BILL ANALYSIS �Ó
AB 2799
Page 1
Date of Hearing: May 4, 2016
ASSEMBLY COMMITTEE ON EDUCATION
Patrick O'Donnell, Chair
AB 2799
(Chau) - As Amended April 7, 2016
[This bill was double referred to the Committee on Privacy and
Consumer Protection and was heard by that committee as it
relates to issues under its jurisdiction.]
SUBJECT: Privacy: personal information: preschool and
prekindergarten purposes
SUMMARY: Prohibits operators of Internet websites, online
services, and mobile apps that are designed, marketed and used
primarily for prekindergarten and preschool pupils, from using
data about those pupils for targeting, marketing or profiling,
and prohibits selling or disclosing a pupil's information with
limited exceptions. Specifically, this bill:
1)Establishes the Early Learning Personal Information Protection
Act (ELPIPA), which prohibits an operator of an Internet
website, online service, online application, or mobile
application with actual knowledge that the site, service, or
application is used primarily for preschool or prekindergarten
purposes and was designed and marketed for preschool or
prekindergarten purposes (Operator) from knowingly engaging in
any of the following activities:
�
AB 2799
Page 2
a) Engaging in targeted advertising on the Operator's site,
service, or application; or targeting advertising on any
other site, service, or application when the targeting of
the advertising is based upon any information, including
covered information and persistent unique identifiers, that
the Operator has acquired because of the use of that
Operator's site, service, or application;
b) Using information, including persistent unique
identifiers, created or gathered by the Operator's site,
service, or application, to amass a profile about a pupil
except in furtherance of preschool or prekindergarten
purposes;
c) Selling or disclosing a pupil's information, except in
the case of a purchase, merger, or other type of
acquisition of an entity that operates an Internet website,
online service, online application, or mobile application
by another entity; and
d) Disclosing covered information, unless the disclosure is
made:
i) In furtherance of the preschool or
prekindergarten purposes of the site, service, or
application;
ii) To ensure legal and regulatory compliance;
iii) To respond to or participate in judicial
process;
iv) To protect the safety of users or others or
security of the site; or
v) To a service provider, provided the service
provider is contractually required to comply with
specified security procedures.
1)Specifies that ELPIPA does not prohibit an Operator from using
information to maintain, develop, support, improve, or
diagnose an Operator's website, service, or application.
�
AB 2799
Page 3
2)Requires under ELPIPA that an Operator implement and maintain
reasonable security procedures and practices appropriate to
the nature of the covered information, to protect the personal
information from unauthorized access, destruction, use,
modification, or disclosure.
3)Requires an Operator to delete a pupil's covered information
if the preschool or prekindergarten requests deletion of data
under the control of the preschool, prekindergarten, school or
district.
4)Permits an Operator to disclose the covered information of a
student under the following circumstances:
a) If other provisions of federal or state law require the
Operator to disclose the information, and the Operator
complies with the requirements of federal and state law in
protecting and disclosing that information;
b) For legitimate research purposes, as specified, if no
covered information is used for any purpose in furtherance
of advertising or to amass a profile on the student for
purposes other than preschool or prekindergarten purposes;
and
c) If the disclosure is to a state or local educational
agency, including preschools and prekindergartens, schools
and school districts as permitted by state or federal law.
5)Permits an Operator to use aggregated, de-identified covered
information of a pupil as follows:
a) Within the Operator's site, service, or application or
other sites, services, or applications owned by the
Operator to improve educational products;
b) To demonstrate the effectiveness of the Operator's
products, including in their marketing; and
�
AB 2799
Page 4
c) To share aggregated de-identified pupil covered
information for the development and improvement of
educational sites, services, or applications.
6)Defines "pupil" as a child enrolled in a preschool or
prekindergarten course of instruction.
7)Defines "online services" under ELPIPA to include cloud
computing services.
8)Defines "covered information" under ELPIPA to mean information
or materials in any media or format that meets any of the
following:
a) Are created or provided by a pupil, or the pupil's
parent or legal guardian, in the course of the pupil's,
parent's, or legal guardian's use of the site, service, or
application for preschool or prekindergarten purposes;
b) Are created or provided by an employee or agent of the
educational institution; and
c) Are gathered by the site, service, or application, that
is descriptive of a pupil or otherwise personally
identifies a pupil, including, but not limited to,
information in the pupil's educational record or email,
first and last name, home address, telephone number, email
address, or other information that allows physical or
online contact, discipline records, test results, special
education data, juvenile dependency records, grades,
evaluations, criminal records, medical records, health
records, social security number, biometric information,
disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text
messages, documents, student identifiers, search activity,
photos, voice recordings, or geolocation information.
