EdTech Provider Agrees to $5.1 Million Settlement with Three State Attorneys General over Student Data Breach
Alerts
November 13, 2025

On November 6, 2025, the California, Connecticut, and New York Attorneys General (collectively, the “Attorneys General”) announced a settlement with Illuminate Education, Inc. to resolve allegations that the company violated state privacy laws following a student data breach. The settlement marks the first enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA, formerly known as SOPIPA) and Connecticut’s Student Data Privacy Law, and also constitutes the second major enforcement action under New York Education Law § 2-d.

The Data Breach at Illuminate Education

In 2022, Illuminate Education announced that it had experienced a data security incident. Its data breach notification explained that, on January 8, 2022, the company’s data security team discovered suspicious activity on systems used to store customer data. The company took affected systems offline and hired expert analysts to investigate what happened.

The company’s investigation subsequently confirmed that certain of its databases had been obtained without authorization between December 28, 2021, and January 8, 2022. The affected databases included student names, birth dates, email addresses, academic and behavior information (such as courses and disciplinary records), enrollment information, demographic information, special education information, and information about student accommodations.

Allegations at the Center of the Settlement

The Attorneys General have alleged that Illuminate Education did not have reasonable security controls in place.[1] The Attorneys General alleged that the incident involved the use of stolen access credentials associated with a former employee who had left the company years before the incident. They also alleged that the company failed to adequately monitor and alert for suspicious activity on its network, did not secure backup databases separately from active databases, failed to encrypt student data maintained at rest, failed to maintain data retention policies, failed to timely remediate high risk vulnerabilities, and initially failed to conduct an adequate investigation. The Attorneys General also alleged that the company made certain representations regarding the comprehensiveness of its information security practices that did not align with its practices.

Enforcement Based on EdTech Legislation

In addition to citing numerous laws of general application (e.g., state unfair or deceptive practices laws and laws requiring businesses to safeguard personal information),[2] all three Attorneys General alleged that Illuminate Education violated state student privacy laws, including provisions that distinctly apply to EdTech providers. Specifically, they cited:

  • KOPIPA (Cal. Bus. & Prof. Code § 22584):
    • Applies to operators of websites, online services, or applications who design and market their product or service for K-12 school purposes and know that it is used primarily for K-12 school purposes.
    • Requires, in part, that operators implement and maintain reasonable security practices appropriate to the nature of the student information and protect it from unauthorized access.
  • Connecticut Student Data Privacy Law (Conn. Gen. Stat. §§ 10-234aa-dd):
    • Applies to operators of websites, online services, or applications who design and market their product or service for K-12 school purposes, know that it is used for school purposes, and have access to student information.
    • Requires, in part, that the operator implement and maintain industry-standard security procedures designed to protect student information from unauthorized access.
  • New York Education Law § 2-d:
    • Applies to third party contractors that enter into written agreements with educational agencies under which they will receive student, teacher, or principal data.
    • Requires, in part, that contractors maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. Additionally requires the use of encryption technology to protect data while in motion or at rest.

Unique California Enforcement Provisions

The California Attorney General also alleged violations of the California Online Privacy Protection Act (CalOPPA) and the Confidentiality of Medical Information Act (CMIA), highlighting the increasing importance of CalOPPA and a novel application of the CMIA.

The application of CalOPPA appears to be part of a continuing trend: the California Attorney General has recently emphasized alleged violations of CalOPPA within a range of complaints. This highlights the need for all companies that operate websites or provide online services to ensure that their privacy policies accurately reflect their practices.

  • CalOPPA (Cal. Bus. & Prof. Code § 22575 et seq.):
    • Applies to operators of commercial websites or online services.
    • Requires operators to post a privacy policy with certain elements. Prohibits, in part, operators from negligently and materially failing to comply with the provisions in the posted privacy policy.

The CMIA is ostensibly focused on healthcare providers—and the law has not historically been applied to EdTech. Nevertheless, the California Attorney General asserted that Illuminate Education was subject to the CMIA because it allowed schools to maintain certain contextual information regarding a student’s accommodations (e.g., why an accommodation was necessary). This may signal that a broad range of technology vendors may be subject to the CMIA, even if they are not traditional healthcare providers or even business associates regulated by the Health Insurance Portability and Accountability Act, if their products and services support functions related to health.

  • CMIA (Cal. Civ. Code § 56 et seq.):
    • Applies, in part, to “providers of health care.” Under this law, businesses can qualify as “providers of health care” if they 1) are organized for the purpose of maintaining medical information; 2) make such information available to an individual or “provider of health care” upon request; and 3) make such information available for the purposes of allowing the individual to manage the information or for the diagnosis and treatment of the individual. Businesses can also be considered “providers of health care” if they offer software that meets the three criteria.
    • Requires, in part, that the business maintains the same standards of confidentiality for medical information required of healthcare providers and not disclose such information without first obtaining a patient’s authorization, subject to limited exceptions. Negligent disclosure of medical information constitutes a violation of the law.

Settlement Terms

In order to resolve the matter, Illuminate Education agreed to pay a total of $5.1 million to California, Connecticut, and New York. The company also agreed to comply with applicable laws and implement an information security program that includes, for example, access and authentication controls and policies, network monitoring, backup database protections, data encryption, data retention policies and procedures, and an incident response plan.

The company must also, at least annually, obtain an information security assessment from an independent third-party assessor regarding its compliance with obligations concerning its information security program and its handling of personal information.

Select additional terms under the settlements include:

  • reviewing and conforming all contracts with Connecticut school districts to comply with the state’s Student Data Privacy Law;
  • implementing data minimization and purpose limitation measures;
  • utilizing a data protection agreement with educational institution clients and notifying clients of material change(s) prior to said changes taking effect;
  • annually notifying customers regarding retention and deletion of their data; and
  • establishing a right to delete data.

Key Takeaways

State, federal, and international regulators have increasingly focused on children and teen privacy and online safety issues. The Illuminate Education settlement suggests an increased focus on how companies handle student data. Many state student privacy laws have been on the books for years but have not been the focus of enforcement actions. That’s likely to change going forward. Organizations that provide products and services for K-12 school purposes should pay careful attention to student privacy requirements under state law and ensure that they have reasonable security procedures in place to safeguard student data.

Additionally, this case highlights the growing trend of coordinated enforcement actions between states. For example, earlier this year, seven states and the California Privacy Protection Agency announced a formal collaboration to promote information sharing in an effort to safeguard consumer privacy. Two additional states joined the consortium thereafter. While the 10 regulators all hail from states with comprehensive consumer privacy laws, this collaboration generally signals a willingness among state enforcers to collaborate on topics related to privacy and cybersecurity.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex data, privacy, and cybersecurity issues. We have counseled numerous clients regarding compliance with student privacy laws and have helped companies navigate multi-jurisdiction investigations and enforcement actions. For more information, please contact Demian Ahn, Chris Olsen, Rebecca Weitzel Garcia, or another member of the firm’s Data, Privacy, and Cybersecurity practice.


[1] The allegations by the Attorneys General were neither admitted nor denied by Illuminate Education.

[2] See, e.g., Cal. Bus. & Prof. Code § 17200 et seq.; Cal. Civ. Code § 1798.81.5; Cal. Bus. & Prof. Code § 17500 et seq.; Conn. Gen. Stat. § 42-100b et seq.; Conn. Gen. Stat. § 42-471; N.Y. Exec. Law § 63(12); N.Y. Gen. Bus. Law § 349.

Contributors

  • Demian Ahn
  • Christopher N. Olsen
  • Rebecca Weitzel Garcia