BILL ANALYSIS Ó SB 1177 Page 1 Date of Hearing: June 25, 2014 ASSEMBLY COMMITTEE ON EDUCATION Joan Buchanan, Chair SB 1177 (Steinberg) - As Amended: June 10, 2014 SENATE VOTE : 35-0 SUBJECT : Privacy: students [Note: This bill was double referred from the Assembly Committee on Arts, Entertainment, Sports, Tourism, & Internet Media and was heard as it relates to issues under its jurisdiction.] SUMMARY : Establishes the Student Online Personal Information Protection Act to restrict the use and disclosure of information about K-12 students. Specifically, this bill : 1) Requires operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes to comply with all of the following requirements: a. It shall not use, share, disclose, or compile covered information about a K-12 student for any purpose other than the K-12 school purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as long as no personal information is used for any purpose in furtherance of targeted advertising or to amass a profile on the student for purposes other than K-12 school purposes; b. It shall not sell or disclose a student's covered information; c. It shall take reasonable steps to protect the covered information at rest and in transmission in a manner that meets or exceeds reasonable and appropriate commercial best practices. 2) Requires an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is SB 1177 Page 2 used primarily for K-12 school purposes and that it was designed and marketed for K-12 school purposes shall delete a student's covered information if the school or district requests deletion. 3) Provides that an operator of an Internet Web site, online service, online application, or mobile application may disclose covered information of a student if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information. 4) Defines an "online service" to include cloud computing services. 5) Provides that an operator of an Internet Web site, online service, online application, or mobile application may disclose covered information of a student for legitimate research purposes as required by state and federal law and subject to the restrictions under state and federal law or as allowed by state and federal law and under the direction of a school, school district, or state department of education, as long as no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes. 6) Defines "covered information" to mean information or materials in any media or format that meets any of the following: a. Are created or provided by a student, or the student's parent or legal guardian, in the course of the student's, parent's, legal guardian's, use of the site, service, or application for K-12 school purposes; b. Are created or provided by an employee or agent of the educational institution; and c. Are gathered by the site, service, or application, that is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational SB 1177 Page 3 record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information. 7) Defines "K-12 school purposes to mean purposes that customarily take place at the direction of the school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. 8) Provides that these requirements shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction. 9) Provides that these requirements to not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications. 10) Provides that these requirements to not limit Internet service providers from providing Internet connectivity to schools or students and their families. 11) Provides that an operator of an Internet Web site, online service, online application, or mobile application may use deidentified student covered information, including aggregated deidentified student covered information for the following purposes: a. For adaptive learning purposes and customized student learning; SB 1177 Page 4 b. To demonstrate the effectiveness of the operator's products, including in their marketing; and c. For the development and improvement of educational sites, services, or applications. 12) Clarifies that these requirements shall not be construed to prohibit an operator of an Internet Web site, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing was not the result of student covered information provided to the operator of the Internet Web site, online service, online application, or mobile application. 13) Provides that the Act shall become operative on January 1, 2016 and that its provisions are severable. EXISTING LAW (both state and federal) provides different levels of protection for different types of pupil records. Specifically, existing law: 1)Requires school districts to adopt a policy identifying those categories of directory information that may be released. 2)Defines "directory information" to mean one or more of the following items: pupil's name, address, telephone number, date of birth, email address, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous public or private school attended by the pupil. 3)Authorizes school districts to release directory information without prior parental/guardian consent. 4)Requires an annual notice of the information the district plans to release and the recipients. 5)Prohibits a district from releasing directory information of a pupil if that pupil's parent has notified the district that it shall not be released. 6)Prohibits the release on non-directory information (such as SB 1177 Page 5 disciplinary records, Individualized Education Plans for special needs pupils, eligibility for free or reduced price meals, etc.) without prior written parental consent, except for the following requesters, if they have a legitimate educational interest: a) School officials, employees of the district, and members of a school attendance review board; b) Officials and employees of other public schools where the pupil intends to or is enrolled; c) The Comptroller General of the U. S., the U. S. Secretary of Education, state and local educational authorities, or the U. S. Department of Education's Office of Civil Rights, if the information is necessary to audit or evaluate a federally funded program; d) Other state and local officials if the information is required to be reported pursuant to state law adopted before November 19, 1974; e) Parents of a pupil 18 years of age or older if the pupil is a dependent; f) A pupil who is 16 years of age or older or who has completed 10th grade and a pupil who is 14 years of age or older who is a homeless or unaccompanied youth; g) A district attorney conducting a truancy mediation