9)Defines "preschool or prekindergarten purposes" under ELPIPA
to mean purposes that customarily take place at the direction
�
AB 2799
Page 5
of the preschool, prekindergarten, teacher, or school
district, or aid in the administration of preschool or
prekindergarten activities, including, but not limited to,
instruction in the classroom or home, administrative
activities, and collaboration between pupils, preschool or
prekindergarten personnel, or parents, or are for the use and
benefit of the preschool or prekindergarten.
10)Specifies that ELPIPA does not limit the authority of a law
enforcement agency to obtain any content or information from
an Operator as authorized by law or pursuant to an order of a
court of competent jurisdiction.
11)Authorizes an Operator to use a pupil's educational data for
adaptive learning or customized early learning purposes.
12)Specifies that ELPIPA does not apply to general audience
Internet websites, general audience online services, general
audience online applications, or general audience mobile
applications, even if login credentials created for an
Operator's site, service or application may be used to access
those general audience sites, services, or applications.
13)Specifies that ELPIPA does not limit Internet service
providers from providing Internet connectivity to preschools,
prekindergartens, schools or pupils and their families.
14)Clarifies that ELPIPA does not prohibit an Operator from
marketing educational products directly to parents as long as
the marketing was not the result of covered information
obtained by the Operator through the provision of services
covered under this section.
15)Clarifies that ELPIPA does not impose a duty upon a provider
of an electronic store, gateway, marketplace, interactive
computer service, or other means of purchasing or downloading
software or applications to review or enforce compliance of
this section on those applications or software.
�
AB 2799
Page 6
16)Provides that ELPIPA does not impede the ability of minors to
download, export, or otherwise save or maintain their own
student created data or documents.
EXISTING LAW:
1)Establishes the Student Online Privacy Protection Act
(SOPIPA), which prohibits an operator of a website, online
service, online application, or mobile application from
knowingly engaging in targeted advertising to students or
their parents or legal guardians using covered information, as
defined, amassing a profile of a K-12 student, selling a
student's information, or disclosing covered information, as
provided. (Business and Professions Code (BPC) Section
22584-85)
2)Defines an "Operator" as the operator of a website, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K-12 school purposes and was designed and
marketed for K-12 school purposes. (BPC 22584(a))
3)Requires an Operator of a commercial website or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who
use or visit its website to conspicuously post its privacy
policy. (BPC 22575)
4)Protects, pursuant to the federal Family Educational Rights
and Privacy Act (FERPA), the confidentiality of educational
�
AB 2799
Page 7
records (and personally identifiable information contained
therein) by prohibiting the funding of schools that permit the
release of those records. It applies to all schools that
receive funds under an applicable program of the U.S.
Department of Education. Generally, schools must have written
permission from the parent or eligible student in order to
release any information from a student's education record.
FERPA's prohibition only applies to the school itself and
contains various exemptions where the data may be released
without the written consent of the parents. (20 U.S.C. Sec.
1232g(b)(1))
5)Prohibits, pursuant to the federal Children's Online Privacy
Protection Act of 1998, an Operator of a website or online
service directed to pupils under the age of 13 from collecting
personal information from a pupil, including a pupil's first
and last name, home or other physical address including street
name and name of a city or town, e-mail address, telephone
number, or Social Security number. (5 U.S.C. 6501-6505)
FISCAL EFFECT: This bill is keyed nonfiscal
COMMENTS:
1)Purpose of this bill. This bill is intended to close a gap in
current online student privacy laws for prekindergarten and
preschool pupils by applying to those pupils the existing
privacy protections that currently apply to K-12 students. AB
2799 is sponsored by Common Sense Media.
2)Author's statement. According to the author's office, "In
2014, California became the national leader on student privacy
�
AB 2799
Page 8
protections with the unanimous passage of SB 1177 (Steinberg),
the Student Online Personal Information Protection Act
(SOPIPA). While SOPIPA protects privacy for K-12 students,
our new law does not protect children in pre-kindergarten and
preschool classrooms. Preschools should also be safe-havens
for learning just as K-12 classrooms are today under SOPIPA.
