BILL ANALYSIS �Ó
AB 2799
Page 1
Date of Hearing: April 12, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 2799
(Chau) - As Amended April 7, 2016
SUBJECT: Privacy: personal information: preschool and
prekindergarten purposes
SUMMARY: Prohibits operators of Internet websites, online
services, and mobile apps that are designed, marketed and used
primarily for prekindergarten and preschool pupils, from using
data about those pupils for targeting, marketing or profiling,
and prohibits selling or disclosing a pupil's information with
limited exceptions. Specifically, this bill:
1)Establishes the Early Learning Personal Information Protection
Act (ELPIPA), which prohibits an operator of an Internet
website, online service, online application, or mobile
application with actual knowledge that the site, service, or
application is used primarily for preschool or prekindergarten
purposes and was designed and marketed for preschool or
prekindergarten purposes (Operator) from knowingly engaging in
any of the following activities:
a) Engaging in targeted advertising on the Operator's site,
service, or application; or targeting advertising on any
other site, service, or application when the targeting of
the advertising is based upon any information, including
covered information and persistent unique identifiers, that
�
AB 2799
Page 2
the Operator has acquired because of the use of that
Operator's site, service, or application;
b) Using information, including persistent unique
identifiers, created or gathered by the Operator's site,
service, or application, to amass a profile about a pupil
except in furtherance of preschool or prekindergarten
purposes;
c) Selling or disclosing a pupil's information, except in
the case of a purchase, merger, or other type of
acquisition of an entity that operates an Internet website,
online service, online application, or mobile application
by another entity; and
d) Disclosing covered information, unless the disclosure is
made:
i) In furtherance of the preschool or
prekindergarten purposes of the site, service, or
application;
ii) To ensure legal and regulatory compliance;
iii) To respond to or participate in judicial
process;
iv) To protect the safety of users or others or
security of the site; or
v) To a service provider, provided the service
provider is contractually required to comply with
specified security procedures.
1)Specifies that ELPIPA does not prohibit an Operator from using
information to maintain, develop, support, improve, or
diagnose an Operator's website, service, or application.
2)Requires under ELPIPA that an Operator implement and maintain
reasonable security procedures and practices appropriate to
the nature of the covered information, to protect the personal
information from unauthorized access, destruction, use,
modification, or disclosure.
�
AB 2799
Page 3
3)Requires an Operator to delete a pupil's covered information
if the preschool or prekindergarten requests deletion of data
under the control of the preschool, prekindergarten, school or
district.
4)Permits an Operator to disclose the covered information of a
student under the following circumstances:
a) If other provisions of federal or state law require the
Operator to disclose the information, and the Operator
complies with the requirements of federal and state law in
protecting and disclosing that information;
b) For legitimate research purposes, as specified, if no
covered information is used for any purpose in furtherance
of advertising or to amass a profile on the student for
purposes other than preschool or prekindergarten purposes;
and
c) If the disclosure is to a state or local educational
agency, including preschools and prekindergartens, schools
and school districts as permitted by state or federal law.
5)Permits an Operator to use aggregated, de-identified covered
information of a pupil as follows:
a) Within the Operator's site, service, or application or
other sites, services, or applications owned by the
Operator to improve educational products;
b) To demonstrate the effectiveness of the Operator's
products, including in their marketing; and
c) To share aggregated de-identified pupil covered
information for the development and improvement of
educational sites, services, or applications.
6)Defines "pupil" as a child enrolled in a preschool or
�
AB 2799
Page 4
prekindergarten course of instruction.
7)Defines "online services" under ELPIPA to include cloud
computing services.
8)Defines "covered information" under ELPIPA to mean information
or materials in any media or format that meets any of the
following:
a) Are created or provided by a pupil, or the pupil's
parent or legal guardian, in the course of the pupil's,
parent's, or legal guardian's use of the site, service, or
application for preschool or prekindergarten purposes;
b) Are created or provided by an employee or agent of the
educational institution; and
c) Are gathered by the site, service, or application, that
is descriptive of a pupil or otherwise personally
identifies a pupil, including, but not limited to,
information in the pupil's educational record or email,
first and last name, home address, telephone number, email
address, or other information that allows physical or
online contact, discipline records, test results, special
education data, juvenile dependency records, grades,
evaluations, criminal records, medical records, health
records, social security number, biometric information,
disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text
messages, documents, student identifiers, search activity,
photos, voice recordings, or geolocation information.
9)Defines "preschool or prekindergarten purposes" under ELPIPA
to mean purposes that customarily take place at the direction
of the preschool, prekindergarten, teacher, or school
district, or aid in the administration of preschool or
prekindergarten activities, including, but not limited to,
instruction in the classroom or home, administrative
activities, and collaboration between pupils, preschool or
�
AB 2799
Page 5
prekindergarten personnel, or parents, or are for the use and
benefit of the preschool or prekindergarten.
10)Specifies that ELPIPA does not limit the authority of a law
enforcement agency to obtain any content or information from
an Operator as authorized by law or pursuant to an order of a
court of competent jurisdiction.
