BILL ANALYSIS Ó SB 1177 Page 1 SENATE THIRD READING SB 1177 (Steinberg) As Amended August 21, 2014 Majority vote SENATE VOTE : 35-0 EDUCATION 7-0 ARTS, ENTERTAINMENT, SPORTS 7-0 ----------------------------------------------------------------- |Ayes:|Buchanan, Olsen, Chávez, |Ayes:|Ian Calderon, Waldron, | | |Gonzalez, Nazarian, | |Bloom, Brown, Gomez, | | |Weber, Williams | |Levine, Wilk | |-----+--------------------------+-----+--------------------------| | | | | | ----------------------------------------------------------------- SUMMARY : Establishes the Student Online Personal Information Protection Act (Act) to restrict the use and disclosure of information about K-12 students. Specifically, this bill : 1)Prohibits an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes (Operator) from knowingly engaging in any of the following activities: a) Engaging in targeted advertising on the operator's site, service, or application; or targeting advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application; b) Using information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a K-12 student except in furtherance of K-12 school purposes; c) Selling or disclosing a student's information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an entity that operates an Internet Web site, online service, online application, or SB 1177 Page 2 mobile application by another entity; and d) Disclosing covered information, unless the disclosure is made: i) In furtherance of the K-12 purpose of the site, service, or application; ii) To ensure legal and regulatory compliance; iii) To respond to or participate in judicial process; iv) To protect the safety of users or others or security of the site; or v) To a service provider, provided the service provider is contractually required to comply with specified security procedures. 2)Requires the operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. 3)Requires an Operator to delete a student's covered information if the school or district requests deletion of data under the control of the school or district. 4)Provides that an Operator may disclose covered information of a student under the following circumstances: a) If other provisions of federal or state law require the Operator to disclose the information, and the Operator complies with the requirements of federal and state law in protecting and disclosing that information; or b) For legitimate research purposes as required by state and federal law and subject to the restrictions under state and federal law or as allowed by state and federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes. SB 1177 Page 3 c) To a state or local educational agency as permitted by state or federal law. 5)Provides than an Operator may use deidentified student covered information, including aggregated and deidentified student covered information, as follows: a) Within the Operator's site, service, or application or other sites, services, or applications owned by the Operator to improve educational products, for adaptive learning purposes, and for customizing student learning; b) To demonstrate the effectiveness of the Operator's products, including in their marketing; and c) To share aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications. 6)Defines "online services" to include cloud computing services. 7)Defines "covered information" to mean information or materials in any media or format that meets any of the following: a) Are created or provided by a student, or the student's parent or legal guardian, in the course of the student's, parent's, legal guardian's, use of the site, service, or application for K-12 school purposes; b) Are created or provided by an employee or agent of the educational institution; and c) Are gathered by the site, service, or application, that is descriptive of a student or otherwise personally identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text SB 1177 Page 4 messages, documents, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information. 8)Defines "K-12 school purposes" to mean purposes that customarily take place at the direction of the school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. 9)Provides that these requirements shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction or to limit the ability of an Operator to use student data for adaptive learning or customized student learning purposes. 10)Provides that these requirements do not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service or application may be used to access those general audience sites, services, or applications. 11)Provides that these requirements do not limit Internet service providers from providing Internet connectivity to schools or students and their families. 12)Clarifies that these requirements shall not be construed to prohibit an Operator from marketing educational products directly to parents so long as the marketing was not the result of student covered information obtained by the Operator through the provision of services covered under this section. 13)Provides that this Act does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software. 14)Provides that this Act does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents. SB 1177 Page 5 15)Provides that this Act shall become operative on January 1, 2016, and that its provisions are severable. EXISTING LAW (both state and federal) provides different levels of protection for different types of pupil records. Specifically, existing law: 1)Requires school districts to adopt a policy identifying those categories of directory information that may be released. 