BILL ANALYSIS �Ó
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | AB 2799|
|Office of Senate Floor Analyses | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: AB 2799
Author: Chau (D)
Amended: 6/21/16 in Senate
Vote: 21
SENATE JUDICIARY COMMITTEE: 7-0, 6/14/16
AYES: Jackson, Moorlach, Anderson, Hertzberg, Leno, Monning,
Wieckowski
ASSEMBLY FLOOR: 78-0, 5/12/16 (Consent) - See last page for
vote
SUBJECT: Privacy: personal information: preschool and
prekindergarten purposes
SOURCE: Common Sense Kids Action
DIGEST: This bill creates the Early Learning Privacy
Information Protection Act (ELPIPA) to extend all of the
protections offered by the Student Online Personal Information
Protection Act (SOPIPA) to pupils enrolled in preschools and
pre-kindergarten. Provides that ELPIPA impose requirements
directly on Web sites, online services, and mobile applications
that are designed, marketed and used primarily by children
enrolled in a preschool or prekindergarten course of
instruction.
ANALYSIS:
Existing law:
�
AB 2799
Page 2
1) Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy.
2) Requires an operator of a commercial Web site or online
service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously
post its privacy policy.
3) Specifies that SOPIPA provides privacy protections to K-12
students.
4) Defines "operator" as the operator of an Internet Web site,
online service, online application, or mobile application
with actual knowledge that the site, service, or application
is used primarily for K-12 school purposes and was designed
and marketed for K-12 school purposes.
5) Defines "Covered information" as personally identifiable
information or materials, in any media or format that meets
any of the following:
Is created or provided by a student, or the student's
parent or legal guardian, to an operator in the course of
the student's, parent's, or legal guardian's use of the
operator's site, service, or application for K-12 school
purposes;
Is created or provided by an employee or agent of the
K-12 school, school district, local education agency, or
county office of education, to an operator; or
Is gathered by an operator through the operation of
their site, service, or application and is descriptive of a
�
AB 2799
Page 3
student or otherwise identifies a student, including, but
not limited to, information in the student's educational
record or email, first and last name, home address,
telephone number, email address, or other information that
allows physical or online contact, discipline records, test
results, special education data, juvenile dependency
records, grades, evaluations, criminal records, medical
records, health records, social security number, biometric
information, disabilities, socioeconomic information, food
purchases, political affiliations, religious information,
text messages, documents, student identifiers, search
activity, photos, voice recordings, or geolocation
information.
1) Specifies that:
"Online service" includes cloud computing services, and
are within the scope of SOPIPA if they otherwise meet the
definition of operator.
"K-12 school purposes" means purposes that customarily
take place at the direction of the K-12 school, teacher, or
school district or aid in the administration of school
activities, including, but not limited to, instruction in
the classroom or at home, administrative activities, and
collaboration between students, school personnel, or
parents, or are for the use and benefit of the school.
1) Provides that an operator shall not knowingly engage in any
of the following activities with respect to their site,
service, or application:
Engage in targeted advertising on the operator's site,
service, or application, or target advertising on any other
site, service, or application when the targeting of the
advertising is based upon any information, including
covered information and persistent unique identifiers, that
�
AB 2799
Page 4
the operator has acquired because of the use of that
operator's site, service, or application where the operator
had actual knowledge that it is used primarily for K-12
school purposes and was designed and marketed for K-12
school purposes;
Use information, including persistent unique
identifiers, created or gathered by the operator's site,
service, or application, to amass a profile about a K-12
student except in furtherance of K-12 school purposes; or
Sell a student's information, including covered
information.
