What to Know About

Why Virginia's Student Privacy Laws Matter More Than Ever

What to Know About Virginia's Student Privacy in Online Education Act is critical for every parent, educator, and school administrator in the Commonwealth. Here's what you need to know right now:

Quick Answer:

1. The Law: Virginia's Student Online Personal Information Protection Act (SOPIPA/SB 951) regulates how online education services collect, use, and share K-12 student data.
2. Who It Covers: School service providers, EdTech vendors, and online platforms used by Virginia schools.
3. Key Protections: Bans targeted advertising to students, prohibits selling student data, and requires strong data security measures.
4. Breach Rules: Schools must notify parents "as soon as practicable" after a data breach, including what information was exposed and what steps are being taken.
5. Your Rights: Parents can inspect records, request corrections, opt out of directory information sharing, and file complaints if violations occur.

The massive shift to online learning means students spend hours on digital platforms, creating a vast digital footprint with every click and submission.

But here's the problem: Not all EdTech companies handle student data responsibly.

Recognizing this risk, Virginia strengthened its privacy laws, which work with the federal Family Educational Rights and Privacy Act (FERPA) to shield student information. For K-12 IT directors, these laws are about protecting the school community from data breaches and privacy violations with lasting consequences for students.

The challenge is that many breaches start with a simple phishing email. Even the strongest privacy laws can't prevent human error.

What to Know About Virginia's Student Privacy in Online Education Act glossary:

• All About FERPA: The Federal Student Privacy Law That Still Matters in 2025
• What to Know About NY Education Law Section 2-c: Vendor Contracts and Student Data Use
• What to Know About New Jersey's Student Online Privacy Protection Act (SOPPA-NJ)

Understanding Virginia's Student Privacy in Online Education Act (SOPIPA)

Virginia's Student Online Personal Information Protection Act (SOPIPA), passed as SB 951, is the state's commitment to keeping K-12 student data safe. It's designed to prevent the misuse of personal information by the very tools meant to help students learn. SOPIPA modernizes privacy standards for online education, bringing protections into the 21st century.

The Primary Purpose and Scope of the Act

Virginia needed this law because federal laws like FERPA were written long before the rise of EdTech. SOPIPA fills these gaps by regulating vendors and ensuring student data is used strictly for educational purposes--not for marketing or sales. The law applies to any website, mobile app, or online service designed for K-12 school use.

If a company creates a tool for K-12 education, they must now play by Virginia's rules, which mandate strict data handling practices and create real accountability. You can read the specific legal requirements for school service providers in the 2023 Code of Virginia, but the bottom line is that companies that don't comply face real consequences.

How SOPIPA Defines 'School Service' and Covered Entities

SOPIPA casts a wide net. The law defines a 'school service' as any digital tool that is designed and marketed for K-12 education, used at the direction of school staff, and collects student personal information.

This means website operators, online service providers, and mobile application developers who create educational tools are all covered. A student's typical day involves multiple digital touchpoints, from learning management systems to educational apps. Each service provider involved is now bound by SOPIPA's requirements.

Some exceptions exist, such as tools for college readiness assessments or general public use. But if a vendor markets its product to schools and collects student data, it is almost certainly covered.

What Categories of Student Personal Information Are Protected?

SOPIPA protects a wide range of information that could identify a student or detail their educational experience, covering their entire digital footprint. This includes obvious identifiers like names and email addresses, but also educational records, student-generated content, and modern data types.

The law explicitly protects biometric data (like fingerprints) and geolocation information. Even disciplinary records and participation in extracurricular activities fall under SOPIPA's umbrella.

Here's a complete picture of what's protected:

• Student names, email addresses, and phone numbers
• Dates and places of birth
• Social security numbers
• Medical and health records
• Grades, grade point averages, and academic performance data
• Attendance and enrollment information
• Student-generated content (assignments, projects, posts)
• Biometric data (fingerprints, facial recognition)
• Geolocation information
• Disciplinary records
• Juvenile dependency records
• Special education data
• Participation in extracurricular activities

This comprehensive approach ensures a student's personal information is protected by law during any online educational activity. The data belongs to the student and their family, not the EdTech companies.

Key Responsibilities and Restrictions for Schools and Vendors

Under SOPIPA, partnerships between Virginia schools and EdTech companies are built on a framework of accountability. Both schools and vendors have clear responsibilities to protect students while allowing for innovation.

Schools must vet companies before signing contracts, ensuring vendors have comprehensive security programs with administrative, technological, and physical safeguards. Contracts must also guarantee the timely deletion of student data when it's no longer needed for educational purposes. These contractual obligations are legal requirements that explicitly prohibit unauthorized data use.

However, contracts can't stop phishing attacks that trick staff members. Legal protections are the first step; robust cybersecurity training is essential to prevent breaches before they happen.

