Oliver Page

Case study

September 24, 2025

California’s AB 1584: What Schools Must Know About Digital Contracts with EdTech Vendors

Why Student Data Privacy Has Become a Critical Issue for California Schools

Understanding California's AB 1584 starts with one point: this groundbreaking law requires specific privacy protections in all contracts between schools and educational technology companies. Here's what every school leader needs to know:

Key Requirements:

As schools increasingly rely on digital tools and cloud-based services, protecting student information has become more complex than ever. During the COVID-19 pandemic, schools invested billions in EdTech using federal aid, creating an urgent need for stronger data protection frameworks.

California was the first state to comprehensively address student privacy through legislation. Since 2014, nearly 400 student privacy bills have been introduced across 49 states, with California's legislation serving as a template for other states' policies.

AB 1584 puts the legal framework directly into the hands of school districts. Think of it as your legal armor against data misuse. When your school works with any EdTech company, you need a contract that spells out exactly how student data will be protected.

The law is simple in concept but powerful in practice: vendors are just the custodian—never the owner of student data. This isn't just paperwork—it's your protective shield around students' digital information.

Infographic: the flow of student data from schools through EdTech vendors, with AB 1584's nine mandatory contract protections creating security barriers at each step, including data ownership retention by schools, prohibition of commercial use, security requirements, breach notification protocols, and data deletion upon contract termination.

What is California's AB 1584 and Why Was It Enacted?

AB 1584 officially became California Education Code § 49073.1, and it emerged from a perfect storm of digital change in education. Picture this: schools were rapidly moving to cloud-based services and digital learning platforms, but the legal framework protecting student data hadn't caught up with the technology boom.

Before AB 1584 existed, school districts were essentially flying blind when it came to EdTech contracts. They'd sign agreements with vendors without clear, legally binding rules about how student information would be handled, stored, or protected. This created a massive gap in student privacy protection—one that grew wider as schools adopted more digital tools.

The legislative intent was crystal clear: create a robust framework that puts schools back in the driver's seat when it comes to student data protection. California recognized that while technology offers incredible educational opportunities, it also comes with serious risks, especially when dealing with the vast amounts of student information being collected daily.

What makes this law particularly significant is that California became the first state to take such a comprehensive approach to student privacy through legislation. Our state's proactive stance created a ripple effect across the nation—more than 20 states have since adopted similar laws modeled after California's AB 1584 and SOPIPA framework.

If you want to dig deeper into the specifics, check out more info about Education Code 49073.1 or review the official AB 1584 bill text directly.

Key Definitions Under the Law

Understanding AB 1584's terminology isn't just legal homework—it's essential for navigating the law's requirements effectively. Let's break down the key terms that matter most to school leaders.

Pupil records cast a wide net, covering any information directly related to an identifiable student that your district maintains. This includes the obvious stuff like grades, attendance, and disciplinary records, but also extends to health information and special education plans. Here's the important part: under AB 1584, pupil records also include information students generate through instructional software or applications assigned by teachers. That means data from EdTech tools gets the same protection as traditional school records. You can find the complete definition in California's definition of Pupil Records.

Personally Identifiable Information (PII) refers to any data that can identify a specific individual. We're talking about names, addresses, birth dates, student ID numbers, email addresses, and even biometric data. Protecting PII sits at the heart of AB 1584's mission.

De-identified information has been stripped of all PII, making it impossible to reasonably identify individual students. While AB 1584 places strict limits on PII use, vendors can sometimes use de-identified data for legitimate educational purposes like improving their products—but never for targeted advertising.

Third party means any vendor or service provider that contracts with your school district to provide digital educational software or services requiring access to pupil records. These are your EdTech companies, plain and simple.

Pupil-generated content covers anything students create using EdTech applications—essays, projects, artwork, digital assignments, you name it. AB 1584 ensures students maintain rights over this content, including the ability to transfer it to personal accounts.

Who is Affected by AB 1584?

The law's reach extends throughout California's educational landscape, covering all Local Educational Agencies (LEAs). This broad category includes public school districts of every size, from massive urban systems to small rural districts. County offices of education that provide support services to districts within their boundaries also fall under AB 1584's requirements when they contract with EdTech vendors. Charter schools, as publicly funded institutions operating independently, must also comply with the law's mandates.

On the vendor side, AB 1584 impacts any EdTech company or third-party service provider that enters agreements with LEAs where they'll access, store, manage, or retrieve pupil records, or provide digital educational software. This covers an enormous range of companies—learning management systems, online assessment platforms, virtual reality educational tools, AI-driven tutoring services, and countless others. The rule is simple: if they handle student data, they're covered by AB 1584.

