BILL ANALYSIS



                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular  Session


          AB 2799 (Chau)
          Version: April 7, 2016
          Hearing Date:  June 14, 2016
          Fiscal: No
          Urgency: No
          ME   


                                        SUBJECT
                                           
           Privacy:  personal information:  preschool and prekindergarten  
                                      purposes

                                      DESCRIPTION  


          This bill creates the Early Learning Privacy Information  
          Protection Act (ELPIPA) to extend all of the protections offered  
          by the Student Online Personal Information Protection Act  
          (SOPIPA) to pupils enrolled in preschools and pre-kindergarten.   
           ELPIPA imposes requirements directly on Websites, online  
          services, and mobile applications that are designed, marketed  
          and used primarily by children enrolled in a preschool or  
          prekindergarten course of instruction.  ELPIPA would protect  
          early learners' privacy by:
                 prohibiting the sale of early learners' personal  
               information by operators of early learning online sites; 
                 prohibiting targeted advertising on early learning  
               online sites; 
                 prohibiting operators of early learning online sites  
               from using information they obtain on the early learning  
               site to target advertising on other sites; 
                 prohibiting operators from amassing a profile about an  
               early learning student except in furtherance of early  
               learning school purposes; 
                 prohibiting disclosure of early learner personal  
               information unless the disclosure is made in furtherance of  
               the early learning purpose; and 
                 requiring early learning online operators to keep the  
               early learner personal information safe and secure.

                                      BACKGROUND  

          The Federal Educational Rights and Privacy Act (FERPA) generally  
          seeks to protect the confidentiality of educational records (and  
          personally identifiable information contained therein) by  
          prohibiting the funding of schools that permit the release of  
          those records in violation of the Act.  (20 U.S.C. Sec.  
          1232g(b)(1).)  FERPA's prohibition only applies to the school  
          itself and contains various exemptions where the data may be  
          released without the written consent of the parents.  

          Since the enactment of FERPA in 1974, educational institutions  
          have undergone dramatic changes in the way that students are  
          taught, including the increased use of technology.  With respect  
          to the use of technology and learning, the Department of  
          Education observes that:

             Schools can use digital resources in a variety of ways to  
             support teaching and learning.  Electronic grade books,  
             digital portfolios, learning games, and real-time feedback  
             on teacher and student performance, are a few ways that  
             technology can be utilized to power learning.  (U.S.  
             Department of Education, Use of Technology in Teaching and  
             Learning  
              [as of June 8, 2016].)

          In response to the increased use of technology in the classroom,  
          the Legislature unanimously passed the Student Online Personal  
          Information Protection Act (SOPIPA) in 2014.  (SB 1177  
          (Steinberg, Ch. 839, Stats. 2014).)  SOPIPA was enacted to  
          protect student personal information by closing loopholes that  
          allowed online companies in the education technology space to  
          profit from student personal information obtained through  
          student, parent, teacher, and administrator use of K-12 online  
          sites.  Although preschools and pre-kindergartens increasingly  
          integrate tablets in the classroom and use cloud-computing  
          services to enrich student education and improve academic  
          operations, early learners are outside of the scope and not  
          protected by SOPIPA.  

          This bill creates the Early Learning Privacy Information  
          Protection Act (ELPIPA) to extend all of the protections offered  
          by SOPIPA to pupils enrolled in preschools and pre-kindergarten.  
            ELPIPA imposes requirements directly on Websites, online  
          services, and mobile applications that are designed, marketed  
          and used primarily by children enrolled in a preschool or  
          prekindergarten course of instruction.  ELPIPA would protect  
          early learners' privacy in this digital age by:
                 prohibiting the sale of early learners' personal  
               information by operators of early learning online sites; 
                 prohibiting targeted advertising on early learning  
               sites; 
                 prohibiting operators of early learning online sites  
               from using information they obtain on the early learning  
               site to target advertising on other sites; 
                 prohibiting operators from amassing a profile about an  
               early learning student except in furtherance of early  
               learning school purposes; 
                 prohibiting disclosure of early learner personal  
               information unless the disclosure is made in furtherance of  
               the early learning purpose; and 
                 requiring these early learning online operators to keep  
               the early learner personal information safe and secure.

                                CHANGES TO EXISTING LAW

          Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)
            
           Existing law  requires an operator of a commercial Web site or  
          online service that collects personally identifiable information  
          through the Internet about individual consumers residing in  
          California who use or visit its Web site to conspicuously post  
          its privacy policy.  (Online Privacy Protection Act of 2003,  
          Bus. & Prof. Code Sec. 22575.)
           