1) Provides that an operator shall not, with respect to their
site, service, or application, knowingly disclose covered
information unless the disclosure is made:
In furtherance of the K-12 purpose of the site, service,
or application, provided the recipient of the covered
information disclosed shall not further disclose the
information unless done to allow or improve operability and
functionality within that student's classroom or school and
is legally required to comply with encryption, deletion,
and security protocols;
To ensure legal and regulatory compliance;
To respond to or participate in judicial process;
To protect the safety of users or others or security of
the site; or
To a service provider, provided the operator
�
AB 2799
Page 5
contractually prohibits the service provider from using any
covered information for any purpose other than providing
the contracted service to, or on behalf of, the operator,
and prohibits the service provider from disclosing any
covered information provided by the operator with
subsequent third parties, and requires the service provider
to implement and maintain reasonable security procedures
and practices, as specified.
1) Provides that SOPIPA's prohibitions shall not be construed
to prohibit the operator's use of information for
maintaining, developing, supporting, improving, or diagnosing
the operator's site, service, or application.
2) Requires an operator to:
Implement and maintain reasonable security procedures
and practices appropriate to the nature of the covered
information, and protect that information from unauthorized
access, destruction, use, modification, or disclosure; and
Delete a student's covered information if the school or
district requests deletion of data under the control of the
school or district.
1) Allows for disclosure of covered information of a student,
as specified, and under the following circumstances:
If other provisions of federal or state law require the
operator to disclose the information, and the operator
complies with the requirements of federal and state law in
protecting and disclosing that information;
For legitimate research purposes as required by state or
federal law and subject to the restrictions under
�
AB 2799
Page 6
applicable state and federal law or as allowed by state or
federal law and under the direction of a school, school
district, or state department of education, if no covered
information is used for any purpose in furtherance of
advertising or to amass a profile on the student for
purposes other than K-12 school purposes; or
To a state or local educational agency, including
schools and school districts, for K-12 school purposes, as
permitted by state or federal law.
1) Specifies that SOPIPA:
Does not prohibit an operator from using deidentified
student covered information within the operator's site,
service, or application or other sites, services, or
applications owned by the operator to improve educational
products or to demonstrate the effectiveness of the
operator's products or services, including in their
marketing; and
Does not prohibit an operator from sharing aggregated
deidentified student covered information for the
development and improvement of educational sites, services,
or applications.
Shall not be construed to limit the authority of a law
enforcement agency to obtain any content or information
from an operator as authorized by law or pursuant to an
order of a court of competent jurisdiction;
Does not limit the ability of an operator to use student
data, including covered information, for adaptive learning
or customized student learning purposes;
�
AB 2799
Page 7
Does not apply to general audience Internet Web sites,
general audience online services, general audience online
applications, or general audience mobile applications, even
if login credentials created for an operator's site,
service, or application may be used to access those general
audience sites, services, or applications;
Does not limit Internet service providers from providing
Internet connectivity to schools or students and their
families;
Does not prohibit an operator of an Internet Web site,
online service, online application, or mobile application
from marketing educational products directly to parents so
long as the marketing did not result from the use of
covered information obtained by the operator through the
provision of services covered under this section;
Does not impose a duty upon a provider of an electronic
store, gateway, marketplace, or other means of purchasing
or downloading software or applications to review or
enforce compliance of this section on those applications or
software;
Does not impose a duty upon a provider of an interactive
computer service, as defined in Section 230 of Title 47 of
the United States Code, to review or enforce compliance
with this section by third-party content providers; and
Does not impede the ability of students to download,
export, or otherwise save or maintain their own student
created data or documents. (Bus. & Prof. Code Sec. 22584
(k)-(r).)
This bill creates ELPIPA providing pre-kindergarten and
pre-school students with the exact protections afforded to K-12
�
AB 2799
Page 8
students by SOPIPA (detailed above). ELPIPA protects early
learners' privacy by:
1)Prohibiting the sale of early learners' personal information
by operators of early learning online sites;
2)Prohibiting targeted advertising on early learning online
sites;
3)Prohibiting operators of early learning online sites from
using information they obtain on the early learning site to
target advertising on other sites;
4)Prohibiting operators from amassing a profile about an early
learning student except in furtherance of early learning
school purposes;
5)Prohibiting disclosure of early learner personal information
unless the disclosure is made in furtherance of the early
learning purpose; and
6)Requiring early learning online operators to keep the early
learner personal information safe and secure.
