BILL ANALYSIS Ó AB 2799 Page 1 Date of Hearing: April 12, 2016 ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION Ed Chau, Chair AB 2799 (Chau) - As Amended April 7, 2016 SUBJECT: Privacy: personal information: preschool and prekindergarten purposes SUMMARY: Prohibits operators of Internet websites, online services, and mobile apps that are designed, marketed and used primarily for prekindergarten and preschool pupils, from using data about those pupils for targeting, marketing or profiling, and prohibits selling or disclosing a pupil's information with limited exceptions. Specifically, this bill: 1)Establishes the Early Learning Personal Information Protection Act (ELPIPA), which prohibits an operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool or prekindergarten purposes (Operator) from knowingly engaging in any of the following activities: a) Engaging in targeted advertising on the Operator's site, service, or application; or targeting advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that AB 2799 Page 2 the Operator has acquired because of the use of that Operator's site, service, or application; b) Using information, including persistent unique identifiers, created or gathered by the Operator's site, service, or application, to amass a profile about a pupil except in furtherance of preschool or prekindergarten purposes; c) Selling or disclosing a pupil's information, except in the case of a purchase, merger, or other type of acquisition of an entity that operates an Internet website, online service, online application, or mobile application by another entity; and d) Disclosing covered information, unless the disclosure is made: i) In furtherance of the preschool or prekindergarten purposes of the site, service, or application; ii) To ensure legal and regulatory compliance; iii) To respond to or participate in judicial process; iv) To protect the safety of users or others or security of the site; or v) To a service provider, provided the service provider is contractually required to comply with specified security procedures. 1)Specifies that ELPIPA does not prohibit an Operator from using information to maintain, develop, support, improve, or diagnose an Operator's website, service, or application. 2)Requires under ELPIPA that an Operator implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. AB 2799 Page 3 3)Requires an Operator to delete a pupil's covered information if the preschool or prekindergarten requests deletion of data under the control of the preschool, prekindergarten, school or district. 4)Permits an Operator to disclose the covered information of a student under the following circumstances: a) If other provisions of federal or state law require the Operator to disclose the information, and the Operator complies with the requirements of federal and state law in protecting and disclosing that information; b) For legitimate research purposes, as specified, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than preschool or prekindergarten purposes; and c) If the disclosure is to a state or local educational agency, including preschools and prekindergartens, schools and school districts as permitted by state or federal law. 5)Permits an Operator to use aggregated, de-identified covered information of a pupil as follows: a) Within the Operator's site, service, or application or other sites, services, or applications owned by the Operator to improve educational products; b) To demonstrate the effectiveness of the Operator's products, including in their marketing; and c) To share aggregated de-identified pupil covered information for the development and improvement of educational sites, services, or applications. 6)Defines "pupil" as a child enrolled in a preschool or AB 2799 Page 4 prekindergarten course of instruction. 7)Defines "online services" under ELPIPA to include cloud computing services. 8)Defines "covered information" under ELPIPA to mean information or materials in any media or format that meets any of the following: a) Are created or provided by a pupil, or the pupil's parent or legal guardian, in the course of the pupil's, parent's, or legal guardian's use of the site, service, or application for preschool or prekindergarten purposes; b) Are created or provided by an employee or agent of the educational institution; and c) Are gathered by the site, service, or application, that is descriptive of a pupil or otherwise personally identifies a pupil, including, but not limited to, information in the pupil's educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information. 9)Defines "preschool or prekindergarten purposes" under ELPIPA to mean purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or home, administrative activities, and collaboration between pupils, preschool or AB 2799 Page 5 prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten. 10)Specifies that ELPIPA does not limit the authority of a law enforcement agency to obtain any content or information from an Operator as authorized by law or pursuant to an order of a court of competent jurisdiction. 11)Authorizes an Operator to use a pupil's educational data for adaptive learning or customized early learning purposes. 12)Specifies that ELPIPA does not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an Operator's site, service or application may be used to access those general audience sites, services, or applications. 13)Specifies that ELPIPA does not limit Internet service providers from providing Internet connectivity to preschools, prekindergartens, schools or pupils and their families. 