BILL ANALYSIS �Ó
SB 1177
Page 1
Date of Hearing: June 24, 2014
ASSEMBLY COMMITTEE ON ARTS, ENTERTAINMENT, SPORTS, TOURISM, AND
INTERNET MEDIA
Ian C. Calderon, Chair
SB 1177 (Steinberg) - As Amended: June 10, 2014
SENATE VOTE : 35-0
SUBJECT : Privacy: Students
SUMMARY : This bill would prohibit an Operator of an Internet
Web site, online service, online application, or mobile
application that is used, designed and marketed for K-12 school
purposes from using, sharing, disclosing, or compiling covered
information about a K-12 student in furtherance of targeted
advertising or to amass a profile of the student, as provided,
nor sell or disclose covered information. This bill would also
require an operator to ensure that reasonable steps are taken to
protect the covered information, and to delete a student's
personal information under specified circumstances.
Specifically, this bill :
1)Requires that an Operator of an Internet Web site, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K-12 school purposes and was designed and
marketed for K-12 school purposes (Operator) shall comply with
all of the following requirements:
a) The Operator shall not use, share, disclose, or compile
covered information about a K-12 student for any purpose
other than:
i) the K-12 school purpose, as defined;
ii) for maintaining, developing, and improving the
integrity and effectiveness of the site, service, or
application, as long as no personal information is used
for any purpose in furtherance of targeted advertising;
iii) to amass a profile on the student for purposes other
than for K-12 school purposes.
b) The Operator shall not sell or disclose a student's
�
SB 1177
Page 2
covered information.
c) The Operator shall take reasonable steps to protect the
covered information at rest and in transmission in a manner
that meets or exceeds reasonable and appropriate commercial
best practices.
2)Provides that an Operator shall delete a student's covered
information if the school or district requests deletion.
3)Allows an Operator to disclose covered information of a
student if other provisions of federal or state law require
the operator to disclose covered information, and the operator
complies with the requirements of federal and state law in
protecting and disclosing that information.
4)Provides that "online service" includes cloud computing
services.
5)Allows an Operator to disclose covered information of a
student for legitimate research purposes as required by state
and federal law and subject to the restrictions under state
and federal law or as allowed by state and federal law and
under the direction of a school, school district, or state
department of education, as long as no covered information is
used for any purpose in furtherance of advertising or to amass
a profile on the student for purposes other than K-12 school
purposes.
6)Contains the following definitions:
a) "Covered information" means information or materials in
any media or format that meets any of the following:
i) Are created or provided by a student, or the
student's parent or legal guardian, in the course of the
student's, parent's, legal guardian's, use of the site,
service, or application for K-12 school purposes.
ii) Are created or provided by an employee or agent of
the educational institution.
iii) Are gathered by the site, service, or application,
that is descriptive of a student or otherwise identified
a student, including, but not limited to, information in
�
SB 1177
Page 3
the student's educational record or email, first and last
name, home address, telephone number, email address, or
other information that allows physical or online contact,
discipline records, test results, special education data,
juvenile dependency records, grades, evaluations,
criminal records, medical records, health records, social
security number, biometric information, disabilities,
socioeconomic information, food purchases, political
affiliations, religious information, text messages,
documents, persistent unique identifiers, search
activity, photos, voice recordings, or geolocation
information.
b) "K-12 school purposes" means purposes that customarily
take place at the direction of the school, teacher, or
school district or aid in the administration of school
activities, including, but not limited to, instruction in
the classroom or at home, administrative activities, and
collaboration between students, school personnel, parents,
or are for the use and benefit of the school.
7)Clarifies that its provisions shall not be construed to limit
the authority of a law enforcement agency to obtain any
content or information from an operator as authorized by law
or pursuant to an order of a court of competent jurisdiction.
8)Further clarifies that this chapter does not apply to general
audience Internet Web sites, general audience online services,
general audience online applications, or general audience
mobile applications, nor does it prohibit Internet service
providers from providing Internet connectivity to schools or
students and their families.
9)Allows an Operator to use deidentified student covered
information, including aggregated deidentified student covered
information:
a) within the Operator's site, service, or application or
other sites, services, or applications owned by the
Operator to improve educational products, for adaptive
learning purposes, and for customizing student learning;
b) to demonstrate the effectiveness of the Operator's
products, including in their marketing.
