BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                    AB 2799


                                                                    Page  1





          Date of Hearing:  April 12, 2016


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                   Ed Chau, Chair


          AB 2799  
          (Chau) - As Amended April 7, 2016


          SUBJECT:  Privacy:  personal information:  preschool and  
          prekindergarten purposes


          SUMMARY:  Prohibits operators of Internet websites, online  
          services, and mobile apps that are designed, marketed and used  
          primarily for prekindergarten and preschool pupils, from using  
          data about those pupils for targeting, marketing or profiling,  
          and prohibits selling or disclosing a pupil's information with  
          limited exceptions.  Specifically, this bill:  


          1)Establishes the Early Learning Personal Information Protection  
            Act (ELPIPA), which prohibits an operator of an Internet  
            website, online service, online application, or mobile  
            application with actual knowledge that the site, service, or  
            application is used primarily for preschool or prekindergarten  
            purposes and was designed and marketed for preschool or  
            prekindergarten purposes (Operator) from knowingly engaging in  
            any of the following activities: 

             a)   Engaging in targeted advertising on the Operator's site,  
               service, or application; or targeting advertising on any  
               other site, service, or application when the targeting of  
               the advertising is based upon any information, including  
               covered information and persistent unique identifiers, that  








                                                                    AB 2799


                                                                    Page  2





               the Operator has acquired because of the use of that  
               Operator's site, service, or application; 

             b)   Using information, including persistent unique  
               identifiers, created or gathered by the Operator's site,  
               service, or application, to amass a profile about a pupil  
               except in furtherance of preschool or prekindergarten  
               purposes; 

             c)   Selling or disclosing a pupil's information, except in  
               the case of a purchase, merger, or other type of  
               acquisition of an entity that operates an Internet website,  
               online service, online application, or mobile application  
               by another entity; and

             d)   Disclosing covered information, unless the disclosure is  
               made: 

                  i)        In furtherance of the preschool or  
                    prekindergarten purposes of the site, service, or  
                    application; 
                  ii)       To ensure legal and regulatory compliance; 
                  iii)      To respond to or participate in judicial  
                    process; 
                  iv)       To protect the safety of users or others or  
                    security of the site; or
                  v)        To a service provider, provided the service  
                    provider is contractually required to comply with  
                    specified security procedures.  

          1)Specifies that ELPIPA does not prohibit an Operator from using  
            information to maintain, develop, support, improve, or  
            diagnose an Operator's website, service, or application. 

          2)Requires under ELPIPA that an Operator implement and maintain  
            reasonable security procedures and practices appropriate to  
            the nature of the covered information, to protect the personal  
            information from unauthorized access, destruction, use,  
            modification, or disclosure. 








                                                                    AB 2799


                                                                    Page  3






          3)Requires an Operator to delete a pupil's covered information  
            if the preschool or prekindergarten requests deletion of data  
            under the control of the preschool, prekindergarten, school or  
            district. 

          4)Permits an Operator to disclose the covered information of a  
            student under the following circumstances: 

             a)   If other provisions of federal or state law require the  
               Operator to disclose the information, and the Operator  
               complies with the requirements of federal and state law in  
               protecting and disclosing that information; 

             b)   For legitimate research purposes, as specified, if no  
               covered information is used for any purpose in furtherance  
               of advertising or to amass a profile on the student for  
               purposes other than preschool or prekindergarten purposes;  
               and 

             c)   If the disclosure is to a state or local educational  
               agency, including preschools and prekindergartens, schools  
               and school districts as permitted by state or federal law. 

          5)Permits an Operator to use aggregated, de-identified covered  
            information of a pupil as follows: 

             a)   Within the Operator's site, service, or application or  
               other sites, services, or applications owned by the  
               Operator to improve educational products; 

             b)   To demonstrate the effectiveness of the Operator's  
               products, including in their marketing; and 

             c)   To share aggregated de-identified pupil covered  
               information for the development and improvement of  
               educational sites, services, or applications. 

          6)Defines "pupil" as a child enrolled in a preschool or  








                                                                    AB 2799


                                                                    Page  4





            prekindergarten course of instruction. 

          7)Defines "online services" under ELPIPA to include cloud  
            computing services. 

