All About

Why Student Data Privacy Matters in Oregon's Schools

All About Oregon's SB 187 Student Information Protection Requirements begins with a modern reality: students use digital tools for everything. While this technology offers incredible learning opportunities, it also creates significant privacy risks, as educational apps can track vast amounts of sensitive student data.

Quick Overview: What You Need to Know About Oregon's SB 187

• Official Name: Oregon Student Information Protection Act (OSIPA)
• Effective Date: July 1, 2016
• Primary Goal: Protect student data from commercial exploitation by EdTech companies.
• Key Prohibitions: Selling student data, targeted advertising, unauthorized profiling.
• Who It Applies To: Operators of websites, apps, and online services used for K-12 school purposes.
• Enforcement: Oregon Attorney General under the Unlawful Trade Practices Act.

As Oregon Attorney General Ellen Rosenblum noted, many students are "too young to understand the significance of being asked to share personal information." This poses a challenge for K-12 IT directors tasked with protecting this data while enabling digital learning.

Oregon's SB 187 was created to solve this problem. It sets clear rules for EdTech vendors, prohibiting them from mining student data for commercial purposes, using it for targeted advertising, or selling it. The law also requires vendors to implement reasonable security and delete data upon a school's request. Understanding OSIPA is crucial for protecting students from identity theft, commercial exploitation, and long-term privacy violations.

Basic All About Oregon’s SB 187 Student Information Protection Requirements vocab:

• All About FERPA: The Federal Student Privacy Law That Still Matters in 2025
• All About New York’s Education Law § 2-d: Student Data Privacy, Explained
• What to Know About California’s SB 1177 (SOPIPA Expansion) and Its Impact on K–12 Schools

What is Oregon's SB 187? A Deep Dive into OSIPA

The Oregon Student Information Protection Act (OSIPA) arose from a growing concern that students were vulnerable in the increasingly digital classroom. By 2015, educational platforms were tracking vast amounts of student data, often treating it as a commodity for analysis, profiling, and advertising.

The Legislative Journey

In response, Oregon Attorney General Ellen Rosenblum requested legislation to protect students from the commercial exploitation of their personal information. The resulting Senate Bill 187 passed with overwhelming bipartisan support and was signed into law, taking effect on July 1, 2016.

Supporters argued that federal laws like FERPA were not designed for the EdTech era and didn't adequately prevent third-party companies from misusing student data. While some tech lobbyists and privacy advocates raised concerns about the bill's final language, the primary goal remained to balance student privacy with educational innovation. The full legislative record is available at SB187 2015 Regular Session - Oregon Legislative Information System.

Key Definitions Under the Oregon Student Information Protection Act

To understand All About Oregon's SB 187 Student Information Protection Requirements, you must know the law's key terms from ORS 336.184.

• Operator: An entity running a website, online service, or app that has actual knowledge its service is designed, marketed, and used primarily for K-12 school purposes.
• K-12 School Purposes: Activities directed by a school or district, or that aid in school administration. This distinguishes school-sanctioned use from a student's personal browsing.
• Targeted Advertising: Showing ads to a student based on a profile built from their personal information or online behavior over time. The law prohibits this, though it permits contextual advertising (ads based on the current page content).

What is 'Covered Information'?

OSIPA protects a broad range of covered information, defined as any personally identifiable information or materials about a student gathered for K-12 purposes. This comprehensive scope recognizes that many data points can be combined to create detailed profiles of children.

Protected information includes:

• Educational Records: Grades, attendance, test results, and disciplinary records.
• Personal Identifiers: Name, address, phone number, email, Social Security number, and student ID.
• Sensitive Data: Health records, biometric information, socioeconomic status, disabilities, political or religious affiliations.
• Online Activity: Search history, geolocation data, food purchases, photos, and voice recordings.

By protecting this wide array of data, OSIPA helps ensure that a student's full digital footprint from their education is shielded from commercial use. For more on sensitive data, see our resource on Sensitive Data Definition and Types.

Core Mandates: What OSIPA Prohibits and Requires for EdTech Vendors

Understanding All About Oregon's SB 187 Student Information Protection Requirements means knowing the clear rules for your EdTech vendors. OSIPA provides a compliance framework with specific prohibitions and requirements to protect student data.