          Existing law, the Student Online Personal Information Protection  
          Act (SOPIPA), provides privacy protections to K-12 students.  
          (Bus. & Prof. Code Sec. 22584.)

           Existing law  defines "operator" as the operator of an Internet  
          Web site, online service, online application, or mobile  
          application with actual knowledge that the site, service, or  
          application is used primarily for K-12 school purposes and was  
          designed and marketed for K-12 school purposes.  (Bus. & Prof.  
          Code Sec. 22584(a).)
           
           Existing law  defines "Covered information" as personally  
          identifiable information or materials, in any media or format  
          that meets any of the following:
                 is created or provided by a student, or the student's  
               parent or legal guardian, to an operator in the course  
               of the student's, parent's, or legal guardian's use of  
               the operator's site, service, or application for K-12  
               school purposes; 
                 is created or provided by an employee or agent of the  
               K-12 school, school district, local education agency, or  
               county office of education, to an operator; or 
                 is gathered by an operator through the operation of  
               their site, service, or application and is descriptive  
               of a student or otherwise identifies a student,  
               including, but not limited to, information in the  
               student's educational record or email, first and last  
               name, home address, telephone number, email address, or  
               other information that allows physical or online  
               contact, discipline records, test results, special  
               education data, juvenile dependency records, grades,  
               evaluations, criminal records, medical records, health  
               records, social security number, biometric information,  
               disabilities, socioeconomic information, food purchases,  
               political affiliations, religious information, text  
               messages, documents, student identifiers, search  
               activity, photos, voice recordings, or geolocation  
               information.  (Bus. & Prof. Code Sec. 22584(i) (1)-(3).)

           Existing law  specifies that:
                 "Online service" includes cloud computing services, and  
               are within the scope of SOPIPA  if they otherwise meet the  
               definition of operator.  (Bus. & Prof. Code Sec. 22584(h).)
                 "K-12 school purposes" means purposes that customarily  
               take place at the direction of the K-12 school, teacher, or  
               school district or aid in the administration of school  
               activities, including, but not limited to, instruction in  
               the classroom or at home, administrative activities, and  
               collaboration between students, school personnel, or  
               parents, or are for the use and benefit of the school.   
               (Bus. & Prof. Code Sec. 22584(j).)
           Existing law  provides that an operator shall not knowingly  
          engage in any of the following activities with respect to their  
          site, service, or application:
                 engage in targeted advertising on the operator's site,  
               service, or application, or target advertising on any other  
               site, service, or application when the targeting of the  
               advertising is based upon any information, including  
               covered information and persistent unique identifiers, that  
               the operator has acquired because of the use of that  
               operator's site, service, or application where the operator  
               had actual knowledge that it is used primarily for K-12  
               school purposes and was designed and marketed for K-12  
               school purposes;
                 use information, including persistent unique  
               identifiers, created or gathered by the operator's site,  
               service, or application, to amass a profile about a K-12  
               student except in furtherance of K-12 school purposes; or
                 sell a student's information, including covered  
               information.  (Bus. & Prof. Code Sec. 22584(b) (1)-(3).)

           Existing law  provides that an operator shall not, with respect  
          to their site, service, or application, knowingly disclose  
          covered information unless the disclosure is made:
                 in furtherance of the K-12 purpose of the site, service,  
               or application, provided the recipient of the covered  
               information disclosed shall not further disclose the  
               information unless done to allow or improve operability and  
               functionality within that student's classroom or school and  
               is legally required to comply with encryption, deletion,  
               and security protocols; 
                 to ensure legal and regulatory compliance;
                 to respond to or participate in judicial process;
                 to protect the safety of users or others or security of  
               the site; or
                 to a service provider, provided the operator  
               contractually prohibits the service provider from using any  
               covered information for any purpose other than providing  
               the contracted service to, or on behalf of, the operator,  
               and prohibits the service provider from disclosing any  
               covered information provided by the operator with  
               subsequent third parties, and requires the service provider  
               to implement and maintain reasonable security procedures  
               and practices as specified.  (Bus. & Prof. Code Sec.  
               22584(b)(4)).

           Existing law  provides that SOPIPA's prohibitions shall not be  
          construed to prohibit the operator's use of information for  
          maintaining, developing, supporting, improving, or diagnosing  
          the operator's site, service, or application. (Bus. & Prof. Code  
          Sec. 22584(c).)











           Existing law  requires an operator to:
                 implement and maintain reasonable security procedures  
               and practices appropriate to the nature of the covered  
               information, and protect that information from unauthorized  
               access, destruction, use, modification, or disclosure; and


                 delete a student's covered information if the school or  
               district requests deletion of data under the control of the  
               school or district.  (Bus. & Prof. Code Sec. 22584(d)  
               (1)-(2).)