10) Also allows an Operator to share aggregated deidentified
�
SB 1177
Page 4
student covered information for the development and
improvement of educational sites, services, or applications.
11)Clarifies that this section shall not be construed to
prohibit an Operator of an Internet Web site, online service,
online application, or mobile application from marketing
educational products directly to parents, so long as the
marketing was not the result of student covered information
provided to the Operator of the Internet Web site, online
service, online application, or mobile application.
12)Provides that this chapter shall become operative on January
1, 2016.
13)Declares that the provisions of this act are severable, and
that if any provision of this act or its application is held
invalid, that invalidity shall not affect other provisions or
applications that can be given effect without the invalid
provision or application.
EXISTING FEDERAL LAW provides the Federal Educational Rights and
Privacy Act (FERPA) generally seeks to protect the
confidentiality of educational records (and personally
identifiable information contained therein) by prohibiting the
funding of schools that permit the release of those records.
(20 U.S.C. Sec. 1232g(b)(1).) FERPA's prohibition only applies
to the school itself and contains various exemptions where the
data may be released without the written consent of the parents.
EXISTING STATE LAW:
1)Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy. (Cal. Const.,
art. I, Sec. 1.)
2)Requires an Operator of a commercial Web site or online
service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously post
its privacy policy. (Online Privacy Protection Act of 2003,
Bus. & Prof. Code Sec. 22575.)
3)Prohibits an Operator of an Internet Web site, online service,
online application, or mobile application from marketing or
�
SB 1177
Page 5
advertising specified types of products or services to a
minor; knowingly using, disclosing, compiling, or allowing a
third party to use, disclose, or compile, the personal
information of a minor for the purpose of marketing or
advertising specified types of products or services; requires
the Operator to permit a minor, who is a registered user of
the Operator to remove, or to request and obtain removal of,
content or information posted on the operator's Internet Web
site, service, or application, as specified. (Privacy Rights
for California Minors in the Digital World Act, Bus. & Prof.
Code Section 22580, et seq.)
Existing case law permits a person to bring an action in tort
for an invasion of privacy and provides that in order to state a
claim for violation of the constitutional right to privacy, a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing case law recognizes four types of activities considered
to be an invasion of privacy giving rise to civil liability,
including the public disclosure of private facts. (Id.)
FISCAL EFFECT : Unknown
COMMENTS :
1)Author and supporters urge limits on marketing students
personal information
According to the author, "Children's personal information is
sacred. The federal law that is supposed to protect student
personal information from disclosure is deficient in this new
digital age. The Student Online Personal Information
Protection Act ("SOPIPA") closes loopholes that can be
exploited by Internet companies for profit through collecting
and sharing students' personal information obtained through
online services marketed for school purposes. These companies
are operating with zero restrictions, except for the ones that
they themselves deem unilaterally appropriate. That is
unacceptable. Kids are in the classroom to learn and we value
the security of their personal information above private
profit.
�
SB 1177
Page 6
"Many companies provide online services to aide classroom
teaching but they require students to create accounts that
capture contact data and personal academic information such
as grades, disciplinary history, and chat records. In some
instances, companies are mining data from schoolchildren
beyond the needs of the classroom. Some Apps marketed to
teachers and kids could track a child's physical location.
"In many cases, the only agreement about how a student's
personal information is processed is the privacy policy
drafted by the online company. Some privacy policies state
that they are "subject to change" unilaterally and at any
time. Others include provisions which affirmatively state
that the online company has no liability if they mishandle
personal information.
"Current federal and state law puts the onus only on schools
and school districts to protect student personal
information, not online companies. The type of personal
information that these companies may gather is broad and
highly prized by online advertisers and marketers. We must
get ahead of this problem before it's too late."
The California State PTA states in support, "School districts
are increasingly integrating the use of computers and
technology in the classroom to personalize content, employing
virtual forums for interacting with other students and
teachers, and utilizing other interactive technologies to
enhance student learning. Many of these sites require
students to log in and create accounts where personal
information can be tracked, collected, stored and analyzed.
