Childcare Data Privacy & Title 22 Compliance in California: An Owner's Guide

You hold some of the most sensitive data anyone can collect — information about young children and their families. Here's how to protect it, stay compliant, and sleep at night.

By Eshan de Silva · 9 min read

Running a childcare center means you collect things almost no other small business touches: children's birthdates and medical histories, parents' home addresses and work schedules, emergency contacts, immunization records, and sometimes financial details. If that information leaked, the damage wouldn't be measured in dollars — it would be measured in trust you can never fully rebuild. The good news is that protecting it isn't complicated once you understand what the rules actually require and which handful of IT controls do most of the work.

This guide breaks down the three sets of rules that apply to California childcare centers — Title 22, COPPA, and FERPA — and then translates them into the practical, day-to-day steps that keep you compliant. No legalese, no fear-mongering.

Quick note: This article is general guidance, not legal advice. Privacy rules change and every center's situation is different — confirm specifics with your licensing analyst or attorney before making decisions.

The three rule sets that apply to your center

1. California Title 22 — your records obligations

Title 22 of the California Code of Regulations is the rulebook for licensed childcare. It requires that you keep a separate, complete, and current record for each child, and that those records are readily available for review by a Licensing Program Analyst (LPA). That "readily available" phrase is the one that trips centers up — if your records are scattered across a filing cabinet, three staff laptops, and someone's personal phone, you're not ready for a visit.

Title 22 does not require paper. Digital records are perfectly acceptable as long as you can produce them quickly and keep them secure. It also sets retention rules: for example, the signed Notification of Parents' Rights (LIC 995) must be kept for at least three years after a child's care ends. Because different documents carry different retention periods, most centers keep core child and staff files for several years after a family leaves.

2. COPPA — the apps you choose, not just your center

The Children's Online Privacy Protection Act (COPPA) is the federal law governing how online services collect data from children under 13. Your center isn't usually a direct COPPA "operator" — but the tools you put in front of children and families often are: parent-communication apps, photo-sharing platforms, learning apps on classroom tablets. When you select those tools, you become responsible for vetting that the vendor is COPPA-compliant and that the required parental consent is in place. A good rule: if an app collects a child's name, photo, or voice, you need to know exactly what it does with that data.

3. FERPA — if you run a preschool or receive certain funding

The Family Educational Rights and Privacy Act (FERPA) protects education records and applies to programs that receive federal education funding — which can include some preschools and state-funded pre-K programs. If FERPA applies to you, parents have the right to access and request corrections to their child's education records, and you have obligations around how you share them. Not every daycare is covered, but if you run an educational program, it's worth confirming whether you are.

From rules to reality: the controls that keep you compliant

Here's the part most compliance articles skip. Knowing the rules is useless without the systems that enforce them. These are the controls that do the heavy lifting — roughly in order of impact:

  • Multi-factor authentication (MFA) on everything. The single highest-value step you can take. Most breaches at small organizations start with a stolen password. MFA blocks the overwhelming majority of those attacks, and it's free on virtually every platform you already use.
  • Role-based access control. Not everyone needs to see everything. A front-desk staffer doesn't need access to medical records or payroll. Limiting who can open what dramatically shrinks the damage if any one account is compromised.
  • Encrypted storage and devices. If a laptop or tablet holding family data is lost or stolen, encryption means the thief gets a brick, not a database. Full-disk encryption is built into modern Windows, Mac, iPad, and Android — it just needs to be turned on and managed.
  • Daily, tested backups. Compliance requires records to be available. A failed hard drive or a ransomware attack can wipe years of data in seconds. Automated daily backups — stored securely off-site — mean you can restore and keep operating. (See our cybersecurity guide for the 3-2-1 backup rule.)
  • A clear retention & deletion routine. Keep what the rules require, and securely delete what you no longer need. Old data you don't need is pure liability.
  • Staff training. Your team is the front line. A 30-minute session on spotting phishing emails and handling family data prevents more incidents than any single piece of software.

The 10-minute audit: Right now, ask three questions. Is MFA on for your email and your childcare software? Could you produce any child's complete record in under five minutes? If a staff laptop vanished today, is the data on it encrypted? If you hesitated on any of these, that's your starting point.

Choosing software that keeps you compliant (instead of creating gaps)

Every platform you adopt — Procare, Brightwheel, your visitor check-in system, your camera storage — becomes part of your compliance footprint. Before you sign up for anything that touches family data, ask the vendor:

  • Where is our data stored, and is it encrypted? You want encryption both in transit and at rest, on U.S.-based infrastructure.
  • Are you COPPA-compliant, and will you sign a data processing agreement? A confident vendor says yes to both without hesitation.
  • Can we export and delete our data if we leave? Data portability matters — you should never be held hostage by a platform.
  • Who at your company can access our records? The answer should be "almost no one, and only with controls."

This is also where the right technology partner earns their keep. A digital visitor-management system like SenLobby.ai, for instance, replaces the paper sign-in sheet that exposes every visitor's information to everyone who walks in — turning a quiet compliance liability into a secure, audit-ready log.

What happens if you get this wrong

Compliance gaps rarely announce themselves until it's too late. A licensing visit where records can't be produced can put your license at risk. A data breach involving children's information can trigger California breach-notification obligations, reputational damage, and the kind of parent conversations no director wants to have. And because childcare staff are busy and trusting, centers have become a favorite target for phishing and ransomware attacks specifically.

The reassuring flip side: nearly all of it is preventable with a modest, well-configured setup. You don't need an enterprise security budget. You need the right handful of controls turned on, maintained, and monitored — which is exactly what good managed IT for childcare centers provides. EDCON works with centers across Los Angeles, Oxnard, Ventura, and Azusa to close these gaps before they become incidents.

Common questions from childcare directors

Does COPPA apply to childcare centers?

COPPA regulates online services that collect personal information from children under 13. A childcare center isn't usually a direct COPPA "operator," but the apps and platforms you use often are. As the center choosing those tools, you're responsible for vetting that your vendors are COPPA-compliant and that you've obtained the parental consent they require.

How long do California childcare centers have to keep records?

Under Title 22, each child's record must be kept complete, current, and readily available while the child is enrolled. Certain documents have set retention periods — for example, the signed Notification of Parents' Rights (LIC 995) must be kept at least three years after care ends. Because requirements vary by document, most centers keep core records for several years after a child leaves. Confirm specifics with your licensing analyst.

Can childcare records be stored digitally in California?

Yes. Title 22 requires records to be complete, current, and readily available for review — it does not require paper. Digital records are acceptable as long as they can be produced quickly during a licensing visit and are protected with access controls, encryption, and reliable backup.

What's the single most important data protection step for a small center?

Turn on multi-factor authentication (MFA) everywhere and limit who can see sensitive data with role-based access. Most breaches start with a stolen password; MFA blocks the vast majority of those attacks, costs little to nothing, and takes minutes per account.

Not sure where your center stands?

EDCON helps California childcare centers protect family data and stay audit-ready — MFA, secure storage, backups, and compliance-friendly systems. Book a free 30-minute consultation and we'll run through your setup, flag any gaps, and give you a clear, no-pressure plan.