14)Clarifies that ELPIPA does not prohibit an Operator from marketing educational products directly to parents as long as the marketing was not the result of covered information obtained by the Operator through the provision of services covered under this section. 15)Clarifies that ELPIPA does not impose a duty upon a provider of an electronic store, gateway, marketplace, interactive computer service, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software. 16)Provides that ELPIPA does not impede the ability of minors to download, export, or otherwise save or maintain their own student created data or documents. AB 2799 Page 6 EXISTING LAW: 1)Establishes the Student Online Privacy Protection Act (SOPIPA), which prohibits an operator of a website, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians using covered information, as defined, amassing a profile of a K-12 student, selling a student's information, or disclosing covered information, as provided. (Business and Professions Code (BPC) Section 22584-85) 2)Defines an "Operator" as the operator of a website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. (BPC 22584(a)) 3)Requires an Operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its website to conspicuously post its privacy policy. (BPC 22575) 4)Protects, pursuant to the federal Family Educational Rights and Privacy Act (FERPA), the confidentiality of educational records (and personally identifiable information contained therein) by prohibiting the funding of schools that permit the release of those records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. AB 2799 Page 7 FERPA's prohibition only applies to the school itself and contains various exemptions where the data may be released without the written consent of the parents. (20 U.S.C. Sec. 1232g(b)(1)) 5)Prohibits, pursuant to the federal Children's Online Privacy Protection Act of 1998, an Operator of a website or online service directed to pupils under the age of 13 from collecting personal information from a pupil, including a pupil's first and last name, home or other physical address including street name and name of a city or town, e-mail address, telephone number, or Social Security number. (5 U.S.C. 6501-6505) FISCAL EFFECT: None. This bill is keyed nonfiscal by the Legislative Counsel. COMMENTS: 1)Purpose of this bill . This bill is intended to close a gap in current online student privacy laws for prekindergarten and preschool pupils by applying to those pupils the existing privacy protections that currently apply to K-12 students. AB 2799 is sponsored by Common Sense Media. 2)Author's statement . According to the author's office, "In 2014, California became the national leader on student privacy protections with the unanimous passage of SB 1177 (Steinberg), the Student Online Personal Information Protection Act (SOPIPA). While SOPIPA protects privacy for K-12 students, our new law does not protect children in pre-kindergarten and preschool classrooms. Preschools should also be safe-havens for learning just as K-12 classrooms are today under SOPIPA. AB 2799 Page 8 This bill, the Early Learning Privacy Information Protection Act (ELPIPA), simply extends the protections offered by SOPIPA to preschool and pre-kindergarten kids." "ELPIPA protects privacy but still enables innovation, because it allows companies to use de-identified kids' information internally to improve educational products and services. The bill also allows sharing of aggregated de-identified personal data for the development of educational sites, services, and apps." 3)Technology in the preschool classroom. Technology is an integral part of learning for today's kids, even for the youngest among them. Preschool and prekindergarten teachers are increasingly integrating tablets into the classroom and using cloud-computing services to enrich student education and improve academic operations. According to a recent study conducted by Common Sense Media, technology and media use begins at an increasingly young age, with as many as 38% of kids under the age of two using mobile devices for media in 2013. The report also found that half (50%) of all children ages zero to eight have used mobile apps, up from just 16% in 2011. According to the study, the most frequently used apps are educational games (43%), games that are just for fun (42%), and creative apps such as those for drawing, music, or photos (38%). ("Zero to Eight: Children's Media Use in America" Common Sense Media, 2013.) A 2015 industry survey that examined early childhood education and marketing educational products for 4-year-olds found that 65% of preschool educators are already using digital devices and materials in their classrooms. The report focused on AB 2799 Page 9 children who were enrolled in Head Start, state and locally funded public prekindergarten classrooms, and private childcare centers. ("Market Opportunities for PreK Instructional Materials 2015-2016" Simba Information, 2015) 4)Federal student privacy law . FERPA protects the confidentiality of school records by prohibiting federal funding of schools that permit the release of those records. FERPA's prohibition only applies to the school itself - not technology vendors - and contains various exemptions allowing data to be released without the written consent of the parents. Since the enactment of FERPA in 1974, educational institutions have undergone dramatic changes in the way students are taught. Schools now routinely use computers, the Internet, and digital resources in a variety of ways to support teaching and learning. Electronic grade books, digital portfolios, learning games, and real-time feedback on teacher and student performance are just a few of the ways technology is now integrated into classroom learning. More recently, these changes led California to pass its own student privacy law, discussed below. 