Student Online Personal Protection Act

Effective July 1, 2021, each school shall post and maintain on its website, or make available for inspection at its administrative office the following information:
a “layperson” explanation of the data elements of covered information under the Student Online Protection Act that the school collects, maintains, or discloses to any person or entity, and how the school uses and discloses the information, and the purpose of the use of such information;
a list of operators that the school has written agreements with, a copy of each written agreement, and a business address for each operator;
for each operator, a list of any subcontractors to whom covered information may be disclosed, or a link to the operator’s website that lists that information;
a written description of procedures a parent may use to exercise rights granted by the Act;
a list of any breaches of covered information that includes: the number of students involved (unless disclosure violates Personal Information Protection Act);
the date or estimated date range of the breach; and
if an operator breach, the name of the operator.

Schools must update items (1)(3)(4)and (5) no later than 30 calendar days following the start of a fiscal year, and no later than 30 days following the beginning of a calendar year.
If the number of students whose covered information involved in the breach is less than 10% of enrollment, the school may omit such breach. Each school must post on its website, or make available at its administrative office for inspection, each written agreement entered into under the Student Online Personal Protection Act.