BILL ANALYSIS �Ó
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session
SB 1177 (Steinberg)
As Amended April 21, 2014
Hearing Date: April 29, 2014
Fiscal: No
Urgency: No
BCP
SUBJECT
Privacy: Students
DESCRIPTION
This bill would prohibit an operator of an Internet Web site,
online service, online application, or mobile application that
is used, designed and marketed for K-12 school purposes from
using, sharing, disclosing, or compiling personal information
about a K-12 student for commercial purposes. This bill would
also provide that those operators shall not allow, facilitate,
or aid in the marketing or advertising of a product or service
to a K-12 student on the site, service, or application.
This bill would also require an operator to ensure that
specified encryption processes are used and to delete a
student's personal information under specified circumstances.
BACKGROUND
Under existing federal law, the Federal Educational Rights and
Privacy Act (FERPA) generally seeks to protect the
confidentiality of educational records (and personally
identifiable information contained therein) by prohibiting the
funding of schools that permit the release of those records.
(20 U.S.C. Sec. 1232g(b)(1).) FERPA's prohibition only applies
to the school itself and contains various exemptions where the
data may be released without the written consent of the parents.
Since the enactment of FERPA in 1974, educational institutions
have undergone dramatic changes in the way that students are
(more)
�
SB 1177 (Steinberg)
Page 2 of ?
taught, including the increased use of technology. With respect
to the use of technology and learning, the Department of
Education observes that:
Schools can use digital resources in a variety of ways to
support teaching and learning. Electronic grade books,
digital portfolios, learning games, and real-time feedback
on teacher and student performance, are a few ways that
technology can be utilized to power learning.
High Tech High - High Tech High (HTH) is a network
of eleven California charter schools offering
project-based learning opportunities to students in
grades K-12. HTH links technical and academic studies
and focuses on personalization and the connection of
learning to the real world. To support student
learning and share the results of project-based
learning, HTH makes a wealth of resources available
online, including teacher and student portfolios,
videos, lessons, and other resources.
New Technology High School - At this California
school, student work is assessed across classes and
grades, and feedback is made available to students via
online grade books. These grade books are continually
updated so that students can see how they are doing not
only in each course, but also on each of their learning
outcomes, averaged across all their courses.
Electronic learning portfolios contain examples of
students' work and associated evaluations across all
classes and grades. New Tech High is part of the
national New Tech Network.
Quest to Learn - This school, located in New York,
utilizes games and other forms of digital media to
provide students with a curriculum that is design-led
and inquiry-based. The goal of this model is to use
education technologies to support students in becoming
active problem solvers and critical thinkers, and to
provide students with constant feedback on their
achievement.
(http://www.ed.gov/oii-news/use-technology-teaching-and-
learning.)
In response to the increased use of technology in the classroom,
this bill seeks to prohibit the K-12 online educational sites,
�
SB 1177 (Steinberg)
Page 3 of ?
services, and applications from compiling, sharing, or
disclosing student personal information and from facilitating
marketing, or advertising to K-12 students.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)
Existing case law permits a person to bring an action in tort
for an invasion of privacy and provides that in order to state a
claim for violation of the constitutional right to privacy, a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing case law recognizes four types of activities considered
to be an invasion of privacy giving rise to civil liability,
including the public disclosure of private facts. (Id.)
Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously post
its privacy policy. (Online Privacy Protection Act of 2003,
Bus. & Prof. Code Sec. 22575.)
This bill , the Student Online Personal Information Protection
Act, would require an operator of an Internet Web site, online
service, online application, or mobile application with actual
knowledge that the site, service or application is used for K-12
school purposes and was designed and marketed for K-12 school
purposes to comply with the following:
it shall not use, share, disclose, or compile personal
information about a K-12 student for any purpose other than
the K-12 school purpose and for maintaining, developing,
and improving the integrity and effectiveness of the site,
service, or application, as long as no personal information
is used for any purpose in furtherance of advertising or to
amass a profile on the student for purposes other than K-12
school purposes;
it shall not use, share, disclose or compile a student's
personal information for any commercial purpose, including,
but not limited to, advertising or profiling;
�
SB 1177 (Steinberg)
Page 4 of ?
it shall not allow, facilitate, or aid in the marketing or
advertising of a product or service to a K-12 student on the
site, service, or application; and
it shall take reasonable steps to protect the personal
information data in a manner that meets or exceeds reasonable
and appropriate commercial best practices. An operator shall
be deemed to be in compliance if the operator uses specified
valid encryption processes.