5)California's student privacy law. In 2014, California became the national leader on student privacy protections with the unanimous passage of SB 1177 (Steinberg), known SOPIPA. SOPIPA went into effect on January 1, 2016, and mandates privacy and data security requirements on websites, online services, and mobile apps that are designed, marketed and used primarily for K-12 students. SOPIPA was passed in response to the massive amounts of sensitive student data that online educational products and services were collecting about students, including academic performance, health records, and personal interests. However, AB 2799 Page 10 SOPIPA only applies to K-12 students, leaving younger children in preschool and pre-kindergarten classrooms without the same privacy protections, despite the fact that many were using educational technology. 6)ELPIPA in practice. This bill, dubbed the "Early Learning Personal Information Protection Act," is modeled on SOPIPA and expands the same privacy and data security requirements that exist today for K-12 oriented websites, online services, and mobile apps to those designed primarily for prekindergarten and preschool pupils. The major provisions of this bill would: Prohibit using pupils' personal information for targeted advertising; Prohibit using pupils' personal information for profiling (except for school purposes); Prohibit selling pupils' personal information; Prohibit disclosing pupils' personal information (with limited exceptions to permit site functionality or as required by law); Require reasonable data security for the pupils' information; and AB 2799 Page 11 Require companies to delete pupils' information upon the school's request. 1)Recent amendments harmonize the bill with current law. As the model for this bill, SOPIPA (which is located in the Business and Professions Code) explicitly describes the K-12 students protected by the bill as "students," while the Education Code generally refers to K-12 students as well as preschool students as "pupils." The prior version of this bill used the term "child" and "minor" to describe the children in pre-kindergarten and preschool protected by its provisions. For the sake of consistency and to help alleviate a concern that the bill, as introduced, may have applied to young children who are not yet in preschool or prekindergarten, the author amended the bill to replace the terms "child" and "minor" with the term "pupil." The term pupil is defined in the bill as "a child enrolled in a preschool or prekindergarten course of instruction." 2)Arguments in support . The California State PTA states in support of this bill, "Schools are increasingly integrating the use of computers and technology in the classroom even with our youngest students. Preschools and pre-kindergartens are integrating tablets in the class room and utilizing other interactive technologies to enhance student learning. California is recognized as a leader in student online privacy protections with the passage of AB 1177 (Steinberg) in 2014. California State PTA was a strong supporter of the bill which assured the privacy and security of personal and academic AB 2799 Page 12 information for K-12 students. Preschoolers and pre-kindergarteners need to be provided with the same protections." Los Angeles Unified School District notes in support that "preschools and pre-kindergartens were not afforded the same privacy protections under [SOPIPA] as California's K-12 schools. Because of this, AB 2799 (The Early Learning Privacy Information Protection Act [ELPIPA]) would extend the protections offered under SOPIPA to early education programs. The use of technology in the classroom provides an opportunity for our students to learn and explore while preparing them for a 21st century workforce. It is important to allow these technologies to flourish, but there needs to be constraint and restriction in how the information gathered is utilized." The bill's sponsor, Common Sense Kids Action, states in support that this bill "is among seven bills and one budget proposal chosen by our team of skilled policy staff and advisors to receive a For Kids rating and Common Sense Star through our Common Sense Legislative Ratings initiative." 3)Prior Legislation . SB 1177 (Steinberg), Chapter 839, Statutes of 2014, known SOPIPA, prohibits websites, online services, and mobile apps that are designed, marketed and used primarily for K-12 students from using student data for targeting marketing or profiling, and prohibits selling or disclosing student information with limited exceptions. SB 1177 also requires reasonable security procedures and the deletion of AB 2799 Page 13 student data upon a school's request. 4)Double-referral . This bill was double-referred to the Assembly Education Committee, where it will be heard if passed by this Committee. REGISTERED SUPPORT / OPPOSITION: Support Common Sense Media (sponsor) California State PTA Los Angeles Unified School District Privacy Rights Clearinghouse Opposition None on file. AB 2799 Page 14 Analysis Prepared by:Jennie Bretschneider / P. & C.P. / (916) 319-2200