           Existing law  allows for disclosure of covered information of a  
          student, as specified, and under the following circumstances:  
                 if other provisions of federal or state law require the  
               operator to disclose the information, and the operator  
               complies with the requirements of federal and state law in  
               protecting and disclosing that information;
                 for legitimate research purposes as required by state or  
               federal law and subject to the restrictions under  
               applicable state and federal law or as allowed by state or  
               federal law and under the direction of a school, school  
               district, or state department of education, if no covered  
               information is used for any purpose in furtherance of  
               advertising or to amass a profile on the student for  
               purposes other than K-12 school purposes; or
                 to a state or local educational agency, including  
               schools and school districts, for K-12 school purposes, as  
               permitted by state or federal law.  (Bus. & Prof. Code Sec.  
               22584(e)).

           Existing law  specifies that SOPIPA:
                 does not prohibit an operator from using deidentified  
               student covered information within the operator's site,  
               service, or application or other sites, services, or  
               applications owned by the operator to improve educational  
               products or to demonstrate the effectiveness of the  
               operator's products or services, including in their  
               marketing; and 
                 does not prohibit an operator from sharing aggregated  
               deidentified student covered information for the  
               development and improvement of educational sites, services,  
               or applications.  (Bus. & Prof. Code Sec. 22584(f) & (g).)











          Existing law  specifies that SOPIPA:
                 shall not be construed to limit the authority of a law  
               enforcement agency to obtain any content or information  
               from an operator as authorized by law or pursuant to an  
               order of a court of competent jurisdiction;
                 does not limit the ability of an operator to use student  
               data, including covered information, for adaptive learning  
               or customized student learning purposes;
                 does not apply to general audience Internet Web sites,  
               general audience online services, general audience online  
               applications, or general audience mobile applications, even  
               if login credentials created for an operator's site,  
               service, or application may be used to access those general  
               audience sites, services, or applications;
                 does not limit Internet service providers from providing  
               Internet connectivity to schools or students and their  
               families;
                 does not prohibit an operator of an Internet Web site,  
               online service, online application, or mobile application  
               from marketing educational products directly to parents so  
               long as the marketing did not result from the use of  
               covered information obtained by the operator through the  
               provision of services covered under this section;
                 does not impose a duty upon a provider of an electronic  
               store, gateway, marketplace, or other means of purchasing  
               or downloading software or applications to review or  
               enforce compliance of this section on those applications or  
               software;
                 does not impose a duty upon a provider of an interactive  
               computer service, as defined in Section 230 of Title 47 of  
               the United States Code, to review or enforce compliance  
               with this section by third-party content providers; and 
                 does not impede the ability of students to download,  
               export, or otherwise save or maintain their own student  
               created data or documents.  (Bus. & Prof. Code Sec. 22584  
               (k)-(r).)
          
           This bill  creates the Early Learning Privacy Information  
          Protection Act (ELPIPA) providing pre-kindergarten and  
          pre-school students with the exact protections afforded to K-12  
          students by the Student Online Personal Information Protection  
          Act (SOPIPA) (detailed above).  











                                        COMMENT
           
        1.  Stated Need for the bill  :


          According to the author:



             Technology is an integral part of learning for today's kids,  
             even the youngest among them. Preschools and  
             pre-kindergartens increasingly integrate tablets in the  
             classroom and use cloud-computing services to enrich student  
             education and improve academic operations.  In a recent  
             survey, 65% of preschool educators report using digital  
             devices and materials in their classrooms.

              

             While young children can benefit from guided early online  
             learning, more needs to be done to ensure the safety of their  
             private information. Online services, websites, apps, and  
             digital platforms collect a wealth of personal data that is  
             vulnerable to exploitation.  The recent Vtech data breach,  
             which exposed the personal information of nearly 6.4 million  
             children, is just one example that shows the necessity of  
             protecting kids' private information as they engage with  
             education technology.

              

             California became the national leader on student privacy  
             protections with the unanimous passage of SB 1177  
             (Steinberg), known as the Student Online Personal Information  
             Protection Act (SOPIPA), in 2014.  This law, which went into  
             effect on January 1, 2016, ensures the privacy and security  
             of personal and academic data in 21st century K-12  
             classrooms.

              

             SOPIPA was passed in response to the massive amounts of  
             sensitive student data that online services could collect -  
             including academic performance, health records, and more -  
             without clearly limiting the use of that data for educational  
             purposes. 

