California's Student Data Privacy Guide Offers Best Practices, Cannot Be Enforced

The state's attorney general provides recommendations for ed tech providers to keep student data private, but doesn't have the authority to enforce them.

by Tanya Roscorla / November 4, 2016
FILE - In this Mar. 24, 2016, file photo, California Attorney General Kamala Harris points to a display showing the location of Corinthian Colleges located in California during a news conference in San Francisco. On Thursday, March 24, 2016, a San Francisco Superior Court judge awarded the state a nearly $1.2 billion default judgment against Corinthian Colleges Inc., the bankrupt operator of for-profit colleges. (AP Photo/Eric Risberg, File) AP

As data collection on technology platforms continues to increase in K-12 schools, California Attorney General Kamala D. Harris is doing what she can to help ed tech providers understand how to protect student data privacy. In this vein, she issued six recommendations in a 36-page November guide — but she can't create legally binding guidance based on California's privacy laws.

These laws include the 2014 Student Online Personal Information Protection Act (SOPIPA), which has become a model for 16 other states and prohibits ed tech providers from marketing to students or selling their information, among other things. The Legislature extended those protections to preschool and pre-kindergarten students in a bill passed this year. 

To come up with the recommendations, Harris consulted with industry leaders including the Software & Information Industry Association (SIIA) and education organizations including the National Association of State Boards of Education, along with parents, academics and privacy experts. 

"Most of our feedback was focused on ensuring that the report was cognizant of how technology actually works so we wouldn't have unintended consequences of misinterpretation of this report," said Brendan Desetti, director of education policy at the SIIA.

In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Harris' office identifies these best practices:

  1. Data Collection and Retention: Minimization is the goal.
  2. Data Use: Keep it educational.
  3. Data Disclosure: Make protections stick.
  4. Individual Control: Respect users’ rights.
  5. Data Security: Implement reasonable and appropriate safeguards.
  6. Transparency: Provide a meaningful privacy policy
The guide covers a lot of the same ground as SOPIPA and the Student Privacy Pledge that more than 300 ed tech industry organizations have signed. It just uses more words and provides more context, Desetti said. And in reality, much of what the laws protect against hasn't actually happened much and has been prohibited for years in federal law, whether it's actually targeting ads to students or selling student information.
Representatives from both the SIIA and the National Association of State Boards of Education said the guide provides high-quality recommendations, but they would like to see a more nuanced approach in general to metadata, which can include personally identifiable information or not identify anyone. Those two different types of metadata should be treated differently.
The report lists examples of metadata such as a student's location, how many times a student tried to answer a question or which type of device a student uses. It also recognizes that metadata can be used well for personalizing learning and improving education products, but that companies could also use it for marketing purposes. 

"The line between personalized learning and marketing is one that must be clearly drawn in the use of ed tech," according to the report.

This line hasn't really been drawn, and because California's law was passed early on in the student data privacy legislation wave, it didn't include definitions of targeted advertising as other states including Hawaii have done, said Amelia Vance, director of education data and technology at the National Association of State Boards of Education. That means it's unclear whether a company is crossing the line if it suggests a math game that would help a student who struggled in a specific area in another math game. 

With no regulatory power to issue binding legal interpretations of the law, Harris can't define targeted advertising or provide other nuances in this guidance as other states can through their boards or education departments. But her office does have the authority to enforce California's privacy laws, which means that a lot of these definitions will be decided in court based on lawsuits rather than pre-emptively. And other states maybe able to use the guidance if their legislatures have given them regulatory authority, Vance said.

"I really wish the Legislature had provided the AG's office with the authority to make this official." 

At UNCP, Cybersecurity is Part of a Campus Culture

Taking steps to stay safe online is a year-round effort, but every October — during National Cybersecurity Awareness Month — things are ramped up a notch. Individuals and organizations of all types stop to remind themselves about the importance of cybersecurity and of making sure that everyone has the resources they need to protect themselves online.

Ransomware in Education: How to use your Network to Stay Ahead of Attacks

Educational institution systems store a large amount of sensitive data, including student and employee records. They rely heavily on these systems for day-to-day operations. So any disruption or loss of access can be a game changer. But these same institutions also often have tight budgets and can’t afford to employ large security teams. That’s one reason they’re perceived as easy and lucrative targets by online adversaries.

The Future of Education

Today’s stop while exploring #TheFutureofPublicSector takes us to education and what the future will make possible for teaching and learning. So, what does the future hold for education as we know it?

Platforms & Programs