The 9 Mandatory Contract Clauses: Core Requirements of AB 1584

Here's where AB 1584 gets really practical. The law doesn't just suggest that schools should protect student data—it requires specific language in every single contract with EdTech vendors. Think of these nine mandatory clauses as your non-negotiable checklist for data protection.

Figure: checklist of the 9 required contract clauses for AB 1584 compliance.

These contractual mandates create a powerful framework for vendor accountability and data misuse prevention. Every school district in California must ensure these clauses appear in their EdTech agreements—it's not optional, it's the law. For detailed examples of what these clauses should look like in practice, check out our comprehensive guide on Contract Clauses Every School Should Demand.

The beauty of AB 1584 lies in its specificity. Rather than leaving data protection up to chance or good intentions, it puts legal teeth behind student privacy. Each clause serves a distinct purpose in creating layers of protection around student information.

Data ownership and control forms the foundation—your school district owns the data, period. The vendor is simply the custodian, like a bank holding your money. Prohibitions on data use create clear boundaries about what vendors absolutely cannot do with student information. Limitation to contractual purpose ensures vendors stay in their lane and only use data for agreed-upon educational purposes.

Parent and student rights to access and correct data guarantee transparency and give families control over their information. Data security and training requirements ensure vendors have proper safeguards in place and trained staff handling student data. Data breach notification plans prepare for the worst-case scenario with clear communication protocols.

Data deletion and certification clauses ensure student information doesn't live forever on vendor servers once contracts end. Prohibition on targeted advertising specifically protects students from commercial exploitation in their learning environments. Finally, joint compliance with federal law creates alignment between state and federal privacy protections.

These nine clauses work together to create a comprehensive shield around student data. When your IT department reviews EdTech contracts, they should be able to check off each requirement. If any clause is missing or watered down, that's a red flag that needs immediate attention before signing anything.

The goal isn't to make contracting with EdTech vendors impossible—it's to make it safe and transparent. Good vendors will already have policies that align with these requirements. The ones that resist or try to negotiate around these protections? Those are the companies you want to avoid.

When you're trying to understand AB 1584, it helps to see the bigger picture. Student privacy laws don't exist in isolation—they work together like layers of protection, each one adding strength to the overall shield around student data.

Think of it this way: federal laws like FERPA and COPPA laid the foundation decades ago. But as schools moved online and EdTech exploded, those older laws couldn't keep up with all the new challenges. California stepped in to fill those gaps, creating stronger, more specific protections that work hand-in-hand with federal requirements.

Figure: overlapping circles showing how federal and state privacy laws interact.

This layered approach has become a model for the nation. The Student Privacy Compass' Guide to State Laws shows how California's pioneering work inspired nearly 400 student privacy bills across 49 states. When California leads on privacy, the rest of the country often follows.

How AB 1584 Complements Federal Laws

Here's where things get interesting. FERPA has been protecting student records since 1974, giving parents the right to see their child's educational records and control who else gets access. COPPA protects kids under 13 from having their personal information collected online without parental consent. Both laws are crucial, but they weren't designed for today's digital classroom reality.

AB 1584 doesn't replace these federal laws—it makes them work better. It takes FERPA's "school official exception" (which allows schools to share data with vendors who provide educational services) and adds teeth to it. Instead of just saying vendors can access data, AB 1584 requires specific contract language that spells out exactly how that data will be protected.

Figure: table comparing FERPA, COPPA, and AB 1584 on key provisions such as scope, core requirements, and enforcement.

The genius of AB 1584 is how it extends COPPA's protective spirit to all students, not just those under 13. While COPPA focuses on getting parental consent for young children, AB 1584 requires contracts to ensure joint compliance with both FERPA (Family Educational Rights and Privacy Act) and COPPA (Children's Online Privacy Protection Act) principles for students of all ages.

This means your high school seniors get the same data protection consideration as your kindergarteners when it comes to EdTech vendors. It's a comprehensive approach that recognizes students don't stop needing privacy protection when they turn 14.

How AB 1584 Works with Other California Privacy Laws

California didn't stop with AB 1584. The state has built an entire ecosystem of privacy laws that work together to protect students and families.

