
This 2025 guide to AB 1584, FERPA, and CIPA helps K-12 schools stay compliant and protect student data.
If you’ve ever stared at a 12-page vendor agreement and wondered if you’re signing your district into a compliance nightmare, you’re not alone. California tech directors and ed leaders are doing more with less, and compliance jargon isn’t helping.
So, let’s break it down. Here’s what you really need to know about AB 1584, FERPA, and CIPA in 2025 — no legal degree required.
FERPA: Protecting Student Privacy Since 1974
What it is: The Family Educational Rights and Privacy Act protects the privacy of student education records.
What matters in 2025:
- You must have written agreements with vendors that access student data.
- Parents have the right to inspect and request corrections to their child’s records.
- Cloud services (like LMS platforms or SIS systems) must have data safeguards in place.
Plain-Language Takeaway: If a system holds student names, grades, or IEPs — it’s protected. If you’re using a third-party vendor, you need paperwork that spells out exactly how that data is used and stored.
CIPA: Internet Safety for Students
What it is: The Children’s Internet Protection Act requires schools using E-rate funding to filter harmful content and educate students about online safety.
What matters in 2025:
- Content filters and monitoring must be in place on all student-accessed devices.
- You need to document your digital citizenship curriculum.
- E-rate audits are getting stricter. If your filters aren’t working or policies aren’t followed, funding could be clawed back.
Plain-Language Takeaway: If you’re getting E-rate dollars, make sure your tech (and your teaching) aligns with CIPA. This isn’t optional — it’s audit bait.
AB 1584: California’s Student Data Shield
What it is: A state law that governs contracts with third-party digital vendors and ensures districts stay in control of student data.
What matters in 2025:
- Every vendor contract must have specific language about:
  - Who owns the data (hint: it should be the district)
  - How it’s used
  - How it’s deleted when no longer needed
  - What happens if there’s a breach
- Signed Data Privacy Agreements (DPAs) are non-negotiable.
- Vendor lists must be transparent and accessible to parents.
Plain-Language Takeaway: If a vendor touches student data, your contract better spell out exactly how that data is used, protected, and returned. No more verbal assurances.
What School Leaders Should Do Now
- Audit your current vendors. Who has access to what? Are their contracts updated?
- Create a compliance checklist. Include FERPA, CIPA, and AB 1584 criteria for any new tech purchase.
- Train your team. Admins, tech staff, and even site principals need to know what counts as a compliance red flag.
- Use vetted contract templates. Don’t start from scratch. Use templates from CETPA or your county office.
- Partner with an experienced MSP. Choose one that understands California edtech compliance and can help you stay audit-ready.
Compliance isn’t just a CYA tactic — it’s a commitment to protecting students and their families. When you break it down, these laws aren’t obstacles. They’re opportunities to build trust.
Cybersecure California is a resource hub dedicated to helping schools navigate the complexities of cybersecurity and compliance.
We encourage districts to seek out knowledgeable partners and stay connected to updates that empower safer, smarter decision-making.
You deserve more than vague vendor promises. You deserve compliance clarity.