost, and documents:

  • Compliance Timeline: Immediate; SOPIPA is currently in force.
  • Cost: Penalties for violations; cost of data auditing and DPA negotiation.
  • Key Documents: Vendor Data Privacy Agreement (DPA), Privacy Policy, Parent Notification Letters.

Key takeaways that usually decide disputes:

  • Whether the vendor had “actual knowledge” the data was from a student.
  • The distinction between “product improvement” (legal) and “commercial profiling” (illegal).

Quick guide to Student Data Limits

  • The “School Purpose” Rule: Data can only be used to provide the educational service requested. Using reading logs to market comic books is a violation.
  • Security is Not Optional: Operators must implement “reasonable security procedures.” A simple password might not be enough; encryption at rest is the standard expectation.
  • De-identified Data is the Exception: Vendors can use de-identified or aggregate data to improve their products or demonstrate effectiveness to other schools. This is the main loophole.
  • School Control: The data belongs to the school/student, not the vendor. If the school asks for the data back or asks for it to be wiped, the vendor must comply.
  • Amassing Profiles is Banned: Vendors cannot hoard data over years to build a “lifetime dossier” on a student that follows them into college or employment.

Understanding SOPIPA and SDPA in practice

Arkansas operates under a dual-layer protection system. The first layer is the Student Data Privacy Act (SDPA), which governs the school districts themselves. It mandates transparency, requiring the Department of Education to publish an inventory of what data is collected and why. It limits the state from collecting unnecessary data (like biometric or religious affiliation data) without explicit consent or statutory requirement. This prevents the government from overreaching.

The second, and often more litigated layer, is SOPIPA (Arkansas Code § 6-18-109). This law targets the private sector. It applies to any operator of a website, online service, or application that is used primarily for K-12 school purposes and was designed and marketed for that purpose. This definition is broad. It captures the big Learning Management Systems (LMS) like Canvas or Google Classroom, but also the niche math app a teacher downloaded on a whim. If the vendor knows they are dealing with Arkansas students, they are locked into these rules.

The “Allowable Use” vs. “Prohibited Use” Matrix:

  • ALLOWED: Using data to customize the learning experience for that student (adaptive learning).
  • ALLOWED: Using de-identified aggregate data to show “our app improves test scores by 20%.”
  • PROHIBITED: Using reading history to build a profile for non-educational ads.
  • PROHIBITED: Selling the student list to a test-prep company or military recruiter (unless specific federal exceptions apply).

Legal and practical angles that change the outcome

A major point of contention is the definition of “Targeted Advertising.” Vendors often argue that recommending another one of their educational products inside the app is “service notification,” not advertising. Arkansas law is strict: if the recommendation is based on the student’s data (behavior, history), it is targeted advertising and likely prohibited. Contextual advertising (showing a math book ad because the student is on a math page, without knowing who the student is) is generally the only safe harbor, and even that is scrutinized in K-12 environments.

Another practical angle is Vendor Acquisition (M&A). When an EdTech startup is bought by a tech giant, the student data is often the most valuable asset. Arkansas law permits the disclosure of data during a merger or acquisition, provided the successor entity agrees to be bound by the same privacy terms. If the new owner changes the privacy policy to monetize the data retroactive to the acquisition, they are in violation of the original trust and statutory requirements.

Workable paths for Schools and Vendors

To resolve the friction between innovation and privacy, schools utilize the Data Privacy Agreement (DPA). Arkansas schools often use a standardized “National Data Privacy Agreement” (NDPA) with an Arkansas-specific exhibit. This contract forces the vendor to sign off on specific liabilities, creating a breach of contract claim in addition to the statutory violation if data is mishandled. For vendors, the workable path is “Data Segmentation.” They must architect their databases to segregate K-12 data from consumer data, ensuring that the strict deletion and non-profiling rules are applied automatically to the school accounts.

Practical application: Compliance Workflow

Whether you are a district administrator or a vendor, the workflow for compliance follows a specific lifecycle.

  1. Vetting and Selection: Before a tool enters the classroom, check the privacy policy. Does it explicitly mention SOPIPA or K-12 protections? If it says “we sell data to partners,” reject it immediately.
  2. Contracting (The DPA): Sign a Data Privacy Agreement. Ensure it specifies that the School District retains ownership of the data, not the vendor.
  3. Data Collection: The vendor must collect only what is necessary. If a math app asks for “Political Affiliation” or “Social Security Number,” this is a red flag and likely a violation of minimization principles.
  4. Active Use Monitoring: Ensure no ads are appearing. If a student sees a banner ad for sneakers while doing homework, the vendor is violating the “No Targeted Advertising” rule.
  5. Deletion/Transfer: At the end of the contract or school year, the district should certify that data has been archived or deleted. The vendor must provide a “Certificate of Destruction” if requested.
  6. Breach Response: If data is leaked, the vendor must notify the district immediately. The district then has specific obligations to notify parents under the SDPA.

Technical details and relevant updates

The technical standard for “Reasonable Security” under SOPIPA is not hard-coded but generally aligns with industry best practices like NIST or ISO 27001. This implies encryption in transit (TLS 1.2+) and encryption at rest. If a vendor stores student passwords in plain text, they are per se violating the “reasonable security” clause.

A critical technical detail is De-identification. The law allows vendors to use de-identified data. However, “de-identified” means there is no reasonable basis to believe the information can be used to identify an individual. If the vendor strips the name but keeps the GPS coordinates of the student’s home and their bus route, that is not de-identified. Re-identification attacks are a real risk, and vendors must technically ensure that their anonymization protocols are robust.
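One way to test the point above before an export is treated as de-identified is a k-anonymity check over the quasi-identifiers. This is an added example, not code from the statute or from any vendor; the field names, the sample rows and the threshold k=3 are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample export: names are already stripped, but the home GPS
# point and bus route the article warns about are still present.
ROWS = [
    {"grade": 3, "zip": "72201", "bus_route": "12", "home": (34.7465, -92.2896), "score": 71},
    {"grade": 3, "zip": "72201", "bus_route": "12", "home": (34.7471, -92.2880), "score": 64},
    {"grade": 3, "zip": "72202", "bus_route": "14", "home": (34.7502, -92.2701), "score": 88},
    {"grade": 4, "zip": "72202", "bus_route": "14", "home": (34.7510, -92.2688), "score": 90},
    {"grade": 4, "zip": "72205", "bus_route": "07", "home": (34.7499, -92.3450), "score": 55},
    {"grade": 4, "zip": "72205", "bus_route": "07", "home": (34.7483, -92.3467), "score": 79},
    {"grade": 5, "zip": "72207", "bus_route": "21", "home": (34.7722, -92.3560), "score": 93},
]
RAW_QI = ("grade", "zip", "bus_route", "home")  # quasi-identifiers as exported
GEN_QI = ("grade", "zip3")                      # quasi-identifiers after coarsening


def _key(row, quasi_ids):
    """Combination of quasi-identifier values that could single a student out."""
    return tuple(row[q] for q in quasi_ids)


def risky_rows(rows, quasi_ids, k):
    """Rows whose quasi-identifier combination is shared by fewer than k rows."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return [r for r in rows if counts[_key(r, quasi_ids)] < k]


def is_k_anonymous(rows, quasi_ids, k):
    """True when every row hides in a group of at least k look-alike rows."""
    return bool(rows) and not risky_rows(rows, quasi_ids, k)


def generalize(row):
    """Drop GPS and bus route entirely; truncate ZIP to its first 3 digits."""
    return {"grade": row["grade"], "zip3": row["zip"][:3], "score": row["score"]}


def suppress(rows, quasi_ids, k):
    """Remove the rows that are still unique-ish after generalization."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return [r for r in rows if counts[_key(r, quasi_ids)] >= k]


if __name__ == "__main__":
    print("raw export, rows at risk:", len(risky_rows(ROWS, RAW_QI, 3)))
    coarse = [generalize(r) for r in ROWS]
    print("after generalization:", len(risky_rows(coarse, GEN_QI, 3)))
    released = suppress(coarse, GEN_QI, 3)
    print("released rows:", len(released), "k-anonymous:", is_k_anonymous(released, GEN_QI, 3))
```

Passing this check is one signal, not the legal test itself: the standard stated above is whether there is any reasonable basis to believe the information can identify an individual.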

  • Third-Party Tagging: Vendors must ensure they don’t allow third-party trackers (like Meta Pixel or Google Analytics for Ads) to run on pages where students are logged in. This “data leakage” is a common technical violation.
  • Single Sign-On (SSO): Using Google or Microsoft SSO is standard, but the data passed during the handshake (token exchange) must be limited to authentication, not profiling.
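The third-party tagging check can be automated by auditing the HTML served to a logged-in student against an allowlist of first-party hosts. This is an added example, not a vendor's or district's own tooling; the host names, the sample page and the resulting policy string are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the vendor itself operates for the K-12 service.
ALLOWED_HOSTS = {"app.example-edtech.test", "cdn.example-edtech.test"}
# Tags that cause the browser to fetch a resource, and the attribute that names it.
LOADING_TAGS = {"script": "src", "img": "src", "iframe": "src"}

# Constructed page as served to an authenticated student session.
SAMPLE_PAGE = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example-edtech.test/lib.js"></script>
<script src="//tags.example-ads.test/pixel.js"></script>
<img src="https://collect.example-ads.test/p?ev=PageView" width="1" height="1">
<iframe src="https://app.example-edtech.test/lesson/4"></iframe>
</body></html>
"""


class TagAudit(HTMLParser):
    """Collects resource loads whose host is not on the first-party allowlist."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # Relative URLs have no hostname and resolve to the page's own host.
        host = urlparse(url).hostname or self.page_host
        if host not in ALLOWED_HOSTS:
            self.findings.append((tag, host))


def audit(html, page_host):
    """Return (tag, host) pairs for every off-allowlist load in the page."""
    parser = TagAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def csp_header(page_host):
    """Content-Security-Policy value that makes the browser enforce the allowlist."""
    extra = sorted(ALLOWED_HOSTS - {page_host})
    return "default-src 'self' " + " ".join("https://" + h for h in extra)


if __name__ == "__main__":
    for tag, host in audit(SAMPLE_PAGE, "app.example-edtech.test"):
        print("third-party load on student page:", tag, host)
    print("Content-Security-Policy:", csp_header("app.example-edtech.test"))
```

A static scan like this misses tags injected at runtime by other scripts, which is why the allowlist is also expressed as a Content-Security-Policy header that the browser enforces.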

Statistics and scenario reads

The tension in student privacy comes from the sheer volume of apps used in schools. Districts often manage hundreds of vendors, making manual oversight difficult.

Data indicates that “Freemium” apps are the highest risk category for non-compliance, as their business model often relies on data monetization or upselling, which conflicts with SOPIPA.

Risk level by app category:

  • Freemium Apps: High
  • Paid/Enterprise Apps: Low
  • Teacher-Selected Apps: Medium

Monitorable points for Districts:

  • DPA Coverage: % of active software titles with a signed DPA.
  • Rogue Apps: Number of apps detected on network not vetted by IT.
  • Parent Inquiries: Volume of requests to view/delete student data.

Practical examples of Student Data Sharing

Scenario A: The Compliant Adaptive Learning

A reading app tracks that Student X struggles with phonics. The app uses this data only to suggest phonics exercises to Student X within the app. At the end of the year, the district requests deletion. The vendor wipes the individual records but keeps the aggregated statistics (“80% of 3rd graders improved”).

Verdict: Compliant. The profiling was for an educational purpose (adaptive learning), and the vendor honored the deletion and de-identification rules.

Scenario B: The “Free” Game & The Sneaker Ad

A “free” geography game is used in class. The vendor tracks that the student is located in a wealthy zip code in Little Rock. The vendor uses this location data to serve an ad for expensive sneakers on the sidebar of the game.

Verdict: Violation. This is targeted advertising based on information acquired via the school service. Even if the student didn’t click, the targeting itself is illegal under SOPIPA.

Common mistakes in Student Privacy Compliance

Click-Wrap Consent: Teachers clicking “I Agree” on a standard Terms of Service does not waive the vendor’s obligations under Arkansas law. The statute overrides the TOS.

“It’s just metadata”: Believing that collecting metadata (device type, time of use, IP address) doesn’t count. If it can be used to profile the student, it is protected.

Ignoring “Teacher Freebies”: Teachers signing up for free accounts individually bypass district vetting. These “shadow IT” accounts are often the biggest source of data leakage.

Forever Storage: Vendors retaining data “just in case” the student returns five years later. Data must be deleted when the educational purpose is served.

FAQ about Arkansas Student Data Sharing

Can schools sell student directory information?

No. While FERPA allows schools to share “directory information” (name, address, sports participation) unless parents opt out, Arkansas law generally prohibits the sale of this data. Sharing it for school purposes (like a yearbook vendor) is allowed; selling it to a credit card company is not.

The “directory information” exception is for school-related publicity and operations, not for commercial exploitation by third parties.

Can vendors use student data to improve their product?

Yes, but with limits. Vendors can use data to improve the educational site/service itself (e.g., fixing bugs, refining the algorithm). They can also use de-identified/aggregate data to develop new products.

However, they cannot use identifiable student data to build a completely unrelated product or for marketing purposes.

Does this apply to college students?

Generally, SOPIPA and the SDPA are focused on K-12 education (Kindergarten through Grade 12). Higher education is governed by FERPA and general consumer privacy laws, but the specific “no targeted ads” strictures of SOPIPA are K-12 specific.

Colleges have different data governance structures and students are often adults, changing the consent framework.

What if a parent wants to see the data a vendor holds?

Parents should contact the school district, not the vendor directly. The school is the data controller. The school can then request the data from the vendor.

The vendor is contractually obligated to assist the school in fulfilling these parental inspection requests.

Can a vendor share data with a subcontractor?

Yes, provided the subcontractor is essential to delivering the service (e.g., a cloud hosting provider like AWS). However, the subcontractor must be bound by the same privacy obligations as the primary vendor.

The primary vendor remains liable for the actions of their subcontractors.

Are yearbooks considered a violation?

No. Yearbook companies are vendors providing a school service. Sharing names and photos for the purpose of creating the yearbook is allowed under the “school purpose” exception.

However, the yearbook company cannot take that data and sell it to a class ring company without separate consent or authorization.

What happens if a vendor breaches the law?

Enforcement is typically handled by the Attorney General under consumer protection statutes (Deceptive Trade Practices). Violations can lead to civil penalties.

Furthermore, the vendor would likely be blacklisted by school districts and could face breach of contract lawsuits.

Can students waive these rights?

No. A minor student cannot waive statutory privacy rights. Even parents generally cannot waive the “no sale” provisions for school-mandated software.

The law is designed to be a baseline of protection that cannot be eroded by “click-through” agreements.

Is biometric data treated differently?

Yes. Arkansas has specific restrictions on the collection of biometric data (fingerprints, facial scans) by state entities and schools. It generally requires explicit notification and consent, and sometimes is prohibited entirely for certain uses.

Vendors collecting biometrics face much higher scrutiny and liability risks.

How does this interact with COPPA?

Federal COPPA (Children’s Online Privacy Protection Act) requires parental consent for collecting data from kids under 13. Schools can often consent on behalf of parents for educational tools.

Arkansas SOPIPA goes further than COPPA by regulating what can be done with the data (no ads, no profiling) regardless of consent, and applies to K-12 students of all ages, not just under 13.

References and next steps

  • Audit Your Apps: Parents should ask schools for a list of approved apps. Schools should run an inventory of all active vendor contracts.
  • Review the Privacy Policy: Look for the “SOPIPA” or “K-12” section in any app’s terms. If it’s missing, ask why.
  • Contact the Department of Ed: The Arkansas Department of Education (ADE) provides resources and model policies for student data privacy.

Related reading:

  • Arkansas Code § 6-18-109 (SOPIPA Full Text)
  • Student Data Privacy Act of 2015 (Ark. Code Ann. § 6-18-1901)
  • FERPA vs. SOPIPA: Understanding the difference
  • Department of Education: Data Privacy & Security

Legal basis

The primary statute governing vendor behavior is the Student Online Personal Information Protection Act (SOPIPA), codified at Ark. Code Ann. § 6-18-109. This law mirrors California’s landmark legislation and sets the operational boundaries for EdTech companies.

Parallel to this is the Student Data Privacy Act (SDPA), codified at Ark. Code Ann. § 6-18-1901 et seq., which governs the duties of the Arkansas Department of Education and local school districts regarding data transparency, collection limits, and parental rights. Together, they form a comprehensive mesh of regulation covering both the public purchaser (school) and the private provider (vendor).

Final considerations

The era of treating student data as a “free resource” for tech companies is over in Arkansas. The law is clear: when a student logs in to learn, they are not logging in to be sold. For vendors, compliance is not just about avoiding fines; it is a condition of entry into the Arkansas market. A product that cannot segregate data or guarantee non-profiling is a product that cannot legally be sold to an Arkansas school.

For schools and parents, vigilance is the key. Laws like SOPIPA provide the shield, but consistent enforcement requires asking the right questions. Is this app free? If so, how does it make money? Is there a Data Privacy Agreement in place? By demanding transparency and adhering to the “school purpose” rule, we ensure that technology remains a tool for education, not surveillance.

Key point 1: Vendors are statutorily barred from using student data for non-educational profiling.

Key point 2: Targeted advertising based on school data is illegal, regardless of student age.

Key point 3: Data deletion is mandatory upon request or contract termination.

  • Check for the “Arkansas Student Data Privacy Agreement” in vendor contracts.
  • Avoid “freemium” apps that do not have a clear revenue model unrelated to data.
  • Report suspected violations to the Arkansas Attorney General.

This content is for informational purposes only and does not replace individualized legal analysis by a licensed attorney or qualified professional.
