BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                  SB 1177
                                                                  Page  1

          SENATE THIRD READING
          SB 1177 (Steinberg)
          As Amended  August 4, 2014
          Majority vote 

           SENATE VOTE  :35-0  
           
           ARTS, ENTERTAINMENT, SPORTS   7-0                   EDUCATION    
          7-0                 
           
           ----------------------------------------------------------------- 
          |Ayes:|Ian Calderon, Waldron,    |Ayes:|Buchanan, Olsen, Chávez,  |
          |     |Bloom, Brown, Gomez,      |     |Gonzalez, Nazarian,       |
          |     |Levine, Wilk              |     |Weber, Williams           |
          |-----+--------------------------+-----+--------------------------|
          |     |                          |     |                          |
           ----------------------------------------------------------------- 
           SUMMARY  :  Establishes the Student Online Personal Information  
          Protection Act (Act) to restrict the use and disclosure of  
          information about K-12 students.  Specifically,  this bill  :   

          1)Requires an operator of an Internet Web site, online service,  
            online application, or mobile application with actual  
            knowledge that the site, service, or application is used  
            primarily for K-12 school purposes and was designed and  
            marketed for K-12 school purposes (Operator) to comply with  
            all of the following requirements with respect to its site,  
            service, or application:

             a)   It shall not use, share, disclose, or compile  
               information about a K-12 student for any purpose in  
               furtherance of targeted advertising or to amass a profile  
               on a student for any purpose other than K-12 school  
               purposes.  This provision shall not prohibit the use of  
               information for maintaining, developing, or improving the  
               application of the operator.

             b)   It shall not sell or disclose a student's information.   
               This prohibition does not apply to the purchase, merger, or  
               other type of acquisition of an entity that operates an  
               Internet Web site, online service, online application, or  
               mobile application by another entity.

             c)   It shall implement and maintain reasonable security  
               procedures and practices appropriate to the nature of the  








                                                                  SB 1177
                                                                  Page  2

               information, to protect the personal information from  
               unauthorized access, destruction, use, modification, or  
               disclosure.

          2)Requires an Operator to delete a student's covered information  
            if the school or district requests deletion of data under the  
            control of the school or district. 

          3)Provides that an Operator may disclose covered information of  
            a student under the following circumstances:

             a)   If other provisions of federal or state law require the  
               Operator to disclose the information, and the Operator  
               complies with the requirements of federal and state law in  
               protecting and disclosing that information; or

             b)   For legitimate research purposes as required by state  
               and federal law and subject to the restrictions under state  
               and federal law or as allowed by state and federal law and  
               under the direction of a school, school district, or state  
               department of education, if no covered information is used  
               for any purpose in furtherance of advertising or to amass a  
               profile on the student for purposes other than K-12 school  
               purposes.
          4)Provides than an Operator may use deidentified student covered  
            information, including aggregated and deidentified student  
            covered information, as follows:

             a)   Within the Operator's site, service, or application or  
               other sites, services, or applications owned by the  
               Operator to improve educational products, for adaptive  
               learning purposes, and for customizing student learning;

             b)   To demonstrate the effectiveness of the Operator's  
               products, including in their marketing; and 

             c)   To share aggregated deidentified student covered  
               information for the development and improvement of  
               educational sites, services, or applications.

          5)Defines "online services" to include cloud computing services.

          6)Defines "covered information" to mean information or materials  
            in any media or format that meets any of the following:









                                                                  SB 1177
                                                                  Page  3

             a)   Are created or provided by a student, or the student's  
               parent or legal guardian, in the course of the student's,  
               parent's, legal guardian's, use of the site, service, or  
               application for K-12 school purposes;

             b)   Are created or provided by an employee or agent of the  
               educational institution; and

             c)   Are gathered by the site, service, or application, that  
               is descriptive of a student or otherwise personally  
               identifies a student, including, but not limited to,  
               information in the student's educational record or email,  
               first and last name, home address, telephone number, email  
               address, or other information that allows physical or  
               online contact, discipline records, test results, special  
               education data, juvenile dependency records, grades,  
               evaluations, criminal records, medical records, health  
               records, social security number, biometric information,  
               disabilities, socioeconomic information, food purchases,  
               political affiliations, religious information, text  
               messages, documents, persistent unique identifiers, search  
               activity, photos, voice recordings, or geolocation  
               information.

          7)Defines "K-12 school purposes" to mean purposes that  
            customarily take place at the direction of the school,  
            teacher, or school district or aid in the administration of  
            school activities, including, but not limited to, instruction  
            in the classroom or at home, administrative activities, and  
            collaboration between students, school personnel, or parents,  
            or are for the use and benefit of the school.

          8)Provides that these requirements shall not be construed to  
            limit the authority of a law enforcement agency to obtain any  
            content or information from an operator as authorized by law  
            or pursuant to an order of a court of competent jurisdiction  
            or to limit the ability of an Operator to use student data for  
            adaptive learning or customized student learning purposes.

          9)Provides that these requirements do not apply to general  
            audience Internet Web sites, general audience online services,  
            general audience online applications, or general audience  
            mobile applications.
          10)Provides that these requirements do not limit Internet  
            service providers from providing Internet connectivity to  








                                                                  SB 1177
                                                                  Page  4

            schools or students and their families.

          11)Clarifies that these requirements shall not be construed to  
            prohibit an Operator from marketing educational products  
            directly to parents so long as the marketing was not the  
            result of student covered information obtained by the Operator  
            through the provision of services covered under this section.

          12)Provides that this Act does not impose a duty upon a provider  
            of an electronic store, gateway, marketplace, or other means  
            of purchasing or downloading software or applications to  
            review or enforce compliance of this section on those  
            applications or software.