2)Defines "directory information" to mean one or more of the following items: pupil's name, address, telephone number, date of birth, email address, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous public or private school attended by the pupil. 3)Authorizes school districts to release directory information without prior parental/guardian consent. 4)Requires an annual notice of the information the district plans to release and the recipients. 5)Prohibits a district from releasing directory information of a pupil if that pupil's parent has notified the district that it shall not be released. 6)Prohibits the release on non-directory information (such as disciplinary records, Individualized Education Plans for special needs pupils, eligibility for free or reduced price meals, etc.) without prior written parental consent, except for the following requesters, if they have a legitimate educational interest: a) School officials, employees of the district, and members of a school attendance review board; b) Officials and employees of other public schools where the pupil intends to or is enrolled; c) The Comptroller General of the United States (U.S.), the U.S. Secretary of Education, state and local educational authorities, or the U.S. Department of Education's Office SB 1177 Page 6 of Civil Rights, if the information is necessary to audit or evaluate a federally funded program; d) Other state and local officials if the information is required to be reported pursuant to state law adopted before November 19, 1974; e) Parents of a pupil 18 years of age or older if the pupil is a dependent; f) A pupil who is 16 years of age or older or who has completed 10th grade and a pupil who is 14 years of age or older who is a homeless or unaccompanied youth; g) A district attorney conducting a truancy mediation program or investigating a violation of compulsory attendance laws; h) A probation officer, district attorney, or counsel of record for a minor for purposes of conducting a criminal investigation or an investigation in regards to declaring a person a ward of the court or involving a violation of a condition of probation; i) A judge or probation officer in relation to a truancy mediation program; j) A county placing agency; aa) A representative of a child welfare agency; bb) Appropriate persons in connection with a health or safety emergency; cc) Agencies in connection with the application of a pupil for financial aid; dd) Accrediting associations; or ee) A contractor or consultant with a legitimate educational interest who has a formal written agreement or contract with the school district regarding the provision of outsourced institutional services or functions. 7)Prohibits a person, agency, or organization that has been SB 1177 Page 7 permitted access to pupil records from permitting access to any other entity without written parental consent, and requires them to certify in writing that they will not do so, except as permitted by the federal Family Educational Rights and Privacy Act (FERPA). FISCAL EFFECT : None. This bill is keyed non-fiscal by the Legislative Counsel. COMMENTS : FERPA is the primary law that protects the privacy of pupil records. It applies to all educational institutions that receive federal funds. In general, state law mirrors FERPA. However, the privacy protections of FERPA apply only to information that is contained in records that are maintained by an education agency. Information that is obtained directly from a student or teacher (such as information obtained through the use of an online programs or mobile application) is not protected by FERPA, even if it is the same information that would otherwise be protected if it is obtained from school records. Need for the bill. The growing use of online educational programs and mobile applications has led to an increasing flow of personal information directly from students and teachers to developers of educational programs and applications, and there are no restrictions on how this information may be used, other than restrictions that developers may impose on themselves in their privacy policies and Terms of Service (TOS). A review of several privacy policies revealed the following common features: 1)The company reserves the right to disclose or forward student information to other companies. 2)The company assumes no responsibility for the mishandling of information. 3)The company reserves the right to unilaterally change its privacy policy at any time. A recent article in Politico (Data Mining Your Children, May 15, 2014) states that "Students shed streams of data about their academic progress, work habits, learning styles and personal interests as they navigate educational websites. All that data has potential commercial value: It could be used to target ads to the kids and their families, or to build profiles on them SB 1177 Page 8 that might be of interest to employers, military recruiters or college admissions officers." The article points out that, "Kathleen Styles, the [U.S.] Education Department's chief privacy officer, acknowledged in an interview that much of [student information] is likely not protected by FERPA - and thus can be commercialized by the companies that hold it." In short, the use of online education programs and mobile applications has open a back door through which student information - even information that is otherwise protected by FERPA - can be freely accessed and used by the company collecting it. This bill addresses this problem by limiting the use of personal information that is obtained through this means. Analysis Prepared by : Rick Pratt / ED. / (916) 319-2087 FN: 0005203