SOPIPA (Student Online Personal Information Protection Act) works as AB 1584's partner in crime. While AB 1584 focuses on what must be in contracts, SOPIPA tells EdTech companies what they absolutely cannot do—like selling student data or using it for targeted advertising. Think of SOPIPA as setting the rules of the road, while AB 1584 makes sure those rules are written into every contract. Our guide All About SOPIPA explains how these laws complement each other.

Then there's the CCPA and CPRA (California Consumer Privacy Act and California Privacy Rights Act). These broader privacy laws give all California consumers—including students and parents—rights over their personal data. While education-specific laws usually take priority for student records, the CCPA principles still matter, especially for parental rights over their children's data. You can learn more about how this affects schools in our article CCPA for Schools.

What makes California's approach so powerful is how all these laws reinforce each other. AB 1584 creates the contractual framework, SOPIPA sets the behavioral boundaries for vendors, and the CCPA provides overarching consumer rights that can apply in educational settings.

It's like having multiple locks on your front door—each one adds another layer of security, making it much harder for anyone to misuse student data.

Implications and Best Practices for Schools and Vendors

Understanding AB 1584 isn't just about checking boxes for legal compliance—it's about fundamentally changing how we approach EdTech partnerships to create genuinely secure learning environments. The ripple effects touch every corner of school operations, from the superintendent's office to the classroom teacher using a new math app.

Think of it this way: before AB 1584, many schools were essentially handing over the keys to student data without really knowing what the vendor would do with them. Now, we have a detailed roadmap that ensures we maintain control while still benefiting from innovative educational technology.

What are the implications of AB 1584 for school districts and their IT departments?

For school districts, AB 1584 represents a shift toward proactive data stewardship rather than reactive damage control. We're no longer just hoping vendors will do the right thing—we're legally requiring them to prove it.

Contract vetting becomes a team sport. Your legal team needs to verify the language meets AB 1584's requirements, but your IT department must understand the technical implications. What does "reasonable security procedures" actually mean for this specific vendor? How will they implement data deletion? These aren't just legal questions—they're operational ones that affect your daily technology management.

Vendor relationships require ongoing attention. Signing a compliant contract is just the beginning. We need systems to monitor whether vendors are actually following through on their promises. This might mean quarterly check-ins, annual security reviews, or requesting updated compliance certifications. It's like having a trusted babysitter—you don't just hire them and forget about it; you maintain communication to ensure everything's going well.

Internal policies need regular updates. As new technologies emerge (like AI-powered tutoring systems), our data privacy policies must evolve too. The core principles of AB 1584 apply to any EdTech tool that touches student data, even if the technology didn't exist when the law was written.

Staff training becomes absolutely critical. Here's where the human element comes in. Even the strongest legal protections can be undermined by a teacher who unknowingly shares student data inappropriately or an administrator who doesn't recognize a phishing attempt targeting school systems. Everyone from classroom teachers to district administrators needs to understand their role in protecting student privacy. This includes recognizing social engineering attacks that could compromise student data systems. For comprehensive guidance on building this security culture, check out Cybersecurity for Educational Institutions.

IT departments gain new authority and responsibility. Your IT team becomes the gatekeeper for EdTech adoption. They need the resources and decision-making power to say "no" to tools that don't meet AB 1584 standards, even if teachers really want to use them. This requires ongoing professional development and clear support from district leadership.

What are the consequences for EdTech vendors who fail to comply with California's AB 1584?

For EdTech companies, the stakes couldn't be higher. Non-compliance isn't just a slap on the wrist—it can fundamentally threaten their business model in California and beyond.

Contracts become legally voidable when they don't include the required nine clauses. This means school districts can terminate agreements immediately, potentially cutting off significant revenue streams. Imagine a learning management system suddenly losing access to dozens of California school districts because their contract language was inadequate.

Data return requirements create operational nightmares. When a contract is voided, vendors must return all student data to the school district. For companies managing millions of student records across cloud-based systems, this process can be technically complex and expensive. They can't just delete everything—they need to carefully extract and transfer data while maintaining its integrity and security.

Reputation damage spreads quickly in the tight-knit education community. Superintendents and IT directors talk to each other. When word gets out that a vendor mishandled student data or failed to comply with privacy requirements, it doesn't just affect their California business—it impacts their national credibility. We've seen major EdTech companies face public scrutiny and lawsuits when their data practices came under fire.

Legal liability extends beyond contract disputes. While AB 1584 focuses on contractual requirements, vendors who misuse student data may also face action under other California laws like SOPIPA and the CCPA, plus potential federal violations. The legal exposure can be substantial, especially given the sensitive nature of children's personal information.