          13)Provides that this Act does not impede the ability of  
            students to download, export, or otherwise save or maintain  
            their own student created data or documents.

          14)Provides that this Act shall become operative on January 1,  
            2016, and that its provisions are severable.
           
           EXISTING LAW  (both state and federal) provides different levels  
          of protection for different types of pupil records.   
          Specifically, existing law:

          1)Requires school districts to adopt a policy identifying those  
            categories of directory information that may be released.

          2)Defines "directory information" to mean one or more of the  
            following items: pupil's name, address, telephone number, date  
            of birth, email address, major field of study, participation  
            in officially recognized activities and sports, weight and  
            height of members of athletic teams, dates of attendance,  
            degrees and awards received, and the most recent previous  
            public or private school attended by the pupil.

          3)Authorizes school districts to release directory information  
            without prior parental/guardian consent.

          4)Requires an annual notice of the information the district  
            plans to release and the recipients.

          5)Prohibits a district from releasing directory information of a  
            pupil if that pupil's parent has notified the district that it  
            shall not be released.








                                                                  SB 1177
                                                                  Page  5


          6)Prohibits the release on non-directory information (such as  
            disciplinary records, Individualized Education Plans for  
            special needs pupils, eligibility for free or reduced price  
            meals, etc.) without prior written parental consent, except  
            for the following requesters, if they have a legitimate  
            educational interest:

             a)   School officials, employees of the district, and members  
               of a school attendance review board;

             b)   Officials and employees of other public schools where  
               the pupil intends to or is enrolled;

             c)   The Comptroller General of the United States (U.S.), the  
               U.S. Secretary of Education, state and local educational  
               authorities, or the U.S. Department of Education's Office  
               of Civil Rights, if the information is necessary to audit  
               or evaluate a federally funded program;

             d)   Other state and local officials if the information is  
               required to be reported pursuant to state law adopted  
               before November 19, 1974;

             e)   Parents of a pupil 18 years of age or older if the pupil  
               is a dependent;

             f)   A pupil who is 16 years of age or older or who has  
               completed 10th grade and a pupil who is 14 years of age or  
               older who is a homeless or unaccompanied youth;

             g)   A district attorney conducting a truancy mediation  
               program or investigating a violation of compulsory  
               attendance laws;

             h)   A probation officer, district attorney, or counsel of  
               record for a minor for purposes of conducting a criminal  
               investigation or an investigation in regards to declaring a  
               person a ward of the court or involving a violation of a  
               condition of probation;

             i)   A judge or probation officer in relation to a truancy  
               mediation program;

             j)   A county placing agency;








                                                                  SB 1177
                                                                  Page  6


             aa)  A representative of a child welfare agency;

             bb)  Appropriate persons in connection with a health or  
               safety emergency;

             cc)  Agencies in connection with the application of a pupil  
               for financial aid;

             dd)  Accrediting associations; or

             ee)  A contractor or consultant with a legitimate educational  
               interest who has a formal written agreement or contract  
               with the school district regarding the provision of  
               outsourced institutional services or functions.

          7)Prohibits a person, agency, or organization that has been  
            permitted access to pupil records from permitting access to  
            any other entity without written parental consent, and  
            requires them to certify in writing that they will not do so,  
            except as permitted by the federal Family Educational Rights  
            and Privacy Act (FERPA).

           FISCAL EFFECT  :  None.  This bill is keyed non-fiscal by the  
          Legislative Counsel.

           COMMENTS  :   FERPA is the primary law that protects the privacy  
          of pupil records.  It applies to all educational institutions  
          that receive federal funds.  In general, state law mirrors  
          FERPA.  However, the privacy protections of FERPA apply only to  
          information that is contained in records that are maintained by  
          an education agency.  Information that is obtained directly from  
          a student or teacher (such as information obtained through the  
          use of an online programs or mobile application) is not  
          protected by FERPA, even if it is the same information that  
          would otherwise be protected if it is obtained from school  
          records.

          Need for the bill.  The growing use of online educational  
          programs and mobile applications has led to an increasing flow  
          of personal information directly from students and teachers to  
          developers of educational programs and applications, and there  
          are no restrictions on how this information may be used, other  
          than restrictions that developers may impose on themselves in  
          their privacy policies and Terms of Service (TOS).  A review of  








                                                                  SB 1177
                                                                  Page  7

          several privacy policies revealed the following common features:

          1)The company reserves the right to disclose or forward student  
            information to other companies.

          2)The company assumes no responsibility for the mishandling of  
            information.

          3)The company reserves the right to unilaterally change its  
            privacy policy at any time.

          A recent article in Politico (Data Mining Your Children, May 15,  
          2014) states that "Students shed streams of data about their  
          academic progress, work habits, learning styles and personal  
          interests as they navigate educational websites.  All that data  
          has potential commercial value:  It could be used to target ads  
          to the kids and their families, or to build profiles on them  
          that might be of interest to employers, military recruiters or  
          college admissions officers."  The article points out that,  
          "Kathleen Styles, the [U.S.] Education Department's chief  
          privacy officer, acknowledged in an interview that much of  
          [student information] is likely not protected by FERPA - and  
          thus can be commercialized by the companies that hold it."

          In short, the use of online education programs and mobile  
          applications has open a back door through which student  
          information - even information that is otherwise protected by  
          FERPA - can  be freely accessed and used by the company  
          collecting it.  This bill addresses this problem by limiting the  
          use of personal information that is obtained through this means.


           Analysis Prepared by  :    Rick Pratt / ED. / (916) 319-2087 


                                                                FN: 0004271