          8)Defines "covered information" under ELPIPA to mean information  
            or materials in any media or format that meets any of the  
            following: 

             a)   Are created or provided by a pupil, or the pupil's  
               parent or legal guardian, in the course of the pupil's,  
               parent's, or legal guardian's use of the site, service, or  
               application for preschool or prekindergarten purposes; 

             b)   Are created or provided by an employee or agent of the  
               educational institution; and 

             c)   Are gathered by the site, service, or application, that  
               is descriptive of a pupil or otherwise personally  
               identifies a pupil, including, but not limited to,  
               information in the pupil's educational record or email,  
               first and last name, home address, telephone number, email  
               address, or other information that allows physical or  
               online contact, discipline records, test results, special  
               education data, juvenile dependency records, grades,  
               evaluations, criminal records, medical records, health  
               records, social security number, biometric information,  
               disabilities, socioeconomic information, food purchases,  
               political affiliations, religious information, text  
               messages, documents, student identifiers, search activity,  
               photos, voice recordings, or geolocation information. 

          9)Defines "preschool or prekindergarten purposes" under ELPIPA  
            to mean purposes that customarily take place at the direction  
            of the preschool, prekindergarten, teacher, or school  
            district, or aid in the administration of preschool or  
            prekindergarten activities, including, but not limited to,  
            instruction in the classroom or home, administrative  
            activities, and collaboration between pupils, preschool or  








                                                                    AB 2799


                                                                    Page  5





            prekindergarten personnel, or parents, or are for the use and  
            benefit of the preschool or prekindergarten.  

          10)Specifies that ELPIPA does not limit the authority of a law  
            enforcement agency to obtain any content or information from  
            an Operator as authorized by law or pursuant to an order of a  
            court of competent jurisdiction.

          11)Authorizes an Operator to use a pupil's educational data for  
            adaptive learning or customized early learning purposes. 

          12)Specifies that ELPIPA does not apply to general audience  
            Internet websites, general audience online services, general  
            audience online applications, or general audience mobile  
            applications, even if login credentials created for an  
            Operator's site, service or application may be used to access  
            those general audience sites, services, or applications. 

          13)Specifies that ELPIPA does not limit Internet service  
            providers from providing Internet connectivity to preschools,  
            prekindergartens, schools or pupils and their families. 

          14)Clarifies that ELPIPA does not prohibit an Operator from  
            marketing educational products directly to parents as long as  
            the marketing was not the result of covered information  
            obtained by the Operator through the provision of services  
            covered under this section. 

          15)Clarifies that ELPIPA does not impose a duty upon a provider  
            of an electronic store, gateway, marketplace, interactive  
            computer service, or other means of purchasing or downloading  
            software or applications to review or enforce compliance of  
            this section on those applications or software. 

          16)Provides that ELPIPA does not impede the ability of minors to  
            download, export, or otherwise save or maintain their own  
            student created data or documents. 
          









                                                                    AB 2799


                                                                    Page  6






          EXISTING LAW:  
          1)Establishes the Student Online Privacy Protection Act  
            (SOPIPA), which prohibits an operator of a website, online  
            service, online application, or mobile application from  
            knowingly engaging in targeted advertising to students or  
            their parents or legal guardians using covered information, as  
            defined, amassing a profile of a K-12 student, selling a  
            student's information, or disclosing covered information, as  
            provided.  (Business and Professions Code (BPC) Section  
            22584-85)



          2)Defines an "Operator" as the operator of a website, online  
            service, online application, or mobile application with actual  
            knowledge that the site, service, or application is used  
            primarily for K-12 school purposes and was designed and  
            marketed for K-12 school purposes.  (BPC 22584(a))



          3)Requires an Operator of a commercial website or online service  
            that collects personally identifiable information through the  
            Internet about individual consumers residing in California who  
            use or visit its website to conspicuously post its privacy  
            policy.  (BPC 22575)



          4)Protects, pursuant to the federal Family Educational Rights  
            and Privacy Act (FERPA), the confidentiality of educational  
            records (and personally identifiable information contained  
            therein) by prohibiting the funding of schools that permit the  
            release of those records.  It applies to all schools that  
            receive funds under an applicable program of the U.S.  
            Department of Education.  Generally, schools must have written  
            permission from the parent or eligible student in order to  
            release any information from a student's education record.   








