BILL ANALYSIS �Ó
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session
AB 1584 (Buchanan)
As Amended June 3, 2014
Hearing Date: June 24, 2014
Fiscal: No
Urgency: No
TH
SUBJECT
Pupil records: privacy: third-party contracts: digital storage
services and digital educational software
DESCRIPTION
This bill would authorize a local educational agency to enter
into a contract with a third party to provide services for the
digital storage, management, and retrieval of pupil records,
provided the contract includes specific provisions about the
use, ownership, and control of the pupil records.
BACKGROUND
According to recent studies, school districts are increasingly
turning to technologies such as cloud computing to satisfy their
educational objectives. These new technologies often present
schools with new opportunities for cost savings, service
flexibility, and endurance, allowing schools to deploy on-demand
resources to users 24 hours a day. With the adoption of cloud
computing services, many schools are transferring large
quantities of student information to third-party providers,
raising concerns among stakeholders about maintaining student
privacy and keeping control over transferred information. A
recent nationwide survey examining this trend concluded that:
95 percent of districts rely on cloud services for a diverse
range of functions including data mining related to student
performance, support for classroom activities, student
guidance, data hosting, as well as special services such as
cafeteria payments and transportation planning;
cloud services are poorly understood, non-transparent, and
weakly governed: only 25 percent of districts inform parents
(more)
�
AB 1584 (Buchanan)
Page 2 of ?
of their use of cloud services, 20 percent of districts fail
to have policies governing the use of online services, and a
sizeable plurality of districts have rampant gaps in their
contract documentation, including missing privacy policies;
districts frequently surrender control of student information
when using cloud services: fewer than 25 percent of service
agreements specify the purpose for disclosures of student
information, fewer than 7 percent of the contracts restrict
the sale or marketing of student information by vendors, and
many agreements allow vendors to change the terms without
notice;
an overwhelming majority of cloud service contracts do not
address parental notice, consent, or access to student
information. Some services even require parents to activate
accounts and, in the process, consent to privacy policies that
may contradict those in a district's agreement with the
vendor; and
district cloud service agreements generally do not provide for
data security and may even allow vendors to retain student
information in perpetuity. (Privacy and Cloud Computing in
Public Schools (Dec. 2013)
(as of June 19, 2014).)
This bill would authorize a local educational agency to enter
into a contract with a third party to provide services for the
digital storage, management, and retrieval of pupil records, as
defined, provided that the contract includes specific provisions
about the use, ownership, and control of the pupil records.
Specifically, this bill would require such contracts to:
state that pupil records continue to be the property of and
under the control of the local educational agency;
prohibit the third party from using personally identifiable
information from pupil records for commercial or advertising
purposes;
prohibit the third party from using personally identifiable
information from pupil records for any purpose other than for
the requirements of the contract;
describe the procedures by which a parent, legal guardian, or
eligible pupil may review a pupil's records and correct
erroneous information, and by which notification will be given
in the event of an unauthorized disclosure of the records; and
certify that a pupil's records shall not be retained or
available to the third party upon completion of the terms of
the contract.
�
AB 1584 (Buchanan)
Page 3 of ?
This bill would also state that a contract which fails to comply
with these provisions shall become voidable and shall require
the third party to return all pupil records in its possession to
the educational agency.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)
Existing case law permits a person to bring an action in tort
for an invasion of privacy and provides that in order to state a
claim for violation of the constitutional right to privacy, a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing law recognizes four types of activities considered to
be an invasion of privacy, giving rise to civil liability
including the public disclosure of private facts. (Id.)
Existing federal law requires an operator of an Internet Web
site or online service directed to a child, as defined, or an
operator of an Internet Web site or online service that has
actual knowledge that it is collecting personal information from
a child to provide notice of what information is being collected
and how that information is being used, and to give the parents
of the child the opportunity to refuse to permit the operator's
further collection of information from the child. (15 U.S.C.
Sec. 6502.)
Existing federal law , the Federal Educational Rights and Privacy
Act, restricts a school that receives federal funds from
releasing educational records (or personally identifiable
information contained therein) of students without the written
consent of their parents, as specified. Existing law also gives
the parents of students who are or have been in attendance at a
school the right to inspect and review the education records of
their children. (20 U.S.C. Sec. 1232g.)