Vendor duties under Virginia’s Student Privacy in Online Education Act

In practice, Virginia’s Student Privacy in Online Education Act means vendors are guardians of sensitive student information. The law mandates specific duties for every school service provider.

Vendors must be transparent, clearly explaining what data they collect, how it's used, and who it's shared with. Privacy policies must be readable and prominent notice must be given for any material changes. The law also requires vendors to implement and maintain a comprehensive information security program to protect student data from unauthorized access or disclosure.

Vendors must provide a way for students and parents to access and correct personal information. Parental consent is required for collecting, using, or sharing personal information for students under 18. If a vendor is acquired, the successor entity must honor the same privacy commitments.

SOPIPA establishes several key prohibitions for vendors:

• Prohibiting targeted advertising: Vendors cannot use student personal information to serve targeted ads to students.
• Banning the sale of student data: School service providers are prohibited from selling student personal information.
• Forbidding the creation of student profiles for non-educational purposes: Vendors cannot build student profiles for purposes unrelated to education.
• Implementing security procedures: Vendors must actively maintain security measures and demonstrate compliance.

These requirements signal a fundamental shift: EdTech companies working with Virginia schools are entering a trust relationship, not just a business transaction.

How Virginia Law Addresses Directory Information and Social Media

Virginia law distinguishes directory information, which includes basic details like a student's name, address, dates of attendance, and participation in activities. While schools can share this information for things like yearbooks or honor rolls, parents have the right to opt-out of disclosure. This gives families control over even seemingly harmless information.

Regarding social media, Virginia law prohibits schools (particularly in higher education) from requiring students to disclose usernames or passwords for personal accounts. A student's personal social media is private. You can find more details on this protection in Virginia law on social media account privacy.

Additionally, public institutions of higher education are restricted from selling student contact information. These provisions create a balanced approach, allowing schools to function while respecting student and family privacy.

How Virginia's SOPIPA Complements Federal Law (FERPA)

Student privacy in Virginia is governed by two key laws: the federal Family Educational Rights and Privacy Act (FERPA) and the state's SOPIPA. FERPA is the foundation, while SOPIPA is the modern update for the digital age.

FERPA was enacted in 1974, long before today's online learning environment. Virginia created SOPIPA to address the specific challenges of EdTech vendors and online platforms. SOPIPA doesn't replace FERPA--it works alongside it, filling in gaps created by decades of technological change.

Key Differences and Improvements Over FERPA

While FERPA sets broad rules for schools, SOPIPA directly targets school service providers (EdTech companies, app developers), placing clear obligations on them. This creates a more direct line of accountability for the third parties handling student data.

SOPIPA offers several key improvements over FERPA's framework:

• Targeted Advertising: SOPIPA includes an explicit ban on using student data for targeted advertising, a topic not directly addressed by FERPA.
• Sale of Data: The law outright prohibits vendors from selling student data, making the restriction more direct than FERPA's general disclosure rules.
• Data Deletion: SOPIPA gives parents the right to request that vendors delete their child's personal information, a power not explicitly granted under federal law.
• Modern Data Types: It specifically protects modern data like geolocation and biometric information, which were unimaginable when FERPA was written.
• Student Profiles: SOPIPA forbids vendors from creating student profiles for non-educational purposes without consent.

Think of it this way: FERPA established student privacy as a right. SOPIPA is the modern supplement designed for the online service operators that are now central to education.

Parental rights under Virginia’s Student Privacy in Online Education Act

Both FERPA and Virginia law empower parents with control over their children's educational information. These fundamental rights are reinforced and extended by SOPIPA for the digital field.

Under FERPA, parents have several core rights:

• The right to inspect and review their child's education records. Schools must typically comply with requests within 45 days.
• The right to request amendments to records they believe are inaccurate or misleading. If the school refuses, parents have a right to a hearing.
• The right to consent to disclosures of personally identifiable information (PII). Schools cannot share PII without written permission, outside of specific exceptions like sharing with school officials with a legitimate educational interest.

If you believe a school has violated FERPA, you can file a complaint with the U.S. Department of Education's Family Policy Compliance Office.

In short, Virginia’s law applies these foundational FERPA protections to cloud services and EdTech platforms. Parents are encouraged to exercise these rights by asking questions about digital tools and reviewing privacy policies. Your engagement is critical to keeping student data secure.

Data Breach Notifications: What Virginia Schools Must Do

When data breaches happen, Virginia law (Code Section 22.1-287.02) mandates transparency and swift action. The law establishes clear requirements for how schools must respond when electronic records with personally identifiable information (PII) are compromised. This applies to both the Virginia Department of Education and local school divisions, ensuring you won't be left in the dark if your child's information is exposed.

The Breach Notification Process and Timeline

After a data breach, Virginia law requires schools to notify parents 'as soon as practicable' after finding an unauthorized disclosure of PII. This flexible timeline allows for a preliminary investigation to gather accurate facts but prohibits unreasonable delays.