              

             Preschools and pre-kindergartens should be safe-havens for  
             learning and benefit from the same privacy protections for  
             children as California's K-12 schools.



          2.     ELPIPA extends protections in SOPIPA to pre-school  
          students 



          California became the national leader on student privacy when it  
          unanimously passed the Student Online Personal Information  
          Protection Act (SOPIPA).   (SB 1177 (Steinberg, Ch. 839, Stats.  
          2014).)  SOPIPA was California's response to reports regarding  
          uses of student information and the inadequacies of state and  
          federal law in protecting student personal information.<1>  


          ---------------------------
          <1> Fordham Law School Center for Law and Information Policy  
          Report, Privacy and Cloud Computing in Public Schools (Dec. 13,  
          2013); Stephanie Simon, Politico, Data Mining Your Children (May  
          15, 2014); Paul Schwartz, The Battle for Leadership in Education  
          Privacy Law:  Will California Seize the Throne? (March 27,  
          2014); Benjamin Herold, Education Week, Google Under Fire for  
          Data-Mining Student Email Messages (March 26, 2014); Los Angeles  
          Times Editorial Board, U.S. Needs To Add Student Online Privacy  
          Rules: A Bill By State Sen. Darrell Steinberg Would Ban Private  
          Firms Contracting With Public Schools From Selling California  
          Student's Records (March 5, 2014); The Sacramento Bee Editorial  
          Board, State Should Not Wait For Congress to Protect Kids'  
          Privacy (March 3, 2014); Natasha Singer, The New York Times,  
          Scrutiny in California For Software In Schools (Feb. 20, 2014).

          While the Family Educational Rights and Privacy Act (FERPA) (20  
          U.S.C. Sec. 1232g(b)(1)) generally protects personally  
          identifiable information from unauthorized disclosure, that  
          provision applies only to schools, not to third parties who  
          operate early education through 12th grade Web sites, services,  
          or applications.  Furthermore, an article by Paul Schwartz and  
          Daniel Solove, entitled, The Battle for Leadership in Education  
          Privacy Law: Will California Seize the Throne? observed:

            There are notable gaps in FERPA that make it largely  
            ineffective in protecting student privacy in today's digital  
            age.  For example, FERPA lacks meaningful enforcement.   
            Students and their parents have no right to sue for FERPA  
            violations.  Only the Department of Education can enforce  
            the law.  FERPA only allows one sanction -- the removal of  
            all federal funding for an educational institution.  This  
            sanction is so impractical and severe that the Department  
            has never used it in FERPA's four-decade history.  Thus,  
            enforcement of the statute is essentially nonexistent.

            Moreover, FERPA enforcement only applies to schools.  Unlike  
            HIPAA, which gives the Department of Health and Human  
            Services (HHS) the authority to enforce against nearly all  
            entities that receive HIPAA-regulated information, the  
            Department of Education lacks similar authority.  The  
            Department of Education is unable to enforce against  
            businesses that are not schools, but that receive  
            FERPA-regulated data.

            FERPA also says little about selecting a cloud provider or  
            about the responsibilities of such an entity. . . .  FERPA  
            [also] does not have much more to say about the  
            responsibilities of a cloud computing provider.  In fact, it  
            contains a potentially broad loophole.  If a school  
            discloses education records for outsourcing its functions,  
            the FERPA Regulations allow the school to designate the  
            cloud computing provider as a "school official" in order to  
            facilitate the sharing.   When a school shares student data  
            with a cloud service provider, the duties of the provider to  
            protect the data are governed by the contract into which the  
            school and the provider enter.  (Paul Schwartz, Daniel  
            Solove, SafeGov, The Battle for Leadership in Education  
            Privacy Law: Will California Seize the Throne? (Mar. 27,  
            2014)  
              
            [as of June 4, 2016].) 


          Moreover, FERPA "did not anticipate the explosion in online  
          learning.  Students shed streams of data about their academic  
          progress, work habits, learning styles and personal interests as  
          they navigate educational Websites.  All that data has potential  
          commercial value:  It could be used to target ads to the kids  
          and their families, or to build profiles on them ..." (Stephanie  
          Simon, Politico, Data Mining Your Children (May 15, 2014).)  

