California's Student Data Privacy Guide Offers Best Practices, Cannot Be Enforced

The state's attorney general provides recommendations for ed tech providers to keep student data private, but doesn't have the authority to enforce them.

by / November 4, 2016
FILE - In this Mar. 24, 2016, file photo, California Attorney General Kamala Harris points to a display showing the location of Corinthian Colleges located in California during a news conference in San Francisco. On Thursday, March 24, 2016, a San Francisco Superior Court judge awarded the state a nearly $1.2 billion default judgment against Corinthian Colleges Inc., the bankrupt operator of for-profit colleges. (AP Photo/Eric Risberg, File) AP

As data collection on technology platforms continues to increase in K-12 schools, California Attorney General Kamala D. Harris is doing what she can to help ed tech providers understand how to protect student data privacy. In this vein, she issued six recommendations in a 36-page November guide — but she can't create legally binding guidance based on California's privacy laws.

These laws include the 2014 Student Online Personal Information Protection Act (SOPIPA), which has become a model for 16 other states and prohibits ed tech providers from marketing to students or selling their information, among other things. The Legislature extended those protections to preschool and pre-kindergarten students in a bill passed this year. 

To come up with the recommendations, Harris consulted with industry leaders including the Software & Information Industry Association (SIIA) and education organizations including the National Association of State Boards of Education, along with parents, academics and privacy experts. 

"Most of our feedback was focused on ensuring that the report was cognizant of how technology actually works so we wouldn't have unintended consequences of misinterpretation of this report," said Brendan Desetti, director of education policy at the SIIA.

In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Harris' office identifies these best practices:

  1. Data Collection and Retention: Minimization is the goal.
  2. Data Use: Keep it educational.
  3. Data Disclosure: Make protections stick.
  4. Individual Control: Respect users’ rights.
  5. Data Security: Implement reasonable and appropriate safeguards.
  6. Transparency: Provide a meaningful privacy policy
The guide covers a lot of the same ground as SOPIPA and the Student Privacy Pledge that more than 300 ed tech industry organizations have signed. It just uses more words and provides more context, Desetti said. And in reality, much of what the laws protect against hasn't actually happened much and has been prohibited for years in federal law, whether it's actually targeting ads to students or selling student information.
 
Representatives from both the SIIA and the National Association of State Boards of Education said the guide provides high-quality recommendations, but they would like to see a more nuanced approach in general to metadata, which can include personally identifiable information or not identify anyone. Those two different types of metadata should be treated differently.
 
The report lists examples of metadata such as a student's location, how many times a student tried to answer a question or which type of device a student uses. It also recognizes that metadata can be used well for personalizing learning and improving education products, but that companies could also use it for marketing purposes. 

"The line between personalized learning and marketing is one that must be clearly drawn in the use of ed tech," according to the report.

This line hasn't really been drawn, and because California's law was passed early on in the student data privacy legislation wave, it didn't include definitions of targeted advertising as other states including Hawaii have done, said Amelia Vance, director of education data and technology at the National Association of State Boards of Education. That means it's unclear whether a company is crossing the line if it suggests a math game that would help a student who struggled in a specific area in another math game. 

With no regulatory power to issue binding legal interpretations of the law, Harris can't define targeted advertising or provide other nuances in this guidance as other states can through their boards or education departments. But her office does have the authority to enforce California's privacy laws, which means that a lot of these definitions will be decided in court based on lawsuits rather than pre-emptively. And other states maybe able to use the guidance if their legislatures have given them regulatory authority, Vance said.

"I really wish the Legislature had provided the AG's office with the authority to make this official." 

Tanya Roscorla Former Managing Editor

Tanya Roscorla covered ed tech from 2009-2017.

One Non-Profit’s Mission to Help Bridge the Broadband Gap

Broadband provides students in rural and underserved urban schools access to online resources that can help them better prepare for the workforce.

Innovative University Program Drives Employee Success

Why collaborating with industry can develop better employees.

Butler University Deploys 1,300+ APS to Provide Complete Access

Access to reliable Wi-Fi is not only a key attractor for students, but also a key competitive advantage for the University.

Platforms & Programs