                                                                    AB 2799


                                                                    Page  7





            FERPA's prohibition only applies to the school itself and  
            contains various exemptions where the data may be released  
            without the written consent of the parents.  (20 U.S.C. Sec.  
            1232g(b)(1))



          5)Prohibits, pursuant to the federal Children's Online Privacy  
            Protection Act of 1998, an Operator of a website or online  
            service directed to pupils under the age of 13 from collecting  
            personal information from a pupil, including a pupil's first  
            and last name, home or other physical address including street  
            name and name of a city or town, e-mail address, telephone  
            number, or Social Security number.  (5 U.S.C. 6501-6505)


          FISCAL EFFECT:  None.  This bill is keyed nonfiscal by the  
          Legislative Counsel.


          COMMENTS:  


           1)Purpose of this bill  .  This bill is intended to close a gap in  
            current online student privacy laws for prekindergarten and  
            preschool pupils by applying to those pupils the existing  
            privacy protections that currently apply to K-12 students.  AB  
            2799 is sponsored by Common Sense Media.   



           2)Author's statement  .  According to the author's office, "In  
            2014, California became the national leader on student privacy  
            protections with the unanimous passage of SB 1177 (Steinberg),  
            the Student Online Personal Information Protection Act  
            (SOPIPA).  While SOPIPA protects privacy for K-12 students,  
            our new law does not protect children in pre-kindergarten and  
            preschool classrooms.  Preschools should also be safe-havens  
            for learning just as K-12 classrooms are today under SOPIPA.   








                                                                    AB 2799


                                                                    Page  8





            This bill, the Early Learning Privacy Information Protection  
            Act (ELPIPA), simply extends the protections offered by SOPIPA  
            to preschool and pre-kindergarten kids."





            "ELPIPA protects privacy but still enables innovation, because  
            it allows companies to use de-identified kids' information  
            internally to improve educational products and services.  The  
            bill also allows sharing of aggregated de-identified personal  
            data for the development of educational sites, services, and  
            apps."



           3)Technology in the preschool classroom.   Technology is an  
            integral part of learning for today's kids, even for the  
            youngest among them.  Preschool and prekindergarten teachers  
            are increasingly integrating tablets into the classroom and  
            using cloud-computing services to enrich student education and  
            improve academic operations. 

          According to a recent study conducted by Common Sense Media,  
            technology and media use begins at an increasingly young age,  
            with as many as 38% of kids under the age of two using mobile  
            devices for media in 2013.  The report also found that half  
            (50%) of all children ages zero to eight have used mobile  
            apps, up from just 16% in 2011.  According to the study, the  
            most frequently used apps are educational games (43%), games  
            that are just for fun (42%), and creative apps such as those  
            for drawing, music, or photos (38%).  ("Zero to Eight:  
            Children's Media Use in America" Common Sense Media, 2013.)

            A 2015 industry survey that examined early childhood education  
            and marketing educational products for 4-year-olds found that  
            65% of preschool educators are already using digital devices  
            and materials in their classrooms.  The report focused on  








                                                                    AB 2799


                                                                    Page  9





            children who were enrolled in Head Start, state and locally  
            funded public prekindergarten classrooms, and private  
            childcare centers.  ("Market Opportunities for PreK  
            Instructional Materials 2015-2016" Simba Information, 2015)  

           4)Federal student privacy law  .  FERPA protects the  
            confidentiality of school records by prohibiting federal  
            funding of schools that permit the release of those records.   
            FERPA's prohibition only applies to the school itself - not  
            technology vendors - and contains various exemptions allowing  
            data to be released without the written consent of the  
            parents. 

            Since the enactment of FERPA in 1974, educational institutions  
            have undergone dramatic changes in the way students are  
            taught.  Schools now routinely use computers, the Internet,  
            and digital resources in a variety of ways to support teaching  
            and learning.  Electronic grade books, digital portfolios,  
            learning games, and real-time feedback on teacher and student  
            performance are just a few of the ways technology is now  
            integrated into classroom learning.  More recently, these  
            changes led California to pass its own student privacy law,  
            discussed below.


           5)California's student privacy law.   In 2014, California became  
            the national leader on student privacy protections with the  
            unanimous passage of SB 1177 (Steinberg), known SOPIPA.   
            SOPIPA went into effect on January 1, 2016, and mandates  
            privacy and data security requirements on websites, online  
            services, and mobile apps that are designed, marketed and used  
            primarily for K-12 students.  