This bill would provide that a local educational agency, as
defined, may enter into a contract with a third party for either
or both of the following purposes:
to provide services, including cloud-based services, for the
�
AB 1584 (Buchanan)
Page 4 of ?
digital storage, management, and retrieval of pupil records;
and
to provide digital educational software that authorizes a
third-party provider of digital educational software to access
and acquire pupil records.
This bill would require a local educational agency that enters
into such a contract with a third party to ensure the contract
contains:
a statement that pupil records continue to be the property of
and under the control of the local educational agency;
a prohibition against the third party using personally
identifiable information in individual pupil records for
commercial or advertising purposes;
a prohibition against the third party using any information in
the pupil record for any purpose other than for the
requirements of the contract;
a description of the procedures by which a parent, legal
guardian, or eligible pupil may review the pupil's records and
correct erroneous information;
a description of the actions the third party will take,
including the designation and training of responsible
individuals, to ensure the security of pupil records;
a description of the procedures for notifying the affected
parent, legal guardian, and eligible pupil in the event of an
unauthorized disclosure of the pupil's records;
a certification that a pupil's records shall not be retained
or available to the third party upon completion of the terms
of the contract;
a description of how the local educational agency and the
third party will jointly ensure compliance with relevant
federal law; and
a provision stating that a contract that fails to comply with
these requirements shall be voidable and all pupil records in
possession of the third party shall be returned to the local
educational agency.
This bill would define "local educational agency" to mean school
districts, county offices of education, and charter schools.
This bill would define "pupil records" to mean both any
information directly related to a pupil that is maintained by
the local educational agency, and any information acquired
directly from the pupil through the use of instructional
software or applications assigned to the pupil by a teacher or
other local educational agency employee. However, pupil records
�
AB 1584 (Buchanan)
Page 5 of ?
would not mean records of teachers and school administrators
that are kept in their sole possession and not revealed to any
other individual except a substitute teacher.
This bill would state that if its provisions are in conflict
with the terms of a contract in effect before January 1, 2015,
these provisions shall not apply to the local educational agency
or the third party subject to that agreement until the
expiration, amendment, or renewal of the agreement.
COMMENT
1. Stated need for the bill
The author writes:
The Federal Educational Rights and Privacy Act (FERPA) does a
poor job of protecting student records that are transferred to
third parties in electronic form. It is silent on how its
provisions should be implemented and its protections ensured.
In addition, private companies are beyond the regulatory reach
of the U.S. Department of Education, which has the
responsibility of enforcing FERPA.
AB 1584 fills this gap by outlining specific actions and
specifying certain provisions that third parties must
contractually agree to that ensure student privacy. The bill
ensures that the protections of FERPA apply when student
records are maintained by a school district and are not lost
simply because those records have been transferred to a third
party in electronic form. It does so by specifying provisions
that must be addressed in a contract between a local
educational agency and a third party that involves
cloud-based, online or other Internet services.
2. Maintaining student privacy
Staff notes that the right to privacy is a fundamental right
protected by Section 1 of Article I of the Constitution of
California. This bill builds upon that fundamental right by
requiring contracts entered into with third party technology
providers to include specific terms to help keep student records
private and to prevent student records from being used for
unauthorized purposes, such as advertising. Aside from
requiring privacy protections, this bill also requires these
contracts to provide means for parents, legal guardians, and
�
AB 1584 (Buchanan)
Page 6 of ?
students themselves (upon reaching 18 years of age) to review
pupil records in the possession of third party contractors and
to correct erroneous information. The Association of California
School Administrators, writing in support, states:
School districts continue to expand their learning platforms
in order to personalize learning providing teachers with
real-time feedback. The increased collection, storage, and
sharing of educational data poses real threats to students and
their families. Standard vendor user agreements often come up
short with respect to security of student data.