The law creates a clear message: if you want to do business with California schools, student privacy isn't optional—it's the entry fee. This has pushed many vendors to improve their practices not just for California, but for all their school clients nationwide, raising the bar for student data protection everywhere.

Frequently Asked Questions about AB 1584

AB 1584 often raises questions from school leaders, IT directors, and parents. Let's address the most common concerns we hear from California schools.

What specific prohibitions does AB 1584 place on EdTech vendors regarding student data?

The law creates a clear firewall between educational use and commercial exploitation of student data. Vendors are prohibited from using student Personally Identifiable Information (PII) for targeted advertising, which means your fifth-grader won't see ads for math tutoring just because they struggled with fractions in their learning app.

Selling student data is completely off-limits. Think of it this way: student information isn't a commodity to be traded. It's educational data that belongs to the school and should stay within the educational context.

The law also prohibits creating student profiles for any non-educational purpose. This prevents vendors from building detailed dossiers about students that could follow them beyond their school years. All data use must be strictly limited to the purposes outlined in the contract with the school district.

These restrictions ensure that when students log into educational software, they're entering a learning environment—not a marketplace where their data becomes the product.

What rights does AB 1584 grant to parents and students concerning their data?

Parents and eligible students gain significant control over their educational data through AB 1584's requirements. The law ensures that contracts provide a clear way for parents and eligible students to review and correct their personally identifiable information. If there's an error in the data—say, an incorrect grade or demographic information—families have the right to request corrections.

One of the most empowering aspects is how the law handles student-created content. When students write essays, create digital art, or complete projects using EdTech tools, they retain ownership of that work. AB 1584 ensures students can access and transfer their "pupil-generated content" to a personal account, even after the school's contract with the vendor ends.

This means a high school senior can take their digital portfolio with them to college, or a middle schooler can keep their creative writing projects when the school switches to a different platform. It's about preserving student ownership of their own intellectual contributions.

How does AB 1584 address data security and breach notification?

Data security isn't left to chance under AB 1584. The law requires all contracts to describe the vendor's specific security procedures for protecting student data from unauthorized access. These aren't generic promises—they must be reasonable security measures appropriate to the type of data being handled.

Vendors must also designate and train specific individuals within their organization to handle student data securely. Importantly, even if a vendor follows all their stated procedures, they remain liable for any unauthorized disclosures. This creates a strong incentive for vendors to go above and beyond minimum security requirements.

When breaches do occur—and unfortunately, they sometimes do—AB 1584 requires contracts to include clear notification procedures. The vendor must notify the school district, which then notifies affected parents and students. Timely and transparent communication is essential for maintaining trust and allowing families to take protective action if needed.

This dual approach of prevention and response helps create a more secure environment for student data while ensuring everyone stays informed when problems arise.

Conclusion

AB 1584 represents more than just another piece of legislation—it's a game-changer that puts real power back in the hands of school districts. When this law was enacted, it sent a clear message: student data deserves the highest level of protection, and schools have both the authority and responsibility to demand it.

Think of AB 1584 as your digital guardian. It ensures that student data remains where it belongs—with the school, not floating around in vendor databases for unknown purposes. The vendors? They're just the babysitters, not the parents. This distinction matters tremendously when it comes to protecting the privacy and safety of our students.

Building a culture of privacy starts with understanding that we're all in this together. Every teacher who uses a new app, every administrator who signs a contract, and every IT director who evaluates security measures plays a crucial role. The law's nine mandatory clauses aren't just legal requirements—they're our roadmap for creating learning environments where students can explore, create, and grow without worrying about their personal information being misused.

Proactive compliance is always better than reactive damage control. When we take the time to properly vet contracts, train our staff, and maintain ongoing oversight of our EdTech partnerships, we're not just checking boxes—we're building trust with families and creating sustainable practices that will serve our students well into the future.

The human element remains our strongest defense. Even with the best contracts and policies in place, the human firewall—our trained and aware staff—is what makes the difference between a secure school environment and a vulnerable one. Every person in our school community needs to understand their role in protecting student data, from recognizing phishing attempts to using EdTech tools responsibly.

To understand your district's vulnerability to common threats, get a free phishing audit to test your staff's awareness. This simple step can reveal gaps in your security posture before they become problems.

At CyberNut, we understand the unique challenges facing K-12 schools in today's digital landscape. Our automated, gamified micro-trainings are designed specifically for educational institutions, helping you build that essential human firewall through engaging, bite-sized lessons that actually stick. Because when it comes to protecting our students' data and digital futures, we're all on the same team.