Prohibited Activities for EdTech Operators

OSIPA establishes several clear prohibitions for operators of services used for K-12 school purposes:

• No Targeted Advertising: Companies cannot use data collected from students to target them with ads, either on the educational platform or elsewhere online.
• No Commercial Profiling: Operators are forbidden from creating student profiles for any purpose other than education. While a platform can track a student's academic progress to personalize learning, it cannot build a profile for commercial use.
• No Selling Student Data: Selling a student's covered information to any third party, such as data brokers or marketers, is strictly prohibited.
• No Unauthorized Disclosure: The default rule is that student data must remain confidential and cannot be shared with third parties unless a specific legal exemption applies.

Data Security and Deletion Requirements

OSIPA also mandates proactive data protection measures:

• Reasonable Security: Operators must implement and maintain reasonable security procedures and practices appropriate for the type of data they handle. This includes technical, administrative, and physical safeguards to protect covered information.
• Data Deletion: Schools have the right to request the deletion of student data. Operators must comply with these requests within a reasonable timeframe, giving districts control over the data lifecycle and minimizing long-term risk.

When vetting vendors, look for a comprehensive Data Security and Privacy Plan that details their security practices.

Permitted Uses and Exemptions Under OSIPA

OSIPA is not meant to hinder education, so it allows for several beneficial uses of student data under strict conditions:

• For School Purposes: Data can be used and disclosed to facilitate learning, such as sharing assignments with teachers or reporting results to the school, provided the recipient is also bound by OSIPA's privacy rules.
• Research and Product Improvement: Operators can use data for legitimate educational research or to improve their products, including for adaptive learning technologies. This data is often required to be de-identified.
• De-identified or Aggregated Data: Information that has been stripped of personal identifiers or combined so no individual student can be identified can be used for analysis and product development.
• Legal and Safety Compliance: Disclosure is permitted when required by law, such as in response to a subpoena or to protect user safety, as detailed in ORS 336.187.
• With Service Providers: Operators can work with subcontractors (e.g., cloud hosting) if they are contractually bound to the same security and privacy standards.

These exemptions create a balance, allowing for innovation in EdTech while ensuring student privacy remains the priority.

All About Oregon's SB 187 Student Information Protection Requirements: Enforcement and National Context

Understanding All About Oregon's SB 187 Student Information Protection Requirements includes knowing how the law is enforced and how it fits within the broader landscape of student privacy legislation.

How is OSIPA Enforced and What Are the Penalties?

OSIPA is enforced by the Oregon Attorney General. A violation of the act is considered an unlawful trade practice under ORS 646.607. This gives the law significant teeth, as EdTech companies face investigations, civil penalties, and mandatory corrective actions for non-compliance.

For school districts, parents, or educators, suspected violations can be reported directly to the Oregon Attorney General's Consumer Protection Hotline. The Oregon Department of Justice provides resources and guidance on its Oregon Student Privacy page, outlining the enforcement process and how to file a complaint. This structure ensures OSIPA is a requirement with real consequences.

How OSIPA Complements Federal Laws like FERPA and COPPA

Federal laws like FERPA and COPPA provide a foundation for student privacy, but they have gaps that OSIPA was designed to fill.

• FERPA (Family Educational Rights and Privacy Act) primarily regulates how schools handle student education records. It is less effective at governing how third-party EdTech companies collect and use data directly from students. OSIPA closes this gap by placing direct obligations on the vendors themselves. Learn more in our guide, All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.

• COPPA (Children's Online Privacy Protection Act) applies only to children under 13 and focuses on parental consent for data collection. OSIPA offers broader protection by covering all K-12 students and regulating how their data is used, shared, and profiled after collection.

Together, these laws create a layered protection model, with OSIPA adding a crucial layer specifically custom to the risks of modern educational technology.

Oregon's Law in the National Landscape

Oregon was part of a national movement to strengthen student privacy, modeling SB 187 on California's SOPIPA (Student Online Personal Information Protection Act). By adopting a framework similar to California's landmark law, Oregon benefited from a well-vetted approach to regulating EdTech companies while allowing for innovation.