program or investigating a violation of compulsory attendance laws; h) A probation officer, district attorney, or counsel of record for a minor for purposes of conducting a criminal investigation or an investigation in regards to declaring a person a ward of the court or involving a violation of a condition of probation; i) A judge or probation officer in relation to a truancy mediation program; j) A county placing agency; aa) A representative of a child welfare agency; bb) Appropriate persons in connection with a health or safety emergency; cc) Agencies in connection with the application of a pupil for financial aid; dd) Accrediting associations; ee) A contractor or consultant with a legitimate educational interest who has a formal written agreement or contract with the school district regarding the provision of outsourced institutional services or functions; SB 1177 Page 6 7)Prohibits a person, agency, or organization that has been permitted access to pupil records from permitting access to any other entity without written parental consent, and requires them to certify in writing that they will not do so, except as permitted by the federal Family Educational Rights and Privacy Act (FERPA). FISCAL EFFECT : This bill is keyed nonfiscal COMMENTS : FERPA is the primary law that protects the privacy of pupil records. It applies to all educational institutions that receive federal funds. In general, state law mirrors FERPA. However, the privacy protections of FERPA apply only to information that is contained in records that are maintained by an education agency. Information that is obtained directly from a student or teacher is not protected, even if it is the same information that would otherwise be protected if it is obtained from school records. Need for the bill. The growing use of online educational programs and mobile applications has led to an increasing flow of personal information directly from students and teachers to developers of educational programs and applications, and there are no restrictions on how this information may be used, other than restrictions that developers may impose on themselves in their privacy policies and Terms of Service (TOS). A review of several privacy policies revealed the following common features: The company reserves the right to disclose or forward student information to other companies. The company assumes no responsibility for the mishandling of information. The company reserves the right to unilaterally change its privacy policy at any time. A recent article in Politico ("Data Mining Your Children," May 15, 2014) states that "Students shed streams of data about their academic progress, work habits, learning styles and personal interests as they navigate educational websites. All that data has potential commercial value: It could be used to target ads to the kids and their families, or to build profiles on them that might be of interest to employers, military recruiters or college admissions officers." The article points out that, "Kathleen Styles, the [U.S.] Education Department's chief SB 1177 Page 7 privacy officer, acknowledged in an interview that much of [student information] is likely not protected by FERPA-and thus can be commercialized by the companies that hold it." In short, the use of online education programs and mobile applications has open a back door through which student information-even information that is otherwise protected by FERPA-can be freely accessed and used by the company collecting it. This bill addresses this problem by limiting the use of personal information that is obtained through this means. Amendments approved by the Assembly Committee on Arts, Entertainment, Sports, Tourism, & Internet Media. This bill was heard by the Arts Committee on June 24, 2014. Prior to that hearing, the author and committee chair agree to amendments. Due to the time constraints caused by back-go-back hearings, however, the Arts committee action was a straight "Do Pass," with the understanding that the amendments would be adopted by the Education Committee. Consistent with this understanding, the Education Committee would need to pass this bill as amended to do the following: 1) Eliminate duplicative language. 2) Specify that "covered information" means "personally identifiable" information. 3) Clarify prohibited and allowed uses of covered information by doing the following: a) Specify that covered information about a K-12 student may not be used by an operator for any purpose in furtherance of targeted advertising or to amass a provide on a student for any purpose other than the school purpose; b) Clarify that operators are not prohibited from using student information for maintaining, developing or improving the site, service, or application; c) Clarify that the prohibition against selling or disclosing a student's information does not apply to the purchase, merger or other type of acquisition of an entity that operates an Internet Web site, online service, online application, or mobile application by another entity; d) Requires the operator to implement and maintain SB 1177 Page 8 reasonable security procedure and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure; and e) Requires the operator to delete only data under the control of the school or district, if requested by the school or district. 4) Authorizes the operator to disclose covered information of a student under the following circumstances, if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information. 5) Provide that the requirements of this bill do not impose a duty upon a provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications to review or enforce compliance with these requirements on those applications or software. 6) Provide that this bill does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents. According to the Arts Committee analysis, these amendments serve the following purposes: 1) Clarify provisions and definitions consistent with the author's intent. 2) Allow operators to make real time changes to programs and applications. 3) Allow students to keep their own work products. 4) Narrow the definition of "covered information" to "personally identifiable" information. REGISTERED SUPPORT / OPPOSITION : Support California Federation of Teachers California State PTA SB 1177 Page 9 Consumer Federation of California Klaas Kids Foundation Los Angeles Unified School District Privacy Rights Clearinghouse SEIU California Opposition None received Analysis Prepared by : Rick Pratt / ED. / (916) 319-2087