Background
The Federal Educational Rights and Privacy Act (FERPA) generally
seeks to protect the confidentiality of educational records (and
personally identifiable information contained therein) by
prohibiting the funding of schools that permit the release of
those records in violation of the Act. (20 U.S.C. Sec.
1232g(b)(1).) FERPA's prohibition only applies to the school
itself and contains various exemptions where the data may be
released without the written consent of the parents.
�
AB 2799
Page 9
Since the enactment of FERPA in 1974, educational institutions
have undergone dramatic changes in the way that students are
taught, including the increased use of technology. With respect
to the use of technology and learning, the Department of
Education observes that:
Schools can use digital resources in a variety of ways to
support teaching and learning. Electronic grade books,
digital portfolios, learning games, and real-time feedback on
teacher and student performance, are a few ways that
technology can be utilized to power learning. (U.S.
Department of Education, Use of Technology in Teaching and
Learning
Page 10
operators of early learning online sites; (2) prohibiting
targeted advertising on early learning sites; (3) prohibiting
operators of early learning online sites from using information
they obtain on the early learning site to target advertising on
other sites; (4) prohibiting operators from amassing a profile
about an early learning student except in furtherance of early
learning school purposes; (5) prohibiting disclosure of early
learner personal information unless the disclosure is made in
furtherance of the early learning purpose; and (6) requiring
these early learning online operators to keep the early learner
personal information safe and secure.
Comments
The author writes:
Technology is an integral part of learning for today's kids,
even the youngest among them. Preschools and pre-kindergartens
increasingly integrate tablets in the classroom and use
cloud-computing services to enrich student education and
improve academic operations. In a recent survey, 65% of
preschool educators report using digital devices and materials
in their classrooms.
While young children can benefit from guided early online
learning, more needs to be done to ensure the safety of their
private information. Online services, websites, apps, and
digital platforms collect a wealth of personal data that is
vulnerable to exploitation. The recent Vtech data breach,
which exposed the personal information of nearly 6.4 million
children, is just one example that shows the necessity of
protecting kids' private information as they engage with
education technology.
California became the national leader on student privacy
protections with the unanimous passage of SB 1177 (Steinberg),
known as the Student Online Personal Information Protection
�
AB 2799
Page 11
Act (SOPIPA), in 2014. This law, which went into effect on
January 1, 2016, ensures the privacy and security of personal
and academic data in 21st century K-12 classrooms.
SOPIPA was passed in response to the massive amounts of
sensitive student data that online services could collect -
including academic performance, health records, and more -
without clearly limiting the use of that data for educational
purposes.
Preschools and pre-kindergartens should be safe-havens for
learning and benefit from the same privacy protections for
children as California's K-12 schools.
FISCAL EFFECT: Appropriation: No Fiscal
Com.:NoLocal: No
SUPPORT: (Verified6/14/16)
Common Sense Kids Action (source)
California State PTA
California School Boards Association
Los Angeles Unified School District
Privacy Rights Clearinghouse
OPPOSITION: (Verified6/22/16)
None received
ASSEMBLY FLOOR: 78-0, 5/12/16
�
AB 2799
Page 12
AYES: Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,
Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Calderon,
Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley, Cooper,
Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth Gaines,
Gallagher, Cristina Garcia, Eduardo Garcia, Gatto, Gipson,
Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper, Roger
Hernández, Holden, Irwin, Jones, Kim, Lackey, Levine, Linder,
Lopez, Low, Maienschein, Mathis, Mayes, McCarty, Medina,
Melendez, Mullin, Nazarian, Obernolte, O'Donnell, Olsen,
Patterson, Quirk, Ridley-Thomas, Rodriguez, Salas, Santiago,
Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber,
Wilk, Williams, Wood, Rendon
NO VOTE RECORDED: Burke, Jones-Sawyer
Prepared by: Margie Estrada / JUD. / (916) 651-4113
8/15/16 10:07:45
**** END ****