BILL ANALYSIS �Ó
SB 1177
Page 1
Date of Hearing: June 25, 2014
ASSEMBLY COMMITTEE ON EDUCATION
Joan Buchanan, Chair
SB 1177 (Steinberg) - As Amended: June 10, 2014
SENATE VOTE : 35-0
SUBJECT : Privacy: students
[Note: This bill was double referred from the Assembly
Committee on Arts, Entertainment, Sports, Tourism, & Internet
Media and was heard as it relates to issues under its
jurisdiction.]
SUMMARY : Establishes the Student Online Personal Information
Protection Act to restrict the use and disclosure of information
about K-12 students. Specifically, this bill :
1) Requires operator of an Internet Web site, online
service, online application, or mobile application with
actual knowledge that the site, service, or application is
used primarily for K-12 school purposes and was designed
and marketed for K-12 school purposes to comply with all of
the following requirements:
a. It shall not use, share, disclose, or
compile covered information about a K-12 student for
any purpose other than the K-12 school purpose and
for maintaining, developing, and improving the
integrity and effectiveness of the site, service, or
application, as long as no personal information is
used for any purpose in furtherance of targeted
advertising or to amass a profile on the student for
purposes other than K-12 school purposes;
b. It shall not sell or disclose a student's
covered information;
c. It shall take reasonable steps to protect
the covered information at rest and in transmission
in a manner that meets or exceeds reasonable and
appropriate commercial best practices.
2) Requires an operator of an Internet Web site, online
service, online application, or mobile application with
actual knowledge that the site, service, or application is
�
SB 1177
Page 2
used primarily for K-12 school purposes and that it was
designed and marketed for K-12 school purposes shall delete
a student's covered information if the school or district
requests deletion.
3) Provides that an operator of an Internet Web site,
online service, online application, or mobile application
may disclose covered information of a student if other
provisions of federal or state law require the operator to
disclose the information, and the operator complies with
the requirements of federal and state law in protecting and
disclosing that information.
4) Defines an "online service" to include cloud computing
services.
5) Provides that an operator of an Internet Web site,
online service, online application, or mobile application
may disclose covered information of a student for
legitimate research purposes as required by state and
federal law and subject to the restrictions under state and
federal law or as allowed by state and federal law and
under the direction of a school, school district, or state
department of education, as long as no covered information
is used for any purpose in furtherance of advertising or to
amass a profile on the student for purposes other than K-12
school purposes.
6) Defines "covered information" to mean information or
materials in any media or format that meets any of the
following:
a. Are created or provided by a student, or the
student's parent or legal guardian, in the course of
the student's, parent's, legal guardian's, use of the
site, service, or application for K-12 school
purposes;
b. Are created or provided by an employee or
agent of the educational institution; and
c. Are gathered by the site, service, or
application, that is descriptive of a student or
otherwise identifies a student, including, but not
limited to, information in the student's educational
�
SB 1177
Page 3
record or email, first and last name, home address,
telephone number, email address, or other information
that allows physical or online contact, discipline
records, test results, special education data,
juvenile dependency records, grades, evaluations,
criminal records, medical records, health records,
social security number, biometric information,
disabilities, socioeconomic information, food
purchases, political affiliations, religious
information, text messages, documents, persistent
unique identifiers, search activity, photos, voice
recordings, or geolocation information.
7) Defines "K-12 school purposes to mean purposes that
customarily take place at the direction of the school,
teacher, or school district or aid in the administration of
school activities, including, but not limited to,
instruction in the classroom or at home, administrative
activities, and collaboration between students, school
personnel, or parents, or are for the use and benefit of
the school.
8) Provides that these requirements shall not be construed
to limit the authority of a law enforcement agency to
obtain any content or information from an operator as
authorized by law or pursuant to an order of a court of
competent jurisdiction.
9) Provides that these requirements to not apply to general
audience Internet Web sites, general audience online
services, general audience online applications, or general
audience mobile applications.
