These laws include the 2014 Student Online Personal Information Protection Act (SOPIPA), which has become a model for 16 other states and prohibits ed tech providers from marketing to students or selling their information, among other things. The Legislature extended those protections to preschool and pre-kindergarten students in a bill passed this year.
To come up with the recommendations, Harris consulted with industry leaders including the Software & Information Industry Association (SIIA) and education organizations including the National Association of State Boards of Education, along with parents, academics and privacy experts.
"Most of our feedback was focused on ensuring that the report was cognizant of how technology actually works so we wouldn't have unintended consequences of misinterpretation of this report," said Brendan Desetti, director of education policy at the SIIA.
In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Harris' office identifies these best practices:
- Data Collection and Retention: Minimization is the goal.
- Data Use: Keep it educational.
- Data Disclosure: Make protections stick.
- Individual Control: Respect users’ rights.
- Data Security: Implement reasonable and appropriate safeguards.
- Transparency: Provide a meaningful privacy policy
Representatives from both the SIIA and the National Association of State Boards of Education said the guide provides high-quality recommendations, but they would like to see a more nuanced approach in general to metadata, which can include personally identifiable information or not identify anyone. Those two different types of metadata should be treated differently.
The report lists examples of metadata such as a student's location, how many times a student tried to answer a question or which type of device a student uses. It also recognizes that metadata can be used well for personalizing learning and improving education products, but that companies could also use it for marketing purposes.
"The line between personalized learning and marketing is one that must be clearly drawn in the use of ed tech," according to the report.
This line hasn't really been drawn, and because California's law was passed early on in the student data privacy legislation wave, it didn't include definitions of targeted advertising as other states including Hawaii have done, said Amelia Vance, director of education data and technology at the National Association of State Boards of Education. That means it's unclear whether a company is crossing the line if it suggests a math game that would help a student who struggled in a specific area in another math game.
With no regulatory power to issue binding legal interpretations of the law, Harris can't define targeted advertising or provide other nuances in this guidance as other states can through their boards or education departments. But her office does have the authority to enforce California's privacy laws, which means that a lot of these definitions will be decided in court based on lawsuits rather than pre-emptively. And other states maybe able to use the guidance if their legislatures have given them regulatory authority, Vance said.
"I really wish the Legislature had provided the AG's office with the authority to make this official."
