The state's attorney general provides recommendations for ed tech providers to keep student data private, but doesn't have the authority to enforce them.
As data collection on technology platforms continues to increase in K-12 schools, California Attorney General Kamala D. Harris is doing what she can to help ed tech providers understand how to protect student data privacy. In this vein, she issued six recommendations in a 36-page November guide — but she can't create legally binding guidance based on California's privacy laws.
These laws include the 2014 Student Online Personal Information Protection Act (SOPIPA), which has become a model for 16 other states and prohibits ed tech providers from marketing to students or selling their information, among other things. The Legislature extended those protections to preschool and pre-kindergarten students in a bill passed this year.
To come up with the recommendations, Harris consulted with industry leaders including the Software & Information Industry Association (SIIA) and education organizations including the National Association of State Boards of Education, along with parents, academics and privacy experts.
"Most of our feedback was focused on ensuring that the report was cognizant of how technology actually works so we wouldn't have unintended consequences of misinterpretation of this report," said Brendan Desetti, director of education policy at the SIIA.
In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Harris' office identifies these best practices:
"The line between personalized learning and marketing is one that must be clearly drawn in the use of ed tech," according to the report.
This line hasn't really been drawn, and because California's law was passed early on in the student data privacy legislation wave, it didn't include definitions of targeted advertising as other states including Hawaii have done, said Amelia Vance, director of education data and technology at the National Association of State Boards of Education. That means it's unclear whether a company is crossing the line if it suggests a math game that would help a student who struggled in a specific area in another math game.
With no regulatory power to issue binding legal interpretations of the law, Harris can't define targeted advertising or provide other nuances in this guidance as other states can through their boards or education departments. But her office does have the authority to enforce California's privacy laws, which means that a lot of these definitions will be decided in court based on lawsuits rather than pre-emptively. And other states maybe able to use the guidance if their legislatures have given them regulatory authority, Vance said.
"I really wish the Legislature had provided the AG's office with the authority to make this official."