This bill, the Early Learning Privacy Information Protection
Act (ELPIPA), simply extends the protections offered by SOPIPA
to preschool and pre-kindergarten kids."
"ELPIPA protects privacy but still enables innovation, because
it allows companies to use de-identified kids' information
internally to improve educational products and services. The
bill also allows sharing of aggregated de-identified personal
data for the development of educational sites, services, and
apps."
3)Technology in the preschool classroom. Technology is an
integral part of learning for today's kids, even for the
youngest among them. Preschool and prekindergarten teachers
are increasingly integrating tablets into the classroom and
using cloud-computing services to enrich student education and
improve academic operations.
According to a recent study conducted by Common Sense Media,
technology and media use begins at an increasingly young age,
with as many as 38% of kids under the age of two using mobile
devices for media in 2013. The report also found that half
(50%) of all children ages zero to eight have used mobile
apps, up from just 16% in 2011. According to the study, the
most frequently used apps are educational games (43%), games
that are just for fun (42%), and creative apps such as those
for drawing, music, or photos (38%). ("Zero to Eight:
�
AB 2799
Page 9
Children's Media Use in America" Common Sense Media, 2013.)
A 2015 industry survey that examined early childhood education
and marketing educational products for 4-year-olds found that
65% of preschool educators are already using digital devices
and materials in their classrooms. The report focused on
children who were enrolled in Head Start, state and locally
funded public prekindergarten classrooms, and private
childcare centers. ("Market Opportunities for PreK
Instructional Materials 2015-2016" Simba Information, 2015)
4)Federal student privacy law. FERPA protects the
confidentiality of school records by prohibiting federal
funding of schools that permit the release of those records.
FERPA's prohibition only applies to the school itself - not
technology vendors - and contains various exemptions allowing
data to be released without the written consent of the
parents.
Since the enactment of FERPA in 1974, educational institutions
have undergone dramatic changes in the way students are
taught. Schools now routinely use computers, the Internet,
and digital resources in a variety of ways to support teaching
and learning. Electronic grade books, digital portfolios,
learning games, and real-time feedback on teacher and student
performance are just a few of the ways technology is now
integrated into classroom learning. More recently, these
changes led California to pass its own student privacy law,
discussed below.
5)California's student privacy law. In 2014, California became
the national leader on student privacy protections with the
unanimous passage of SB 1177 (Steinberg, Chapter 839, Statutes
of 2014)), known SOPIPA. SOPIPA went into effect on January
1, 2016, and mandates privacy and data security requirements
on websites, online services, and mobile apps that are
designed, marketed and used primarily for K-12 students.
�
AB 2799
Page 10
SOPIPA was passed in response to the massive amounts of
sensitive student data that online educational products and
services were collecting about students, including academic
performance, health records, and personal interests. However,
SOPIPA only applies to K-12 students, leaving younger children
in preschool and pre-kindergarten classrooms without the same
privacy protections, despite the fact that many were using
educational technology.
While SOPIPA dealt with the protection of student information
obtained through the use of websites, online services, and
mobile apps by students and teachers, AB 1584 (Buchanan,
Chapter 800, Statutes of 2014) dealt with contracts that local
education agencies enter into with third parties for digital
educational software and services for the digital storage,
management, and retrieval of student records. AB 1584
requires such contracts to contain specified provisions that
prohibit the third party from using information in student
records for any purposes other than those required or
specifically permitted by the contract.
6)ELPIPA in practice. This bill, dubbed the "Early Learning
Personal Information Protection Act," is modeled on SOPIPA and
expands the same privacy and data security requirements that
exist today for K-12 oriented websites, online services, and
mobile apps to those designed primarily for prekindergarten
and preschool pupils.
The major provisions of this bill would:
Prohibit using pupils' personal information for targeted
advertising;
�
AB 2799
Page 11
Prohibit using pupils' personal information for
profiling (except for school purposes);
Prohibit selling pupils' personal information;
Prohibit disclosing pupils' personal information (with
limited exceptions to permit site functionality or as
required by law);
Require reasonable data security for the pupils'
information; and
Require companies to delete pupils' information upon the
school's request.
REGISTERED SUPPORT / OPPOSITION:
Support
Privacy Rights Clearinghouse
Opposition
�
AB 2799
Page 12
None received
Analysis Prepared by:Rick Pratt / ED. / (916) 319-2087