Advocacy from groups like Common Sense Media helped shape this national trend, raising awareness about the need for stronger state-level protections. Today, Oregon stands with other states that have recognized that as digital learning evolves, the laws protecting student data must evolve with it. For more on California's law, see All About SOPIPA: California's Law Protecting Student Data in the Digital Age.

A Practical Guide for Oregon School Districts

For Oregon school districts, complying with All About Oregon's SB 187 Student Information Protection Requirements means integrating privacy into daily operations, from vendor selection to staff training.

All About Oregon's SB 187 Student Information Protection Requirements for Vendor Contracts

Your EdTech contracts are your first line of defense. Before signing any agreement, it's critical to vet vendors and ensure your contracts contain strong privacy protections.

• Vet Your Vendors: Ask potential partners how they comply with OSIPA. Review their privacy policies and use agreements to ensure they meet Oregon's standards.
• Mandate Contractual Obligations: Your contracts must explicitly prohibit vendors from selling student data, engaging in targeted advertising, or creating commercial profiles. These are non-negotiable requirements under the law.
• Use Data Processing Agreements (DPAs): A strong DPA should define what data is shared, for what specific school purposes, and how it will be secured. It must also include provisions for data deletion upon your request.
• Include Downstream Restrictions: If your vendor uses subcontractors, the contract must ensure those third parties are also bound by OSIPA's privacy and security requirements. This prevents data from being passed along without protection.

For specific language to include, our resource on Contract Clauses Every School Should Demand in EdTech Agreements can help.

All About Oregon's SB 187 Student Information Protection Requirements and Staff Training

Even with perfect contracts, your district's security is vulnerable if staff are not trained to recognize and avoid cyber threats. The human element is often the weakest link in cybersecurity.

Phishing and social engineering attacks are a major risk, as criminals target school staff to gain access to sensitive student data. A single click on a malicious link or a moment of misplaced trust can lead to a significant data breach, undermining your OSIPA compliance efforts.

Building a culture of security is essential. This means providing regular, engaging training that empowers everyone—from teachers to administrators—to be a part of the solution. Compliance isn't just a legal checkbox; it's a daily practice of protecting students.

However, your staff is busy. They need training that is effective without being a burden. At CyberNut, we specialize in cybersecurity training for K-12 schools. Our automated, gamified micro-trainings are designed to be engaging and low-touch for your IT team, with a strong focus on phishing awareness. We help turn your staff into your strongest defense. Learn more about Cybersecurity Training Empowering K-12 Staff Against Cyber Threats.

Unsure how your staff would fare against a real phishing attempt? Get a complimentary phishing audit to assess your vulnerabilities and identify where to focus your training.

Securing Oregon's Digital Classrooms for the Future

We've explored the key aspects of All About Oregon's SB 187 Student Information Protection Requirements. Since 2016, OSIPA has provided a critical framework to protect students from commercial exploitation by prohibiting data selling, targeted advertising, and non-educational profiling. It empowers schools with data deletion rights and mandates reasonable security from EdTech vendors, all backed by the enforcement power of the Oregon Attorney General.

This law ensures students can use digital tools to learn without their privacy being compromised. But a law alone cannot stop a data breach. The reality is that your staff—the people who interact with student data daily—are the primary target of cybercriminals.

Phishing emails and other social engineering tactics are designed to trick well-meaning employees into making a mistake that can bypass all your technical defenses. This is where compliance meets reality. You can have ironclad contracts, but you're still exposed if your team isn't trained to spot and avoid these threats.

At CyberNut, we believe that your staff can be your strongest line of defense. They just need the right training—not boring, one-off videos, but engaging, relevant, and continuous learning that prepares them for real-world attacks. Our automated, gamified micro-trainings are designed specifically for the K-12 environment to build a resilient culture of security without overwhelming your busy educators.

Is your district truly prepared to defend against the sophisticated phishing attacks targeting student data today? We can help you find out. Get a complimentary phishing audit to identify your vulnerabilities and see how strong your human firewall really is. There's no obligation—just actionable insights.

Securing Oregon's digital classrooms is a shared responsibility. By empowering your staff, you can turn policy into practice and ensure a safer digital future for every student. Explore our resources to learn more.