California’s two student privacy laws 2014
UPDATED January 12, 2015: Student Privacy Matters, a parent advocacy group, points out weaknesses in the California student privacy laws and says that the President’s proposed federal law is even weaker than the California state ones. Some of the weaknesses include:
-
Bans vendors using personally identifiable information (PII) student data to target advertising or selling of data, but not in case of merger or acquisitions, or presumably in case of bankruptcy, as in the recent Connectedu case. The President’s proposal would be even weaker, as it would apparently allow the sale of student data for unspecified “educational purposes”;
-
Only regulates online vendors but not the data-sharing activities of schools, districts or states;
-
Provides no notification requirements for parents, nor provides them with the ability to correct, delete, or opt out of their child’s participation in programs operated by data-mining vendors;
-
Unlike HIPAA, sets no specific security or encryption standards for the storage or transmission of children’s personal information, but only that standards should be “reasonable”;
-
Allows tech companies to use children’s PII to create student profiles for “educational” purposes or even to improve products;
-
Allows tech companies to share PII with additional and unlimited “service” providers, without either parent or district/school knowledge or consent – as long as they abide by similarly vague “reasonable” security provisions;
-
Allows tech companies to redisclose PII for undefined “research” purposes to unlimited third parties, without parental knowledge or consent –without requiring ANY sort of security provisions for these third parties or even that they have recognized status as actual researchers;
-
Contains no enforcement or oversight mechanisms;
-
Would not have stopped inBloom or other similar massive “big data” schemes designed to hand off PII to data-mining vendors – and like inBloom, would also be able to charge vendors or “service providers” fees to access the data, as long as states/districts consented.
UPDATED January 10, 2015: James Steyer, head of Common Sense Media, the advocacy group that helped write the student privacy laws now on the books in California, had this to say upon its passage:
The measure will prohibit K-12 websites, online services and apps from using students’ personal information for targeted advertising or creating a commercial profile of any student and prohibit the selling of a student’s information. The legislation will also require K-12 websites, services and apps to maintain reasonable security procedures for students’ personal information, and to delete the information upon the school’s request.
…
Although other states recently enacted laws that regulate ed tech contracts or certain types of cloud-service vendors, California’s new law is the only one that will cover a broad range of K-12 focused websites, services and apps, whether a contract exists or not.
…
SOPIPA will permit innovation without encroaching on student privacy because it will allow the use of de-identified K-12 student info internally to improve educational products and services and to demonstrate the effectiveness of the products. It will also allow sharing of aggregated de-identified student info for development and improvement of educational sites, services, and apps. The key is that the data can still be used to improve educational products and services without being linked to specific students.
In late September, 2014, California’s Governor Brown signed into law AB 1584 and SB 1177, two laws that together form the strongest student privacy laws in the nation.
Together, the laws mandate that Local Education Agencies (LEAs), such as school districts, must take proactive steps to protect student privacy.
Under AB 1584, school districts that contract with third party providers of digital services (storage, software, hardware) relating to curriculum or student records will own and keep private the student records and the third party providers will not be able to use the information for marketing or other commercial purposes.
Under SB1177, businesses serving primarily the K-12 market with schools or school-aged children as users cannot use personal information gathered or provided by the students in order to market goods or services to them. Among other provisions of the law they must observe, they must delete any information that a school requests them to.
The big questions which is unanswered at this time (given that as of October 4, 2014, the ink is barely dry on the law): are testing companies considered “operators” as defined by SB1177?
Steinberg – SB 1179 Student Privacy Law (click to download pdf)
Buchanan – Pupil records privacy AB1584 2014 (click to download pdf)