11)Authorizes an Operator to use a pupil's educational data for
adaptive learning or customized early learning purposes.
12)Specifies that ELPIPA does not apply to general audience
Internet websites, general audience online services, general
audience online applications, or general audience mobile
applications, even if login credentials created for an
Operator's site, service or application may be used to access
those general audience sites, services, or applications.
13)Specifies that ELPIPA does not limit Internet service
providers from providing Internet connectivity to preschools,
prekindergartens, schools or pupils and their families.
14)Clarifies that ELPIPA does not prohibit an Operator from
marketing educational products directly to parents as long as
the marketing was not the result of covered information
obtained by the Operator through the provision of services
covered under this section.
15)Clarifies that ELPIPA does not impose a duty upon a provider
of an electronic store, gateway, marketplace, interactive
computer service, or other means of purchasing or downloading
software or applications to review or enforce compliance of
this section on those applications or software.
16)Provides that ELPIPA does not impede the ability of minors to
download, export, or otherwise save or maintain their own
student created data or documents.
�
AB 2799
Page 6
EXISTING LAW:
1)Establishes the Student Online Privacy Protection Act
(SOPIPA), which prohibits an operator of a website, online
service, online application, or mobile application from
knowingly engaging in targeted advertising to students or
their parents or legal guardians using covered information, as
defined, amassing a profile of a K-12 student, selling a
student's information, or disclosing covered information, as
provided. (Business and Professions Code (BPC) Section
22584-85)
2)Defines an "Operator" as the operator of a website, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K-12 school purposes and was designed and
marketed for K-12 school purposes. (BPC 22584(a))
3)Requires an Operator of a commercial website or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who
use or visit its website to conspicuously post its privacy
policy. (BPC 22575)
4)Protects, pursuant to the federal Family Educational Rights
and Privacy Act (FERPA), the confidentiality of educational
records (and personally identifiable information contained
therein) by prohibiting the funding of schools that permit the
release of those records. It applies to all schools that
receive funds under an applicable program of the U.S.
Department of Education. Generally, schools must have written
permission from the parent or eligible student in order to
release any information from a student's education record.
�
AB 2799
Page 7
FERPA's prohibition only applies to the school itself and
contains various exemptions where the data may be released
without the written consent of the parents. (20 U.S.C. Sec.
1232g(b)(1))
5)Prohibits, pursuant to the federal Children's Online Privacy
Protection Act of 1998, an Operator of a website or online
service directed to pupils under the age of 13 from collecting
personal information from a pupil, including a pupil's first
and last name, home or other physical address including street
name and name of a city or town, e-mail address, telephone
number, or Social Security number. (5 U.S.C. 6501-6505)
FISCAL EFFECT: None. This bill is keyed nonfiscal by the
Legislative Counsel.
COMMENTS:
1)Purpose of this bill . This bill is intended to close a gap in
current online student privacy laws for prekindergarten and
preschool pupils by applying to those pupils the existing
privacy protections that currently apply to K-12 students. AB
2799 is sponsored by Common Sense Media.
2)Author's statement . According to the author's office, "In
2014, California became the national leader on student privacy
protections with the unanimous passage of SB 1177 (Steinberg),
the Student Online Personal Information Protection Act
(SOPIPA). While SOPIPA protects privacy for K-12 students,
our new law does not protect children in pre-kindergarten and
preschool classrooms. Preschools should also be safe-havens
for learning just as K-12 classrooms are today under SOPIPA.
�
AB 2799
Page 8
This bill, the Early Learning Privacy Information Protection
Act (ELPIPA), simply extends the protections offered by SOPIPA
to preschool and pre-kindergarten kids."
"ELPIPA protects privacy but still enables innovation, because
it allows companies to use de-identified kids' information
internally to improve educational products and services. The
bill also allows sharing of aggregated de-identified personal
data for the development of educational sites, services, and
apps."
3)Technology in the preschool classroom. Technology is an
integral part of learning for today's kids, even for the
youngest among them. Preschool and prekindergarten teachers
are increasingly integrating tablets into the classroom and
using cloud-computing services to enrich student education and
improve academic operations.
According to a recent study conducted by Common Sense Media,
technology and media use begins at an increasingly young age,
with as many as 38% of kids under the age of two using mobile
devices for media in 2013. The report also found that half
(50%) of all children ages zero to eight have used mobile
apps, up from just 16% in 2011. According to the study, the
most frequently used apps are educational games (43%), games
that are just for fun (42%), and creative apps such as those
for drawing, music, or photos (38%). ("Zero to Eight:
Children's Media Use in America" Common Sense Media, 2013.)
A 2015 industry survey that examined early childhood education
and marketing educational products for 4-year-olds found that
65% of preschool educators are already using digital devices
and materials in their classrooms. The report focused on
�
AB 2799
Page 9
children who were enrolled in Head Start, state and locally
funded public prekindergarten classrooms, and private
childcare centers. ("Market Opportunities for PreK
Instructional Materials 2015-2016" Simba Information, 2015)
4)Federal student privacy law . FERPA protects the
confidentiality of school records by prohibiting federal
funding of schools that permit the release of those records.