The notification requirement is triggered by any unauthorized disclosure of PII from electronic student records, whether from a cyberattack or an accidental security lapse. The only time notification can be delayed is at the request of law enforcement to protect an ongoing criminal investigation. For complete legal text, you can review the details on Virginia's breach notification law.

What Information Must Be Included in a Breach Notification?

Breach notifications must include specific details to help parents understand the incident and take protective action. This transparency is critical for empowering families.

Every notification must include:

• The date of the unauthorized disclosure (when the incident occurred or was found).
• The type of personal information that was exposed, such as names, email addresses, or more sensitive data like social security numbers or health records.
• The steps the school is taking to address the breach, including its investigation, mitigation efforts, and measures to prevent future incidents.

This information gives parents what they need to assess their family's risk and decide on next steps, like monitoring credit or updating passwords.

Are There Exceptions to Mandatory Notification?

The law includes a few strict exceptions to mandatory notification to prevent unnecessary alarm and protect law enforcement investigations. A school may forgo notification under these conditions:

• Good faith employee acquisition: An employee accesses data in good faith without malicious intent, and the information is not further used or disclosed.
• No reasonable belief of harm: After a thorough investigation, the school determines there is no reasonable belief that the disclosure will result in harm to the student. This decision must be carefully documented.
• Law enforcement investigation delays: Notification can be temporarily delayed if a law enforcement agency determines it would impede a criminal investigation.

Any decision to withhold notification must be made thoughtfully and with students' best interests at heart.

Practical Steps for Parents and Educators

Understanding Virginia's privacy law is the first step; putting it into practice is the next. True digital safety requires proactive data protection and a strong partnership between schools and homes, as laws alone cannot prevent every threat. When parents and educators work together, we create a protective shield around our students that is far stronger than any single law.

How Parents Can Safeguard Their Child's Data

As a parent, you are your child's primary privacy advocate. You don't need to be a tech expert to take meaningful action. Key steps include:

• Review school privacy policies. These documents explain how your school handles student data and its agreements with EdTech vendors. Ask for clarification on anything that is unclear.
• Ask questions about EdTech tools. Contact the teacher or IT department to ask what data a tool collects, how it is used and secured, and if it is shared with third parties.
• Exercise your right to opt-out. You have the right to opt out of sharing directory information (name, photo, etc.) if you have privacy or safety concerns.
• Talk to your child about online privacy. Have age-appropriate conversations about creating strong passwords, recognizing phishing attempts, and avoiding oversharing personal information online.

For additional resources, organizations like ConnectSafely offer excellent guidance for parents on keeping children safe online.

Where to Report Concerns or Seek Help

If you suspect a privacy violation, you need to know where to turn. Raising concerns helps protect the entire school community. Your vigilance is crucial for improving security for all students.

Follow this path to report your concerns:

1. Start with the child's teacher or school administrator. They are closest to the situation and can often address concerns quickly.
2. Contact the school district's privacy officer or IT department. If your initial concerns aren't resolved, escalate to the district level. These individuals are responsible for overseeing data security and privacy compliance.
3. Escalate to the Virginia Department of Education (VDOE). The VDOE oversees compliance with state privacy laws like SOPIPA and can provide guidance or launch investigations.
4. File a complaint with the U.S. Department of Education. For violations related to federal law, you can file a formal complaint with the Family Policy Compliance Office, which enforces FERPA nationwide.

Conclusion: Building a Culture of Privacy in Virginia's Schools

The bottom line: Virginia’s Student Privacy in Online Education Act provides a strong legal framework for student data protection. Virginia's SOPIPA and breach notification laws (Code Section 22.1-287.02) work with FERPA to create a comprehensive defense for student data.

However, laws can't stop threats like phishing, where a single mistaken click by a staff member can lead to a massive data breach. True security requires a shared commitment from schools, vendors, and parents working together.

This is why continuous education and training are absolutely essential to mitigate risks. Staff and students need to recognize threats before they click. It's about building a culture where everyone is vigilant about cybersecurity.

At CyberNut, our mission is to empower school communities with practical cybersecurity knowledge. We provide specialized, gamified cybersecurity training for K-12 schools, focusing on phishing awareness. Our training is custom, low-touch, and designed for busy school staff. It delivers engaging, bite-sized lessons that stick, turning everyone into a vigilant protector of student data.

Building a culture of privacy starts with understanding the law, but it continues with action--with training, vigilance, and the right partners supporting you.

If you're ready to strengthen your school's defenses, we invite you to get your school audited for phishing vulnerabilities. This assessment will show you exactly where your risks are and how prepared your staff is to spot phishing attempts.

Ready to take the next step? Visit CyberNut to learn how our engaging, effective cybersecurity training can help your school build lasting resilience.