IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

California Protects Student Data Privacy with Two Bills

The state makes student data privacy a priority.

Over the last year, student data privacy conversations have been percolating across the nation, but now state legislatures are doing something about it. 

California sent two bills to Gov. Jerry Brown last week that deal with two sides of the same coin. SB 1177 lays out privacy guidelines for operators of Internet websites, online services, online applications and mobile applications. Meanwhile, AB 1584 deals with contracts between local educational agencies and third-party technology vendors.

The reason for new legislation

These bills address a growing problem of mismanagement of student data. Federal student privacy legislation including FERPA and COPPA do address student data privacy, but educators, privacy advocates, legislators and industry members are split on whether that legislation does enough to protect privacy in the Digital Age we live in. While new federal legislation was introduced in late July, states have been stepping up to deal with the issue, with at least 83 bills in 32 states being considered this year as of April, according to the Data Quality Campaign.

"There really was very little if any protection that would guard the security, the privacy, the confidentiality of student information," said Rick Pratt, chief consultant to the Assembly Education Committee, "and so hopefully bills 1584 and 1177 will provide some security and privacy where it doesn't exist in current law right now."

Some companies in the technology industry have built student data profiles for advertising purposes, targeted advertising to students with this information and used it for other non-educational purposes. Google made the news earlier this year for scanning student email for advertising purposes, though it later reversed its policy.

This type of activity is what SB 1177 is designed to stop. Senate President pro Tem Darrell Steinberg (D-Sacramento) introduced the bill earlier this year.

"It's a very positive piece of legislation that I hope will better protect student privacy," said Bradley S. Shear, a digital privacy lawyer with Shear Law in Maryland. "My hope is that the legislation helps spur bad actors in the ed tech space to really change their behavior and really make student privacy a priority."

A parent in Assemblymember Joan Buchanan's district discovered that unbeknownst to parents, his children's school district had a contract with a mobile app developer that did not put any restrictions on how the developer could use the student data that it collected. It didn't just happen in his school district either. That's why Buchanan (D-Alamo) introduced AB 1584 this year.

These two bills would give students stronger privacy protection, lay out clear rules of the road for vendors and establish requirements for third-party contracts with local educational agencies.

"Together, it's really a landmark regulatory scheme," said Joni Lupovitz, vice president of policy for Common Sense Media, which supported the bills. "The whole idea is not to stop education technology; the idea is to create a trusted online environment so kids can just be kids and focus on learning."

A balancing act

CUE Inc., a professional association of computer-using educators, said SB 1177 initially included language that would have limited the ability of students to take their cloud-based work with them when they graduated and share their work beyond school. It also would have prohibited third-party companies from suggesting relevant education products based on student performance data collected from their services.

The educator association quietly expressed concern about the unintentional negative effects of this language, and Steinberg's office responded, largely addressing those concerns with the final wording.

"They've been successful in putting in language that protects student privacy from advertising without limiting the innovation and the sharing and the ownership of student data," said Mike Lawrence, CEO of CUE.

It's important to balance technology innovation, student data needs and student privacy, particularly as educators look forward and try to build a teacher dashboard that provides real-time data on each student, Lawrence said. This real-time data allows teachers to have a digital assistant that immediately tells them which students are doing well and which ones need their help because they're struggling.

The last thing that anyone wants is to make it so onerous for education technology companies to offer services that they won't even bother, Lawrence said. Some companies are already choosing not to label their products "educational" because they anticipate additional regulatory requirements. 

The Software & Information Industry Association (SIIA) said in a statement that it agrees that the effective use of student information to improve learning requires a trust framework around its use. "While SIIA believes that current laws provide for this safeguarding of student privacy, we appreciate both Senator Steinberg’s leadership on this issue and his willingness to work with industry groups and other interested parties on SB 1177, the Student Online Personal Information Protection Act," the statement continued. "SIIA will work with our member high-tech and education service providers to support implementation.”

This legislation strikes the right balance and is a good step forward to deal with student data privacy, Lawrence said.

What SB 1177 does

SB 1177 lays out a number of do's and don'ts for operators of K-12 Internet websites, online services, online applications and mobile applications that apply broadly whether companies contract with schools or not:

  1. Do not target advertising on the site or another site based on information from K-12 users.
     
  2. Do not use information gathered through the service to build a profile about a K-12 student.
     
  3. Do not sell a student's information.
     
  4. Do not disclose covered information unless it's for legal, regulatory, judicial, safety or operational improvement reasons.
     
  5. Do protect student information through reasonable security procedures and practices.
     
  6. Do delete school- or district-controlled student information upon request from those entities.
     
  7. Do disclose student information when required by law, for legitimate research purposes and for K-12 purposes to education agencies.
Companies can use de-identified student data within their sites to improve educational products, demonstrate their effectiveness and improve their sites.

What AB 1584 does

AB 1584 dives into the details by spelling out what types of things local educational agencies should include in contracts with third-party digital record and educational software providers:

  1. Do establish that the local educational agency owns and controls student records.
     
  2. Do describe how students can keep control of their projects and other content created for school, along with a way to transfer their content to a personal account later.
     
  3. Do prohibit third parties from using student information for purposes outside of those named in the contract.
     
  4. Do describe how parents, legal guardians or students can review and correct personally identifiable information contained in their records.
     
  5. Do outline actions that third parties will take to make sure that student data is secure and confidential.
     
  6. Do describe procedures for notifying affected parents, legal guardians or eligible students when there is an unauthorized disclosure of student records.
     
  7. Do certify that student records will not be retained or available to the third party once the contract is over and lay out how that will be enforced.
     
  8. Do describe how local educational agencies and third parties will comply with the federal FERPA legislation.
     
  9. Do prohibit third parties from using personally identifiable information from student records to target advertising to students.
Along with these do's, the bill says that contracts will be voided if they do not comply with the requirements laid out above after a reasonable amount of time and notice to do so.

Gov. Jerry Brown has until Sept. 30 to sign or veto these bills, along with other bills that involve computer science education.

This story was originally published by the Center for Digital Education.