While this bill includes a number of robust privacy protections,
it does not require contracts to explicitly state how student
privacy will be ensured. To correct this oversight, the author
offers the following amendment:
Author's Amendment :
On page 2, line 27, following "security" insert: and
confidentiality
3. Scope of definitions
In its current form, this bill defines "pupil records" to mean
both any information directly related to a pupil that is
maintained by the local educational agency, and any information
acquired directly from the pupil through the use of
instructional software or applications assigned to the pupil by
a teacher or other local educational agency employee. However,
the bill specifies that pupil records would not mean records of
teachers and school administrators that are kept in their sole
possession and not revealed to any other individual except a
substitute teacher. The Internet Association, writing in
opposition, has expressed concern that this definition is too
broad, and may cause confusion for parties entering into
educational services contracts. They write:
This [definition] would conceivably include any information
generated through the student's use of the educational
application or software, whether that information is sensitive
- like a student's home address or social security number - or
not, like data on a student's user experience with the
educational software, including what features improved
learning outcomes for the student, what features were less
helpful, and other pieces of information that could otherwise
�
AB 1584 (Buchanan)
Page 7 of ?
be used by the third party to innovate and improve the
educational product. When combined with the other provisions
of the bill . . . the inclusion of this expansive "catch all"
provision in the definition of "pupil records" will create
technological compliance challenges for third party providers,
limit their ability to innovate and improve their products,
and provide no perceivable benefit to schools, teachers, or
students who gain from the use of these educational
technologies.
The Technology Association of America similarly suggests that
this definition:
[goes] far beyond what is in current law and practice. We
believe the new definition would include non-identifiable
information as well as "any information acquired directly from
the pupil" which could include de-identified metadata which is
necessary for the operation and improvement of the software
application and would interfere with necessary and legitimate
education activities.
The author recognizes that the definition of "pupil records" is
crucial to setting the scope of information or data to be
covered by this bill should it become law. As such, a balance
must be struck between ensuring student privacy and preventing
the commodification and sale of student data on one side, and
allowing technology companies an appropriate measure of freedom
to innovate and operate their products on the other. The author
offers the following amendments to more acutely define the
breadth of information enveloped by this bill:
Author's Amendments :
On page 2, line 15, following "agency." insert: For purposes
of this subparagraph, "pupil records" do not include
pupil-generated content.
(2) A description of the means by which pupils may retain
possession and control of their own pupil-generated content,
if any.
On page 2, strike lines 16 through 18
On page 3, strike lines 27 through 29
On page 3, between lines 35 and 36, insert:
(4) "Pupil records" does not mean any of the following:
�
AB 1584 (Buchanan)
Page 8 of ?
(i) De-identified information, including aggregated
de-identified information, used by the third party to
improve educational products, for adaptive learning
purposes, and for customizing student learning;
(ii) De-identified information, including aggregated
de-identified information, used to demonstrate the
effectiveness of the operator's products, including in
their marketing; and
(iii) De-identified information, including aggregated
de-identified information, used for the development and
improvement of educational sites, services, or
applications.
On page 3, strike lines 36 through 38
On page 4, between lines 3 and 4, insert:
(5) "Pupil-generated content" means materials created by a
pupil, including, but not limited to, essays, research
reports, portfolios, creative writing, music or other audio
files, and photographs.
(6) "De-identified" means information that cannot be used to
identify an individual pupil.
Staff notes that these amendments to the definition of "pupil
record" not only refine the scope of information subject to the
restrictions in this bill, but also ensure that students do not
lose whatever intellectual property interest they may have in
their own original works and creations. These amendments also
remove "de-identified information" -- data that cannot be linked
back to a particular student -- from the scope of pupil records
to ensure that technology providers are able to gather
"metadata" necessary to ensure the proper operation of
instructional software and applications.
4. Consequences for noncompliance
Independent of any other penalties, this bill would provide that
a contract that fails to comply with the requirements of this
bill shall be voidable and shall require all pupil records in
the possession of the third party to be returned to the local
educational agency. The bill, however, fails to specify exactly
who has the option to void a non-conforming contract.
Conceivably, any of the following individuals or entities could
have cause to void such a contract under the right scenario:
the third party technology provider, the local educational
�
AB 1584 (Buchanan)
Page 9 of ?
agency, the parent or guardian of a student as a third party
beneficiary, or perhaps even the students themselves. To avoid
potential confusion about who may render a nonconforming
contract void, the author offers the following amendments to
clarify the conditions upon which a contract becomes void for
noncompliance with this bill:
Author's Amendments :
On page 3, strike lines 18 through 20
On page 3, between lines 20 and 21, insert: (c) In addition
to any other penalties, a contract that fails to comply with
the requirements of this section shall be rendered void if,
upon notice and a reasonable opportunity to cure, the
non-compliant party fails to come into immediate compliance
and cure any defect. Notice of non-compliance may be given by
any party or intended beneficiary of the contract, and must be
in writing. All parties subject to a contract avoided under
this subdivision shall immediately return all pupil records in
their possession to the local educational agency.