It is necessary to place restrictions on these online sites,
services and applications so that our student's personal
information is safe and is not used for secondary
non-educational purposes." Common Sense Media, also in
support, states that "the school zone should be a privacy
zone, a safe and trusted environment where our kids can learn
and explore, where educators can harness technology to enrich
their learning and where their sensitive information is safe
and secure." This sentiment is eched by Privacy Rights
Clearinghouse, who also state in support, "[o]nline
educational tools can be a useful adjunct to traditional
teaching methods. However, when students are using these
sites for school purposes, their time on these sites should be
�
SB 1177
Page 7
for learning, not advertising. Children are especially
impressionable, particularly at younger ages."
2)Background: Growth in use of electronic learning creates
privacy challenges
According to information provided by the author, since the
enactment of FERPA in 1974, educational institutions have
undergone dramatic changes in the way that students are
taught, including the increased use of technology. With
respect to the use of technology and learning, the Department
of Education observes that:
Schools can use digital resources in a variety of ways to
support teaching and learning. Electronic grade books,
digital portfolios, learning games, and real-time feedback
on teacher and student performance, are a few ways that
technology can be utilized to power learning.
High Tech High - High Tech High (HTH) is a network
of eleven California charter schools offering
project-based learning opportunities to students in
grades K-12. HTH links technical and academic studies
and focuses on personalization and the connection of
learning to the real world. To support student
learning and share the results of project-based
learning, HTH makes a wealth of resources available
online, including teacher and student portfolios,
videos, lessons, and other resources.
New Technology High School - At this California
school, student work is assessed across classes and
grades, and feedback is made available to students via
online grade books. These grade books are continually
updated so that students can see how they are doing not
only in each course, but also on each of their learning
outcomes, averaged across all their courses.
Electronic learning portfolios contain examples of
students' work and associated evaluations across all
classes and grades. New Tech High is part of the
national New Tech Network.
Quest to Learn - This school, located in New York,
utilizes games and other forms of digital media to
provide students with a curriculum that is design-led
�
SB 1177
Page 8
and inquiry-based. The goal of this model is to use
education technologies to support students in becoming
active problem solvers and critical thinkers, and to
provide students with constant feedback on their
achievement.
(http://www.ed.gov/oii-news/use-technology-teaching-and-
learning.)
Regarding the current practices of public schools, a December
13, 2013 study by Fordham Law School entitled Privacy and
Cloud Computing in Public Schools found that:
95% of districts rely on cloud services for a diverse
range of functions including data mining related to student
performance, support for classroom activities, student
guidance, data hosting, as well as special services such as
cafeteria payments and transportation planning.
Cloud services are poorly understood, non-transparent,
and weakly governed: only 25% of districts inform parents
of their use of cloud services, 20% of districts fail to
have policies governing the use of online services, and a
sizeable plurality of districts have rampant gaps in their
contract documentation, including missing privacy policies.
Districts frequently surrender control of student
information when using cloud services: fewer than 25 % of
the agreements specify the purpose for disclosures of
student information, fewer than 7% of the contracts
restrict the sale or marketing of student information by
vendors, and many agreements allow vendors to change the
terms without notice. [The Federal Educational Rights and
Privacy Act (FERPA)], however, generally requires districts
to have direct control of student information when
disclosed to third-party service providers.
An overwhelming majority of cloud service contracts do
not address parental notice, consent, or access to student
information. Some services even require parents to
activate accounts and, in the process, consent to privacy
policies that may contradict those in the district's
agreement with the vendor. . . .
School district cloud service agreements generally do
�
SB 1177
Page 9
not provide for data security and even allow vendors to
retain student information in perpetuity with alarming
frequency. Yet, basic norms of information privacy require
data security. (Fordham Law School, Center on Law and
Information Policy, Privacy and Cloud Computing in Public
Schools (Dec. 12, 2013) pp. 1-2.)