          SOPIPA was passed in response to the massive amounts of  
            sensitive student data that online educational products and  
            services were collecting about students, including academic  
            performance, health records, and personal interests.  However,  








                                                                    AB 2799


                                                                    Page  10





            SOPIPA only applies to K-12 students, leaving younger children  
            in preschool and pre-kindergarten classrooms without the same  
            privacy protections, despite the fact that many were using  
            educational technology.



           6)ELPIPA in practice.   This bill, dubbed the "Early Learning  
            Personal Information Protection Act," is modeled on SOPIPA and  
            expands the same privacy and data security requirements that  
            exist today for K-12 oriented websites, online services, and  
            mobile apps to those designed primarily for prekindergarten  
            and preschool pupils. 



            The major provisions of this bill would:



                 Prohibit using pupils' personal information for targeted  
               advertising;


                 Prohibit using pupils' personal information for  
               profiling (except for school purposes);


                 Prohibit selling pupils' personal information;


                 Prohibit disclosing pupils' personal information (with  
               limited exceptions to permit site functionality or as  
               required by law);


                 Require reasonable data security for the pupils'  
               information; and









                                                                    AB 2799


                                                                    Page  11






                 Require companies to delete pupils' information upon the  
               school's request.





           1)Recent amendments harmonize the bill with current law.   As the  
            model for this bill, SOPIPA (which is located in the Business  
            and Professions Code) explicitly describes the K-12 students  
            protected by the bill as "students," while the Education Code  
            generally refers to K-12 students as well as preschool  
            students as "pupils."  The prior version of this bill used the  
            term "child" and "minor" to describe the children in  
            pre-kindergarten and preschool protected by its provisions.  



          For the sake of consistency and to help alleviate a concern that  
            the bill, as introduced, may have applied to young children  
            who are not yet in preschool or prekindergarten, the author  
            amended the bill to replace the terms "child" and "minor" with  
            the term "pupil."  The term pupil is defined in the bill as "a  
            child enrolled in a preschool or prekindergarten course of  
            instruction."  



           2)Arguments in support  .  The California State PTA states in  
            support of this bill, "Schools are increasingly integrating  
            the use of computers and technology in the classroom even with  
            our youngest students.  Preschools and pre-kindergartens are  
            integrating tablets in the class room and utilizing other  
            interactive technologies to enhance student learning.   
            California is recognized as a leader in student online privacy  
            protections with the passage of AB 1177 (Steinberg) in 2014.  
            California State PTA was a strong supporter of the bill which  
            assured the privacy and security of personal and academic  








                                                                    AB 2799


                                                                    Page  12





            information for K-12 students. Preschoolers and  
            pre-kindergarteners need to be provided with the same  
            protections."



            Los Angeles Unified School District notes in support that  
            "preschools and pre-kindergartens were not afforded the same  
            privacy protections under [SOPIPA] as California's K-12  
            schools.  Because of this, AB 2799 (The Early Learning Privacy  
            Information Protection Act [ELPIPA]) would extend the  
            protections offered under SOPIPA to early education programs.   
            The use of technology in the classroom provides an opportunity  
            for our students to learn and explore while preparing them for  
            a 21st century workforce.  It is important to allow these  
            technologies to flourish, but there needs to be constraint and  
            restriction in how the information gathered is utilized."





            The bill's sponsor, Common Sense Kids Action, states in  
            support that this bill "is among seven bills and one budget  
            proposal chosen by our team of skilled policy staff and  
            advisors to receive a For Kids rating and Common Sense Star  
            through our Common Sense Legislative Ratings initiative."  





           3)Prior Legislation  .  SB 1177 (Steinberg), Chapter 839, Statutes  
            of 2014, known SOPIPA, prohibits websites, online services,  
            and mobile apps that are designed, marketed and used primarily  
            for K-12 students from using student data for targeting  
            marketing or profiling, and prohibits selling or disclosing  
            student information with limited exceptions.  SB 1177 also  
            requires reasonable security procedures and the deletion of  








                                                                    AB 2799


                                                                    Page  13





            student data upon a school's request. 





           4)Double-referral  .  This bill was double-referred to the  
            Assembly Education Committee, where it will be heard if passed  
            by this Committee. 


          REGISTERED SUPPORT / OPPOSITION:




          Support


          Common Sense Media (sponsor)


          California State PTA


          Los Angeles Unified School District


          Privacy Rights Clearinghouse




          Opposition


          None on file.










                                                                    AB 2799


                                                                    Page  14







          Analysis Prepared by:Jennie Bretschneider / P. & C.P. / (916)  
          319-2200