FERPA's prohibition only applies to the school itself - not
technology vendors - and contains various exemptions allowing
data to be released without the written consent of the
parents.
Since the enactment of FERPA in 1974, educational institutions
have undergone dramatic changes in the way students are
taught. Schools now routinely use computers, the Internet,
and digital resources in a variety of ways to support teaching
and learning. Electronic grade books, digital portfolios,
learning games, and real-time feedback on teacher and student
performance are just a few of the ways technology is now
integrated into classroom learning. More recently, these
changes led California to pass its own student privacy law,
discussed below.
5)California's student privacy law. In 2014, California became
the national leader on student privacy protections with the
unanimous passage of SB 1177 (Steinberg), known SOPIPA.
SOPIPA went into effect on January 1, 2016, and mandates
privacy and data security requirements on websites, online
services, and mobile apps that are designed, marketed and used
primarily for K-12 students.
SOPIPA was passed in response to the massive amounts of
sensitive student data that online educational products and
services were collecting about students, including academic
performance, health records, and personal interests. However,
�
AB 2799
Page 10
SOPIPA only applies to K-12 students, leaving younger children
in preschool and pre-kindergarten classrooms without the same
privacy protections, despite the fact that many were using
educational technology.
6)ELPIPA in practice. This bill, dubbed the "Early Learning
Personal Information Protection Act," is modeled on SOPIPA and
expands the same privacy and data security requirements that
exist today for K-12 oriented websites, online services, and
mobile apps to those designed primarily for prekindergarten
and preschool pupils.
The major provisions of this bill would:
Prohibit using pupils' personal information for targeted
advertising;
Prohibit using pupils' personal information for
profiling (except for school purposes);
Prohibit selling pupils' personal information;
Prohibit disclosing pupils' personal information (with
limited exceptions to permit site functionality or as
required by law);
Require reasonable data security for the pupils'
information; and
�
AB 2799
Page 11
Require companies to delete pupils' information upon the
school's request.
1)Recent amendments harmonize the bill with current law. As the
model for this bill, SOPIPA (which is located in the Business
and Professions Code) explicitly describes the K-12 students
protected by the bill as "students," while the Education Code
generally refers to K-12 students as well as preschool
students as "pupils." The prior version of this bill used the
term "child" and "minor" to describe the children in
pre-kindergarten and preschool protected by its provisions.
For the sake of consistency and to help alleviate a concern that
the bill, as introduced, may have applied to young children
who are not yet in preschool or prekindergarten, the author
amended the bill to replace the terms "child" and "minor" with
the term "pupil." The term pupil is defined in the bill as "a
child enrolled in a preschool or prekindergarten course of
instruction."
2)Arguments in support . The California State PTA states in
support of this bill, "Schools are increasingly integrating
the use of computers and technology in the classroom even with
our youngest students. Preschools and pre-kindergartens are
integrating tablets in the class room and utilizing other
interactive technologies to enhance student learning.
California is recognized as a leader in student online privacy
protections with the passage of AB 1177 (Steinberg) in 2014.
California State PTA was a strong supporter of the bill which
assured the privacy and security of personal and academic
�
AB 2799
Page 12
information for K-12 students. Preschoolers and
pre-kindergarteners need to be provided with the same
protections."
Los Angeles Unified School District notes in support that
"preschools and pre-kindergartens were not afforded the same
privacy protections under [SOPIPA] as California's K-12
schools. Because of this, AB 2799 (The Early Learning Privacy
Information Protection Act [ELPIPA]) would extend the
protections offered under SOPIPA to early education programs.
The use of technology in the classroom provides an opportunity
for our students to learn and explore while preparing them for
a 21st century workforce. It is important to allow these
technologies to flourish, but there needs to be constraint and
restriction in how the information gathered is utilized."
The bill's sponsor, Common Sense Kids Action, states in
support that this bill "is among seven bills and one budget
proposal chosen by our team of skilled policy staff and
advisors to receive a For Kids rating and Common Sense Star
through our Common Sense Legislative Ratings initiative."
3)Prior Legislation . SB 1177 (Steinberg), Chapter 839, Statutes
of 2014, known SOPIPA, prohibits websites, online services,
and mobile apps that are designed, marketed and used primarily
for K-12 students from using student data for targeting
marketing or profiling, and prohibits selling or disclosing
student information with limited exceptions. SB 1177 also
requires reasonable security procedures and the deletion of
�
AB 2799
Page 13
student data upon a school's request.
4)Double-referral . This bill was double-referred to the
Assembly Education Committee, where it will be heard if passed
by this Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
Common Sense Media (sponsor)
California State PTA
Los Angeles Unified School District
Privacy Rights Clearinghouse
Opposition
None on file.
�
AB 2799
Page 14
Analysis Prepared by:Jennie Bretschneider / P. & C.P. / (916)
319-2200