While FERPA generally protects personally identifiable
information from unauthorized disclosure, that provision
applies only to schools, not to third parties who operate K-12
Web sites, services, or applications. Furthermore, a recent
article by Paul Schwartz and Daniel Solove entitled The Battle
for Leadership in Education Privacy Law: Will California Seize
the Throne? observed:
There are notable gaps in FERPA that make it largely
ineffective in protecting student privacy in today's
digital age. For example, FERPA lacks meaningful
enforcement. Students and their parents have no right to
sue for FERPA violations. Only the Department of
Education can enforce the law. FERPA only allows one
sanction -- the removal of all federal funding for an
educational institution. This sanction is so impractical
and severe that the Department has never used it in
FERPA's four-decade history. Thus, enforcement of the
statute is essentially nonexistent.
Moreover, FERPA enforcement only applies to schools.
Unlike HIPAA, which gives the Department of Health and
Human Services (HHS) the authority to enforce against
nearly all entities that receive HIPAA-regulated
information, the Department of Education lacks similar
authority. The Department of Education is unable to
enforce against businesses that are not schools, but that
receive FERPA-regulated data.
FERPA also says little about selecting a cloud provider
or about the responsibilities of such an entity. . . .
FERPA [also] does not have much more to say about the
responsibilities of a cloud computing provider. In fact,
it contains a potentially broad loophole. If a school
discloses education records for outsourcing its
functions, the FERPA Regulations allow the school to
designate the cloud computing provider as a "school
official" in order to facilitate the sharing. When a
�
SB 1177
Page 10
school shares student data with a cloud service provider,
the duties of the provider to protect the data are
governed by the contract into which the school and the
provider enter. (Paul Schwartz, Daniel Solove, SafeGov,
The Battle for Leadership in Education Privacy Law: Will
California Seize the Throne? (Mar. 27, 2014)
.)
1)Summary of major provisions
This bill has three major provisions, and many exceptions,
which are as follows:
a) Prohibition on sharing personal information, called
"covered information"
This bill would prohibit an Operator from sharing,
disclosing, or compiling covered information about a
student for any purpose other than the K-12 school purpose
and for maintaining, developing, and improving the
integrity and effectiveness of the site, service, or
application, so long as no personal information is used for
any purpose in furtherance of targeted advertising or to
amass a profile on the student for purposes other than K-12
school purposes.
The bill would define "K-12 school purposes" to mean:
purposes that customarily take place at the direction of
the school, teacher, or school district or aid in the
administration of school activities, including, but not
limited to, instruction in the classroom or at home,
administrative activities, and collaboration between
students, school personnel, or parents, or are for the use
and benefit of the school.
"Covered information" means information or materials in any
media or format that meets any of the following:
Are created or provided by a student, or the student's
parent or legal guardian, in the course of the student's,
parent's, legal guardian's, use of the site, service, or
application for K-12 school purposes.
�
SB 1177
Page 11
Are created or provided by an employee or agent of the
educational institution.
Are gathered by the site, service, or application, that
is descriptive of a student or otherwise identified a
student, including, but not limited to, information in the
student's educational record or email, first and last name,
home address, telephone number, email address, or other
information that allows physical or online contact,
discipline records, test results, special education data,
juvenile dependency records, grades, evaluations, criminal
records, medical records, health records, social security
number, biometric information, disabilities, socioeconomic
information, food purchases, political affiliations,
religious information, text messages, documents, persistent
unique identifiers, search activity, photos, voice
recordings, or geolocation information.
a) Limitation on advertising
This bill would also prohibit the Operator of a Web site,
service, or application that is used, designed and marketed
for K-12 school purposes from using, sharing, disclosing or
compiling a student's covered information for targeted
advertising. However, the bill would allow an Operator to
market educational products directly to parents, so long as
the marketing was not the result of student covered
information provided to the Operator (through activities
which are regulated under the bill).
b) Deletion and data protection requirements
This bill would require an Operator to delete a student's
covered information if the school or school district
requests deletion. To further ensure that student's
covered information is protected, whether at rest or in
transmission, this bill would require Operators to take all
reasonable steps to protect the covered information in a
manner that meets or exceeds reasonable and appropriate
commercial best practices.
d) Workability exemptions
This bill includes various exceptions in order to permit
the use of student information under certain circumstances.
�
SB 1177
Page 12
For example, an operator may disclose the information if
required by other provisions of federal or state law,
provided that the Operator complies with the requirements
of those laws in protecting and disclosing that
information. Similarly, an Operator may disclose
information for legitimate research purposes as required by
law, or, as allowed by law under the direction of a school
(provided that no information is used in furtherance of
advertising or to amass a profile for non K-12 purposes).