This bill would require an operator of an Internet Web site,
online service or application with actual knowledge that the
site, service, or application is used for K-12 school purposes
and that it was designed and marketed for K-12 school purposes,
to delete a student's personal information if any of the
following occurs:
the site, service, or application has actual knowledge
that it is no longer used for K-12 school purposes, unless
the information is being used or maintained at the
direction of a school or district and is under the direct
control of the school or district;
the student requests deletion, unless it is being used at the
direction of a school or district and is under the control of
the school or district; or
the school or school district requests deletion.
This bill would allow an operator to disclose personal
information of a student if other provisions of federal or state
law require the operator to disclose the information, and the
operator complies with the requirements of federal and state law
in protecting and disclosing that information.
This bill would also permit an operator to disclose personal
information of a student for legitimate research purposes as
required by state and federal law and subject to the
restrictions under state and federal law, or, as allowed by
state and federal law and under the direction of a school,
school district, or state department of education, as long as no
personal information is used for any purpose in furtherance of
advertising or to amass a profile on the student for purposes
other than K-12 school purposes. This bill would also allow the
operator to use deidentified student personal information within
the site service or application to improve educational products,
for adaptive learning purposes, and for customizing student
learning, as specified.
This bill would define "online service" to include cloud
�
SB 1177 (Steinberg)
Page 5 of ?
computing services, and define "personal information" as any
information or materials in any media or format created or
provided by a student, or the student's parent or legal
guardian, in the course of the student's, or parent's or legal
guardian's, use of the site, service, or application or an
employee or agent of the educational institution, or gathered by
the site, service, or application, that is related to a student,
as specified.
COMMENT
1. Stated need for the bill
According to the author:
The Student Online Personal Information Protection Act
("SOPIPA") closes loopholes that can be exploited by
Internet companies for profit through collecting and sharing
students' personal information obtained through online
services marketed for school purposes.
These companies are operating with zero restrictions, except
for the ones that they themselves deem unilaterally
appropriate. That is unacceptable. Kids are in the classroom
to learn and we value the security of their personal
information above private profit.
Many companies provide online services to aide classroom
teaching but they require students to create accounts that
capture contact data and personal academic information such
as grades, disciplinary history, and chat records. In some
instances, companies are mining data from schoolchildren
beyond the needs of the classroom. Some Apps marketed to
teachers and kids could track a child's physical location.
In many cases, the only agreement about how a student's
personal information is processed is the privacy policy
drafted by the online company. Some privacy policies state
that they are "subject to change" unilaterally and at any
time. Others include provisions which affirmatively state
that the online company has no liability if they mishandle
personal information.
Current federal and state law puts the onus only on schools
and school districts to protect student personal
information, not online companies. The type of personal
�
SB 1177 (Steinberg)
Page 6 of ?
information that these companies may gather is broad and
highly prized by online advertisers and marketers.
SOPIPA would prohibit the commercial use of student personal
information for any secondary purposes including
advertising, require online companies to properly encrypt
student data, and require deletion of student personal
information in certain instances.
We must get ahead of this problem before it's too late. I
intend to put safeguards around student personal information
while allowing the industry to continue innovating.
2. Prohibition on sharing personal information
This bill seeks to protect the personal information of students
by generally prohibiting the operator of an Internet Web site,
service or application that is used, designed and marketed for
K-12 school purposes from sharing, disclosing, or compiling
personal information about a student for any purpose other than
the K-12 school purpose. That broad prohibition ensures that
when a student uses a third party K-12 Web site, or application,
as part of his or her schoolwork, that third-party cannot
compile personal information about the student unless it is for
the school purpose. By preventing the compilation of that
personal information, this bill would prevent an operator from
creating a profile about a student that could then be used for
purposes of marketing or advertising.
In support of the privacy protections proposed by this bill, the
California State PTA notes that: "School districts are
increasingly integrating the use of computers and technology in
the classroom to personalize content, employing virtual forums
for interacting with other students and teachers, and utilizing
other interactive technologies to enhance student learning.
Many of these sites require students to log in and create
accounts where personal information can be tracked, collected,
stored and analyzed. It is necessary to place restrictions on
these online sites, services and applications so that our
student's personal information is safe and is not used for
secondary non-educational purposes." Common Sense Media, in
support, states that "the school zone should be a privacy zone,
a safe and trusted environment where our kids can learn and
explore, where educators can harness technology to enrich their
learning and where their sensitive information is safe and
secure." Regarding the current practices of public schools, a
�
SB 1177 (Steinberg)
Page 7 of ?