10) Provides that these requirements to not limit Internet
service providers from providing Internet connectivity to
schools or students and their families.
11) Provides that an operator of an Internet Web site,
online service, online application, or mobile application
may use deidentified student covered information, including
aggregated deidentified student covered information for the
following purposes:
a. For adaptive learning purposes and
customized student learning;
�
SB 1177
Page 4
b. To demonstrate the effectiveness of the
operator's products, including in their marketing;
and
c. For the development and improvement of
educational sites, services, or applications.
12) Clarifies that these requirements shall not be construed
to prohibit an operator of an Internet Web site, online
service, online application, or mobile application from
marketing educational products directly to parents so long
as the marketing was not the result of student covered
information provided to the operator of the Internet Web
site, online service, online application, or mobile
application.
13) Provides that the Act shall become operative on January
1, 2016 and that its provisions are severable.
EXISTING LAW (both state and federal) provides different levels
of protection for different types of pupil records.
Specifically, existing law:
1)Requires school districts to adopt a policy identifying those
categories of directory information that may be released.
2)Defines "directory information" to mean one or more of the
following items: pupil's name, address, telephone number, date
of birth, email address, major field of study, participation
in officially recognized activities and sports, weight and
height of members of athletic teams, dates of attendance,
degrees and awards received, and the most recent previous
public or private school attended by the pupil.
3)Authorizes school districts to release directory information
without prior parental/guardian consent.
4)Requires an annual notice of the information the district
plans to release and the recipients.
5)Prohibits a district from releasing directory information of a
pupil if that pupil's parent has notified the district that it
shall not be released.
6)Prohibits the release on non-directory information (such as
�
SB 1177
Page 5
disciplinary records, Individualized Education Plans for
special needs pupils, eligibility for free or reduced price
meals, etc.) without prior written parental consent, except
for the following requesters, if they have a legitimate
educational interest:
a) School officials, employees of the district, and members
of a school attendance review board;
b) Officials and employees of other public schools where
the pupil intends to or is enrolled;
c) The Comptroller General of the U. S., the U. S.
Secretary of Education, state and local educational
authorities, or the U. S. Department of Education's Office
of Civil Rights, if the information is necessary to audit
or evaluate a federally funded program;
d) Other state and local officials if the information is
required to be reported pursuant to state law adopted
before November 19, 1974;
e) Parents of a pupil 18 years of age or older if the pupil
is a dependent;
f) A pupil who is 16 years of age or older or who has
completed 10th grade and a pupil who is 14 years of age or
older who is a homeless or unaccompanied youth;
g) A district attorney conducting a truancy mediation
program or investigating a violation of compulsory
attendance laws;
h) A probation officer, district attorney, or counsel of
record for a minor for purposes of conducting a criminal
investigation or an investigation in regards to declaring a
person a ward of the court or involving a violation of a
condition of probation;
i) A judge or probation officer in relation to a truancy
mediation program;
j) A county placing agency;
aa) A representative of a child welfare agency;
bb) Appropriate persons in connection with a health or
safety emergency;
cc) Agencies in connection with the application of a pupil
for financial aid;
dd) Accrediting associations;
ee) A contractor or consultant with a legitimate educational
interest who has a formal written agreement or contract
with the school district regarding the provision of
outsourced institutional services or functions;
�
SB 1177
Page 6
7)Prohibits a person, agency, or organization that has been
permitted access to pupil records from permitting access to
any other entity without written parental consent, and
requires them to certify in writing that they will not do so,
except as permitted by the federal Family Educational Rights
and Privacy Act (FERPA).
FISCAL EFFECT : This bill is keyed nonfiscal
COMMENTS : FERPA is the primary law that protects the privacy
of pupil records. It applies to all educational institutions
that receive federal funds. In general, state law mirrors
FERPA. However, the privacy protections of FERPA apply only to
information that is contained in records that are maintained by
an education agency. Information that is obtained directly from
a student or teacher is not protected, even if it is the same
information that would otherwise be protected if it is obtained
from school records.