           

          Prior to SOPIPA, online companies in the K-12 education  
          technology space could collect and sell student personal  
          information obtained through student, parent, and teacher use of  
          the online sites used for K-12 school purposes.  Because SOPIPA  
          only covers the K-12 online space, online companies in the early  
          learning education technology space can collect and sell student  
          personal information obtained through student, parent, and  
          teacher use of online sites used for early learning purposes.   
          The misuse of student personal information that could legally  
          take place in the K-12 space before SOPIPA took effect on  
          January 1, 2016 can currently take place in the early education  
          space.  Accordingly, this bill creates the Early Learning  
          Privacy Information Protection Act (ELPIPA) to extend all of the  
          protections offered by SOPIPA to pupils enrolled in preschools  
          and pre-kindergarten.   ELPIPA imposes requirements directly on  
          Websites, online services, and mobile applications that are  
          designed, marketed and used primarily by children enrolled in a  
          preschool or prekindergarten course of instruction.  ELPIPA  
          would protect early learners' privacy in this digital age by:
                 prohibiting the sale of early learners' personal  
               information by operators of early learning online sites; 
                 prohibiting targeted advertising on early learning  
               sites; 
                 prohibiting operators of early learning online sites  
               from using information they obtain on the early learning  
               site to target advertising on other sites; 
                 prohibiting operators from amassing a profile about an  
               early learning student except in furtherance of early  
               learning school purposes; 
                 prohibiting disclosure of early learner personal  
               information unless the disclosure is made in furtherance of  
               the early learning purpose; and 
                 requiring these early learning online operators to keep  
               the early learner personal information safe and secure.












          3.    Conforming Amendments  

          The author proposes the following technical amendments to  
          conform ELPIPA to SOPIPA:

             On page 3, in line 4, strike out "if" and insert:  "when"

             On page 3, in line 22, strike out "Is prohibited from  
             further disclosure of" and insert:  "Shall not further  
             disclose"

             On page 3, in line 26, after "Is" insert:  "legally"

             On page 3, in line 26, strike out "(d)." and insert:   
             "(d);"

             On page 3, in line 27, strike out "compliance." and  
             insert:  "compliance;"

             On page 3, in line 28, strike out "process." and insert:   
             "process;"

             On page 3, in line 29, strike out "others, or the" and  
             insert:  "others or security of the site; or"

             On page 3, in line 31, strike out "if" and insert:   
             "provided"

             On page 3, in line 35, strike out "to" and insert:  "by"

             On page 4, in line 10, strike out the first "the"

             On page 4, in line 13, strike out "pupil if" and insert:   
             "pupil, as long as"

             On page 4, in line 14, strike out "violated" and insert:   
             "violated,"

             On page 4, in line 20, after "For" insert:  "legitimate"

             On page 4, in line 20, strike out "purposes" and insert:   
             "purposes:"











             On page 4, in line 21, strike out "or" and insert:  "and"

             On page 4, in line 26, strike out "of" and insert:  "on"

             On page 4, in line 38, after "including" insert:  "in"
             On page 4, in line 40, after "deidentified" insert:   
             "pupil"

             On page 4, in line 40, strike out "of a pupil" 

             On page 5, in line 4, strike out "it" and insert:  "they"

             On page 5, in line 4, strike out "meets" and insert:   
             "meet"

             On page 5, in line 16, strike out the second "the" and  
             insert:  "a"

             On page 5, in line 35, strike out "classroom," and insert:  
              "classroom"

             On page 6, in line 6, strike out "pupil's educational" and  
             insert:  "pupil"

             On page 6, in line 9, strike out "site," and insert:   
             "sites," 

             On page 6, in line 22, strike out "by" and insert:   
             "under"   


           Support  :  California State PTA; California School Boards  
          Association; Los Angeles Unified School District; Privacy Rights  
          Clearinghouse

           Opposition  :  None Known

                                        HISTORY
           
           Source  :  Common Sense Kids Action

           Related Pending Legislation  :  None Known

           Prior Legislation  :











          SB 1177 (Steinberg, Ch. 839, Stats. 2014) See background.

          SB 568 (Steinberg, Ch. 336, Stats. 2013) prohibited an operator  
          of an Internet Web site, online service, online application, or  
          mobile application, as specified, from marketing or advertising  
          specified types of products or services to a minor; prohibited  
          an operator from knowingly using, disclosing, compiling, or  
          allowing a third party to use, disclose, or compile, the  
          personal information of a minor for the purpose of marketing or  
          advertising specified types of products or services; required  
          the operator of an Internet Web site, online service, online  
          application, or mobile application to permit a minor, who is a  
          registered user of the operator's Internet Web site, online  
          service, online application, or mobile application, to remove,  
          or to request and obtain removal of, content or information  
          posted on the operator's Internet Web site, service, or  
          application by the minor, as specified.
           Prior Vote  :

          Assembly Floor (Ayes 78, Noes 0)
          Assembly Education Committee (Ayes 7, Noes 0)
          Assembly Privacy and Consumer Protection Committee (Ayes 10,  
          Noes 0)