Under the bill an Operator may use deidentified student
personal information within the operator's site, service,
or application or other sites, services, or applications
owned by the operator to improve educational products, for
adaptive learning purposes, and for customizing student
learning; to demonstrate the effectiveness of the
operator's products, including in their marketing, and
allows an Operator to share aggregated deidentified student
covered information for the development and improvement of
educational sites, services, or applications.
1)Committee comments: The author has agreed, working with
committee staff, to the following amendments which will be
taken in Education Committee should the bill be approved :
a) Restructure (a) to clarify prohibited and allowed uses
of covered information .
Concern was raised that the structure of this section of
the bill was confusing, and did not clearly identify the
harm which the author sought to prevent. Also the
interjection of exceptions for allowed uses within the
section defining prohibited uses of covered information was
problematic. Further concern was raised that a sale or
acquisition of an operator entity which was maintaining
student information as a service provider with an active
contract might be read to be a prohibited sale of covered
information under this Act. Finally, the data maintenance
language was in conflict with existing Civil Code language
on the same subject. The author has agreed to restructure
this section, and clarify his intent on these issues as
follows:
(a) An Operator shall comply with all of the following
requirements with respect to that Web site, service or
�
SB 1177
Page 13
application:
(1) It shall not use, share, disclose, or compile
information about a K-12 student for any purpose in
furtherance of targeted advertising or to amass a profile
on a student for any purpose other than K-12 school
purpose(s). Nothing in this provision shall be construed to
prohibit the use of information for maintaining,
developing, or improving the site, service, or application.
(2) It shall not sell or disclose a student's information.
This prohibition does not apply to the purchase, merger or
other type of acquisition of an entity that operates an
Internet Web site, online service, online application, or
mobile application by another entity.
(3) It shall implement and maintain reasonable security
procedures and practices appropriate to the nature of the
information, to protect the personal information from
unauthorized access, destruction, use, modification, or
disclosure. (Existing Civil Code 1798.81.5)
b) Move "adaptive learning purposes" to K-12 purpose
section of the bill.
In order to allow Operators to make real time changes to
the programs and applications they offer for K-12 purposes
to meet the needs of specific users, operators may need to
use covered personally identifying information of the
student user. The author has agreed to move the permissive
use of covered information for "adaptive learning purposes"
under the bill to meet this recognized need and make his
intent express.
(j) This section shall not limit the ability of an Operator
of an Internet Web site, online service, online
application, or mobile application to use student data for
adaptive learning or customized student learning purposes.
c) Let kids keep the work they generate
Concern was raised that the prohibition against use of
covered information was so broad as to preclude even
children from keeping their own work product. This was not
the author's intent, and he has inserted the following to
�
SB 1177
Page 14
clarify.
(o) This section does not impede the ability of students to
download, export or otherwise save or maintain their own
student created data or documents.
d) Consistent definition of operator.
Concern was raised that in various subsections of the bill,
the definition of Operator varied. In order to provide
consistency, the author has agreed to add a definition of
"Operator" as follows: (f) An "Operator" means the Operator
of an Internet Web site, online service, online
application, or mobile application with actual knowledge
that the site, service, or application is used primarily
for K-12 school purposes and was designed and marketed for
K-12 school purposes.
e) Clarify source of marketing information, to say where
the information must come from.
Concern was raised that the provision in the bill which
allowed marketing of information directly to parents so
long as the marketing did not result from "information
provided to" the operator, did not identify the supposed
source of the information. This could create confusion. The
author agreed to clarify, as follows:
(m) This section shall not be construed to prohibit an
Operator of an Internet Web site, online service, online
application, or mobile application from marketing
educational products directly to parents so long as the
marketing was not the result of student covered information
obtained by the operator through provision of services
covered under this section.
f) Restore sentence inadvertently deleted in last set of
amendments regarding deletion of covered information by
schools or districts.