Need for the bill. The growing use of online educational
programs and mobile applications has led to an increasing flow
of personal information directly from students and teachers to
developers of educational programs and applications, and there
are no restrictions on how this information may be used, other
than restrictions that developers may impose on themselves in
their privacy policies and Terms of Service (TOS). A review of
several privacy policies revealed the following common features:
The company reserves the right to disclose or forward
student information to other companies.
The company assumes no responsibility for the
mishandling of information.
The company reserves the right to unilaterally change
its privacy policy at any time.
A recent article in Politico ("Data Mining Your Children," May
15, 2014) states that "Students shed streams of data about their
academic progress, work habits, learning styles and personal
interests as they navigate educational websites. All that data
has potential commercial value: It could be used to target ads
to the kids and their families, or to build profiles on them
that might be of interest to employers, military recruiters or
college admissions officers." The article points out that,
"Kathleen Styles, the [U.S.] Education Department's chief
�
SB 1177
Page 7
privacy officer, acknowledged in an interview that much of
[student information] is likely not protected by FERPA-and thus
can be commercialized by the companies that hold it."
In short, the use of online education programs and mobile
applications has open a back door through which student
information-even information that is otherwise protected by
FERPA-can be freely accessed and used by the company collecting
it. This bill addresses this problem by limiting the use of
personal information that is obtained through this means.
Amendments approved by the Assembly Committee on Arts,
Entertainment, Sports, Tourism, & Internet Media. This bill was
heard by the Arts Committee on June 24, 2014. Prior to that
hearing, the author and committee chair agree to amendments.
Due to the time constraints caused by back-go-back hearings,
however, the Arts committee action was a straight "Do Pass,"
with the understanding that the amendments would be adopted by
the Education Committee. Consistent with this understanding,
the Education Committee would need to pass this bill as amended
to do the following:
1) Eliminate duplicative language.
2) Specify that "covered information" means "personally
identifiable" information.
3) Clarify prohibited and allowed uses of covered
information by doing the following:
a) Specify that covered information about a K-12
student may not be used by an operator for any purpose in
furtherance of targeted advertising or to amass a provide
on a student for any purpose other than the school
purpose;
b) Clarify that operators are not prohibited from using
student information for maintaining, developing or
improving the site, service, or application;
c) Clarify that the prohibition against selling or
disclosing a student's information does not apply to the
purchase, merger or other type of acquisition of an
entity that operates an Internet Web site, online
service, online application, or mobile application by
another entity;
d) Requires the operator to implement and maintain
�
SB 1177
Page 8
reasonable security procedure and practices appropriate
to the nature of the information, to protect the personal
information from unauthorized access, destruction, use,
modification, or disclosure; and
e) Requires the operator to delete only data under the
control of the school or district, if requested by the
school or district.
4) Authorizes the operator to disclose covered information
of a student under the following circumstances, if other
provisions of federal or state law require the operator to
disclose the information, and the operator complies with
the requirements of federal and state law in protecting and
disclosing that information.
5) Provide that the requirements of this bill do not impose
a duty upon a provider of an electronic store, gateway,
marketplace or other means of purchasing or downloading
software or applications to review or enforce compliance
with these requirements on those applications or software.
6) Provide that this bill does not impede the ability of
students to download, export, or otherwise save or maintain
their own student created data or documents.
According to the Arts Committee analysis, these amendments serve
the following purposes:
1) Clarify provisions and definitions consistent with the
author's intent.
2) Allow operators to make real time changes to programs
and applications.
3) Allow students to keep their own work products.
4) Narrow the definition of "covered information" to
"personally identifiable" information.
REGISTERED SUPPORT / OPPOSITION :
Support
California Federation of Teachers
California State PTA
�
SB 1177
Page 9
Consumer Federation of California
Klaas Kids Foundation
Los Angeles Unified School District
Privacy Rights Clearinghouse
SEIU California
Opposition
None received
Analysis Prepared by : Rick Pratt / ED. / (916) 319-2087