On page 3, line 21, strike "(c)" and insert "(d)"
On page 4, line 4, strike "(d)" and insert "(e)"
Support : Association of California School Administrators;
California State PTA
Opposition : Internet Association; Technology Association of
America
HISTORY
Source : Author
Related Pending Legislation :
SB 501 (Corbett) would require social networking Web sites to
remove the personal information of a registered user, upon
request, and permit a parent or legal guardian of a registered
user who identifies himself or herself as under 18 years of age
to request the social networking Internet Web sites to remove
personal identifying information of their children. This bill
is in the Assembly Arts, Entertainment, Sports, Tourism, and
Internet Media Committee.
�
AB 1584 (Buchanan)
Page 10 of ?
SB 1177 (Steinberg) would prohibit an operator of an Internet
Web site, online service, online application, or mobile
application designed and marketed for K-12 school purposes from
using, sharing, disclosing, or compiling specified information
about a K-12 student for any purpose other than the K-12 school
purpose or for maintaining, developing, and improving the
integrity and effectiveness of the site, service, or
application. This bill is in the Assembly Arts, Entertainment,
Sports, Tourism, and Internet Media Committee.
AB 1442 (Gatto) would authorize a school district, county office
of education, or charter school to adopt a program to gather or
maintain personal information from social media on enrolled
pupils only if certain specified conditions are met. This bill
is set for hearing in the Senate Judiciary Committee.
Prior Legislation :
SB 568 (Steinberg, Ch. 336, Stats. 2013) prohibits an operator
of an Internet Web site, online service, online application, or
mobile application, from marketing or advertising a product or
service to a minor if the minor cannot legally purchase the
product or participate in the service in the State of
California. This bill also prohibits an operator from using,
disclosing, or compiling, or allowing a third party to knowingly
use, disclose, or compile, the personal information of a minor
for the purpose of marketing goods or services that minors
cannot legally purchase or engage in the State of California.
AB 1291 (Lowenthal, 2013) would have created the Right to Know
act of 2013, repealing and reorganizing certain provisions of
existing law pertaining to the disclosure of a consumer's
personal information. This bill died in the Assembly Judiciary
Committee.
SB 761 (Lowenthal, 2012) would have required the Attorney
General, by July 1, 2012, to adopt regulations that would
require online businesses to provide California consumers with a
method for the consumer to opt out of the collection or use of
his or her information by the business. This bill died in the
Senate Appropriations Committee.
SB 242 (Corbett, 2011) would have prohibited a social networking
Internet Web site from displaying the home address or telephone
number, in specified text fields, of a registered user who
identifies himself or herself as under 18 years of age. This
�
AB 1584 (Buchanan)
Page 11 of ?
bill failed passage on the Senate floor.
SB 1361 (Corbett, 2010) would have prohibited a social
networking Internet Web site, as defined, from displaying, to
the public or other registered users, the home address or
telephone number of a registered user of that Internet Web site
who is under 18 years of age, as provided. This bill failed
passage in the Assembly Arts, Entertainment, Sports, Tourism,
and Internet Media Committee.
SB 632 (Davis, 2009) would have required a social networking
Internet Web site to provide a disclosure to users that an image
which is uploaded onto the Web site is capable of being copied,
without consent, by persons who view the image, or copied in
violation of the privacy policy, terms of use, or other policy
of the site. This bill was vetoed.
ACR 106 (Nava, 2008) would have urged user-generated content Web
sites to work with the Safety Technical Task Force and law
enforcement to reduce the use of those Web sites for purposes of
criminal behavior. This resolution died on the Assembly Floor.
Prior Vote :
Senate Education Committee (Ayes 7, Noes 0)
Assembly Floor (Ayes 75, Noes 0)
Assembly Committee on Education (Ayes 10, Noes 0)
Assembly Committee on Judiciary (Ayes 7, Noes 0)
**************