December 13, 2013 study by Fordham Law School entitled Privacy
and Cloud Computing in Public Schools found that:
95 [percent] of districts rely on cloud services for a
diverse range of functions including data mining related to
student performance, support for classroom activities,
student guidance, data hosting, as well as special services
such as cafeteria payments and transportation planning.
Cloud services are poorly understood, non-transparent,
and weakly governed: only 25[percent] of districts inform
parents of their use of cloud services, 20% of districts
fail to have policies governing the use of online services,
and a sizeable plurality of districts have rampant gaps in
their contract documentation, including missing privacy
policies.
Districts frequently surrender control of student
information when using cloud services: fewer than 25
[percent] of the agreements specify the purpose for
disclosures of student information, fewer than 7 [percent]
of the contracts restrict the sale or marketing of student
information by vendors, and many agreements allow vendors
to change the terms without notice. [The Federal
Educational Rights and Privacy Act (FERPA)], however,
generally requires districts to have direct control of
student information when disclosed to third-party service
providers.
An overwhelming majority of cloud service contracts do
not address parental notice, consent, or access to student
information. Some services even require parents to
activate accounts and, in the process, consent to privacy
policies that may contradict those in the district's
agreement with the vendor. . . .
School district cloud service agreements generally do
not provide for data security and even allow vendors to
retain student information in perpetuity with alarming
frequency. Yet, basic norms of information privacy require
data security. (Fordham Law School, Center on Law and
Information Policy, Privacy and Cloud Computing in Public
Schools (Dec. 12, 2013) pp. 1-2.)
While FERPA generally protects personally identifiable
information from unauthorized disclosure, that provision applies
�
SB 1177 (Steinberg)
Page 8 of ?
only to schools, not to third parties who operate K-12 Web
sites, services, or applications. Furthermore, a recent article
by Paul Schwartz and Daniel Solove entitled The Battle for
Leadership in Education Privacy Law: Will California Seize the
Throne? observed:
There are notable gaps in FERPA that make it largely
ineffective in protecting student privacy in today's digital
age. For example, FERPA lacks meaningful enforcement.
Students and their parents have no right to sue for FERPA
violations. Only the Department of Education can enforce
the law. FERPA only allows one sanction -- the removal of
all federal funding for an educational institution. This
sanction is so impractical and severe that the Department
has never used it in FERPA's four-decade history. Thus,
enforcement of the statute is essentially nonexistent.
Moreover, FERPA enforcement only applies to schools. Unlike
HIPAA, which gives the Department of Health and Human
Services (HHS) the authority to enforce against nearly all
entities that receive HIPAA-regulated information, the
Department of Education lacks similar authority. The
Department of Education is unable to enforce against
businesses that are not schools, but that receive
FERPA-regulated data.
FERPA also says little about selecting a cloud provider or
about the responsibilities of such an entity. . . . FERPA
[also] does not have much more to say about the
responsibilities of a cloud computing provider. In fact, it
contains a potentially broad loophole. If a school
discloses education records for outsourcing its functions,
the FERPA Regulations allow the school to designate the
cloud computing provider as a "school official" in order to
facilitate the sharing. When a school shares student data
with a cloud service provider, the duties of the provider to
protect the data are governed by the contract into which the
school and the provider enter. (Paul Schwartz, Daniel
Solove, SafeGov, The Battle for Leadership in Education
Privacy Law: Will California Seize the Throne? (Mar. 27,
2014)
.)
It should be noted that the bill would allow the site, service,
or application to use, share, disclose, or compile information
�
SB 1177 (Steinberg)
Page 9 of ?
about a K-12 student in order to maintain, develop, or improve
the integrity and effectiveness of the site, service, or
application. That allowance arguably permits those sites to
perform necessary maintenance as well as to examine student
performance in order to further enhance the product in a way
that facilitates student learning. For example, a site could
look at answers to a certain test question and see that students
were performing poorly as compared to the rest of the test. The
site could then reexamine both the question and materials to
determine why students were not succeeding in that particular
area. The bill conditions the ability to use, share, disclose
or compile the information under the exception by specifically
stating that no personal information may be used for any purpose
in furtherance of advertising or to amass a profile on the
student for purposes other than K-12 student purposes. That
condition arguably ensures that the language that allows the use
of student information to develop, maintain, and improve the
site does not create a loophole.