In the last set of amendments the end of a sentence was
unintentionally left off which changed the meaning of the
section. The author wishes to restore the entire sentence,
which will now read:
�
SB 1177
Page 15
(b) An Operator shall delete a student's covered
information if the school or district requests deletion of
data under the control of the school or district.
g) Clarify that covered information must be "personally
identifiable" to the student
Concern was raised that the definition of covered
information, which included information which is
descriptive of a student, was too broad. The author has
agreed to insert "personally identifiable" into the
definition in order to address this issue, as follows:
(g) "Covered information" means personally identifiable
information or materials in any media or format that meets
any of the following:
(1) Are created or provided by a student, or the student's
parent or legal guardian, in the course of the student's,
parent's, legal guardian's, use of the site, service, or
application for K-12 school purposes.
(2) Are created or provided by an employee or agent of the
educational institution.
(3) Are gathered by the site, service, or application, that
is descriptive of a student or otherwise personally
identifies a student, including, but not limited to,
information in the student's educational record or email,
first and last name, home address, telephone number, email
address, or other information that allows physical or
online contact, discipline records, test results, special
education data, juvenile dependency records, grades,
evaluations, criminal records, medical records, health
records, social security number, biometric information,
disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text
messages, documents, persistent unique identifiers, search
activity, photos, voice recordings, or geolocation
information.
h) Organizational changes in structure of bill
The author has agreed to restructure the bill to make its
provisions more user friendly by placing related provisions
�
SB 1177
Page 16
together or adjacent to each other.
2)Remaining Tech industry "concerns"
The committee received an "oppose unless amended" letter from
the Internet Association. However, the author has agreed to
accept all the proposed amendments, so it is unclear whether
their opposition remains. Nevertheless, there are members of
the Tech industry who have shared their ongoing negotiations
with the author with committee staff, which have not yet
reached the level of opposition. They all agree that this
bill is the product of many hours of work and compromise on
the part of industry and the author's office. While the bill
before this Committee has many of the opposing and community
of interest's concerns addressed, in addition to staff's,
there are a couple of issues which the parties continue to
negotiate on. These include the following:
a) Define "Advertise "
Some members of the Tech community would like to see a
definition of advertise in the bill, given that the main
thrust of the legislation is a prohibition of targeted
advertising. Other members of the Tech community prefer to
have no definition in the bill. Supporters are very
concerned that the definition, if any, be sufficiently
inclusive as to prevent the marketing to children the bill
aspires to. The author continues to work with all parties
to divine an acceptable solution.
b) Limit subsection (a) to K-12 purposes
Some members of the Tech community have proposed to the
author that he limit the prohibition on disclosure of
covered personally identifiable information, suggesting a
subdivision (a) (3) which would read "It shall not disclose
a student's information for any purpose other than K-12
purposes." The author is concerned about allowing an
Operator to share information about a student with any
third party associate entity unfettered could mean that a
student's information can be transmitted for any ostensible
K-12 school purpose, and not limited to the K-12 school
purpose of using the original application or program. The
parties continue to negotiate on this point.
�
SB 1177
Page 17
3)Prior Legislation : SB 568 (Steinberg), Chapter 336, Statutes
of 2013, prohibited an Operator of an Internet Web site,
online service, online application, or mobile application, as
specified, from marketing or advertising specified types of
products or services to a minor; prohibited an Operator from
knowingly using, disclosing, compiling, or allowing a third
party to use, disclose, or compile, the personal information
of a minor for the purpose of marketing or advertising
specified types of products or services; required the Operator
of an Internet Web site, online service, online application,
or mobile application to permit a minor, who is a registered
user of the Operator's Internet Web site, online service,
online application, or mobile application, to remove, or to
request and obtain removal of, content or information posted
on the Operator's Internet Web site, service, or application
by the minor, as specified.
4)Double referral : Should this bill pass out of this committee,
it will be re-referred to the Assembly Committee on Education
and heard in its hearing Wednesday, June 25, 2014.
REGISTERED SUPPORT / OPPOSITION :
Support
California Federation of Teachers
California State PTA
Common Sense Media
Consumer Federation of California
Klaas Kids Foundation
Privacy Rights Clearinghouse
Services Employees International Union
Opposition
The Internet Association
Analysis Prepared by : Dana Mitchell / A.,E.,S.,T. & I.M. /
(916) 319-3450