3. Prohibition on advertising
This bill would additionally prohibit the operator of a site,
service, or application that is used, designed and marketed for
K-12 school purposes from using, sharing, disclosing or
compiling a student's personal information for any commercial
purpose. Similarly, the operator would be prohibited from
allowing, facilitating, or aiding in the marketing or
advertising of a product or service to a K-12 student on the
site, service, or application. As a result, this bill would
prevent the operator from either directly advertising or selling
student information (or a profile about the student) that could
later be used by another party to advertise to that student.
Privacy Rights Clearinghouse, in support, asserts that "[o]nline
educational tools can be a useful adjunct to traditional
teaching methods. However, when students are using these sites
for school purposes, their time on these sites should be for
learning, not advertising. Children are especially
impressionable, particularly at younger ages."
It should be noted that this bill would limit advertising
("commercial speech") under the First Amendment. Commercial
speech is not afforded full protection under the First
Amendment, but, legislation that regulates speech concerning
lawful activity must generally meet the following criteria: (1)
the government interest must be substantial; and (2) the
government regulation must directly advance the governmental
�
SB 1177 (Steinberg)
Page 10 of ?
interest asserted and be not more extensive than necessary to
serve that interest. (See Cent. Hudson Gas & Elec. Corp. v.
Public Serv. Comm'n (1980) 447 U.S. 557, 561.) In this case,
assuming the advertisements are lawful (although there are other
restrictions on advertisements to children), the bill's
restriction would be upheld if California's interest in
restricting these advertisements is substantial, this bill
directly advances that interest, and is not more extensive than
necessary to serve that interest. Given that children are
vulnerable to advertisements they may be exposed to as a result
of required education, and that this bill is narrowly tailored
only to K-12 sites that are used, designed, and marketed for
school purposes, the bill would arguably withstand scrutiny
under the First Amendment.
4. Deletion requirement
This bill would also require sites, services or applications
that are used, designed and marketed for K-12 school purposes to
delete a student's personal information if: (1) the site,
service or application has actual knowledge that it is no longer
used for K-12 school purposes, unless it is used or maintained
at the direction of the school and under the direct control of
the school; (2) the student requests deletion, unless it is
being used at the direction of, and is under the control of, a
school; or (3) the school or school district requests deletion.
Those provisions seek to ensure that data is deleted when it is
no longer necessary for the original purpose, and, to provide
students with a level of control over their personal information
gathered by the site, service, or application. From a policy
standpoint, the deletion of personal information is an effective
way to address a wide range of privacy issues, including, risk
of data breach and that the information may be sold to a third
party or otherwise used to profile an individual.
5. Data protection
To further ensure that K-12 sites, services, or applications
protect a student's personal information, this bill would
require those entities to take all reasonable steps to protect
the personal information in a manner that exceeds reasonable and
appropriate commercial best practices. In order to provide
reassurance to those entities as to what would qualify as
reasonable steps, the bill codifies that an operator shall be
deemed to comply with the data protection requirement if the
operator complies with specified standards formulated by the
�
SB 1177 (Steinberg)
Page 11 of ?
National Institute of Standards and Technology.
6. Workability exemptions
This bill includes various exceptions in order to permit the use
of student information under certain circumstances. For
example, an operator may disclose the information if required by
other provisions of federal or state law, provided that the
operator complies with the requirements of those laws in
protecting and disclosing that information. Similarly, an
operator may disclose information for legitimate research
purposes as required by law, or, as allowed by law under the
direction of a school (provided that no information is used in
furtherance of advertising or to amass a profile for non K-12
purposes). Finally, an operator may use deidentified student
personal information to improve educational products, for
adaptive learning purposes, and for customizing student
learning.
Support : California Federation of Teachers; California State
PTA; Common Sense Media; Klaas Kids Foundation; Privacy Rights
Clearinghouse; Services Employees International Union
Opposition : None Known
HISTORY
Source : Author
Related Pending Legislation : None Known
Prior Legislation : SB 568 (Steinberg, Chapter 336, Statutes of
2013) prohibited an operator of an Internet Web site, online
service, online application, or mobile application, as
specified, from marketing or advertising specified types of
products or services to a minor; prohibited an operator from
knowingly using, disclosing, compiling, or allowing a third
party to use, disclose, or compile, the personal information of
a minor for the purpose of marketing or advertising specified
types of products or services; required the operator of an
Internet Web site, online service, online application, or mobile
application to permit a minor, who is a registered user of the
operator's Internet Web site, online service, online
application, or mobile application, to remove, or to request and
obtain removal of, content or information posted on the
�
SB 1177 (Steinberg)
Page 12 of ?
operator's Internet Web site, service, or application by the
minor, as specified.
Prior Vote : Senate Committee on Education (Ayes 9, Noes 0)
**************