BILL ANALYSIS ��
SB 1177
Page 1
SENATE THIRD READING
SB 1177 (Steinberg)
As Amended August 4, 2014
Majority vote
SENATE VOTE :35-0
ARTS, ENTERTAINMENT, SPORTS 7-0 EDUCATION
7-0
-----------------------------------------------------------------
|Ayes:|Ian Calderon, Waldron, |Ayes:|Buchanan, Olsen, Ch�vez, |
| |Bloom, Brown, Gomez, | |Gonzalez, Nazarian, |
| |Levine, Wilk | |Weber, Williams |
|-----+--------------------------+-----+--------------------------|
| | | | |
-----------------------------------------------------------------
SUMMARY : Establishes the Student Online Personal Information
Protection Act (Act) to restrict the use and disclosure of
information about K-12 students. Specifically, this bill :
1)Requires an operator of an Internet Web site, online service,
online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K-12 school purposes and was designed and
marketed for K-12 school purposes (Operator) to comply with
all of the following requirements with respect to its site,
service, or application:
a) It shall not use, share, disclose, or compile
information about a K-12 student for any purpose in
furtherance of targeted advertising or to amass a profile
on a student for any purpose other than K-12 school
purposes. This provision shall not prohibit the use of
information for maintaining, developing, or improving the
application of the operator.
b) It shall not sell or disclose a student's information.
This prohibition does not apply to the purchase, merger, or
other type of acquisition of an entity that operates an
Internet Web site, online service, online application, or
mobile application by another entity.
c) It shall implement and maintain reasonable security
procedures and practices appropriate to the nature of the
�
SB 1177
Page 2
information, to protect the personal information from
unauthorized access, destruction, use, modification, or
disclosure.
2)Requires an Operator to delete a student's covered information
if the school or district requests deletion of data under the
control of the school or district.
3)Provides that an Operator may disclose covered information of
a student under the following circumstances:
a) If other provisions of federal or state law require the
Operator to disclose the information, and the Operator
complies with the requirements of federal and state law in
protecting and disclosing that information; or
b) For legitimate research purposes as required by state
and federal law and subject to the restrictions under state
and federal law or as allowed by state and federal law and
under the direction of a school, school district, or state
department of education, if no covered information is used
for any purpose in furtherance of advertising or to amass a
profile on the student for purposes other than K-12 school
purposes.
4)Provides than an Operator may use deidentified student covered
information, including aggregated and deidentified student
covered information, as follows:
a) Within the Operator's site, service, or application or
other sites, services, or applications owned by the
Operator to improve educational products, for adaptive
learning purposes, and for customizing student learning;
b) To demonstrate the effectiveness of the Operator's
products, including in their marketing; and
c) To share aggregated deidentified student covered
information for the development and improvement of
educational sites, services, or applications.
5)Defines "online services" to include cloud computing services.
6)Defines "covered information" to mean information or materials
in any media or format that meets any of the following:
�
SB 1177
Page 3
a) Are created or provided by a student, or the student's
parent or legal guardian, in the course of the student's,
parent's, legal guardian's, use of the site, service, or
application for K-12 school purposes;
b) Are created or provided by an employee or agent of the
educational institution; and
c) Are gathered by the site, service, or application, that
is descriptive of a student or otherwise personally
identifies a student, including, but not limited to,
information in the student's educational record or email,
first and last name, home address, telephone number, email
address, or other information that allows physical or
online contact, discipline records, test results, special
education data, juvenile dependency records, grades,
evaluations, criminal records, medical records, health
records, social security number, biometric information,
disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text
messages, documents, persistent unique identifiers, search
activity, photos, voice recordings, or geolocation
information.
7)Defines "K-12 school purposes" to mean purposes that
customarily take place at the direction of the school,
teacher, or school district or aid in the administration of
school activities, including, but not limited to, instruction
in the classroom or at home, administrative activities, and
collaboration between students, school personnel, or parents,
or are for the use and benefit of the school.
8)Provides that these requirements shall not be construed to
limit the authority of a law enforcement agency to obtain any
content or information from an operator as authorized by law
or pursuant to an order of a court of competent jurisdiction
or to limit the ability of an Operator to use student data for
adaptive learning or customized student learning purposes.
9)Provides that these requirements do not apply to general
audience Internet Web sites, general audience online services,
general audience online applications, or general audience
mobile applications.
10)Provides that these requirements do not limit Internet
service providers from providing Internet connectivity to
�
SB 1177
Page 4
schools or students and their families.
11)Clarifies that these requirements shall not be construed to
prohibit an Operator from marketing educational products
directly to parents so long as the marketing was not the
result of student covered information obtained by the Operator
through the provision of services covered under this section.
12)Provides that this Act does not impose a duty upon a provider
of an electronic store, gateway, marketplace, or other means
of purchasing or downloading software or applications to
review or enforce compliance of this section on those
applications or software.
13)Provides that this Act does not impede the ability of
students to download, export, or otherwise save or maintain
their own student created data or documents.
14)Provides that this Act shall become operative on January 1,
2016, and that its provisions are severable.
EXISTING LAW (both state and federal) provides different levels
of protection for different types of pupil records.
Specifically, existing law:
1)Requires school districts to adopt a policy identifying those
categories of directory information that may be released.
2)Defines "directory information" to mean one or more of the
following items: pupil's name, address, telephone number, date
of birth, email address, major field of study, participation
in officially recognized activities and sports, weight and
height of members of athletic teams, dates of attendance,
degrees and awards received, and the most recent previous
public or private school attended by the pupil.
3)Authorizes school districts to release directory information
without prior parental/guardian consent.
4)Requires an annual notice of the information the district
plans to release and the recipients.
5)Prohibits a district from releasing directory information of a
pupil if that pupil's parent has notified the district that it
shall not be released.
�
SB 1177
Page 5
6)Prohibits the release on non-directory information (such as
disciplinary records, Individualized Education Plans for
special needs pupils, eligibility for free or reduced price
meals, etc.) without prior written parental consent, except
for the following requesters, if they have a legitimate
educational interest:
a) School officials, employees of the district, and members
of a school attendance review board;
b) Officials and employees of other public schools where
the pupil intends to or is enrolled;
c) The Comptroller General of the United States (U.S.), the
U.S. Secretary of Education, state and local educational
authorities, or the U.S. Department of Education's Office
of Civil Rights, if the information is necessary to audit
or evaluate a federally funded program;
d) Other state and local officials if the information is
required to be reported pursuant to state law adopted
before November 19, 1974;
e) Parents of a pupil 18 years of age or older if the pupil
is a dependent;
f) A pupil who is 16 years of age or older or who has
completed 10th grade and a pupil who is 14 years of age or
older who is a homeless or unaccompanied youth;
g) A district attorney conducting a truancy mediation
program or investigating a violation of compulsory
attendance laws;
h) A probation officer, district attorney, or counsel of
record for a minor for purposes of conducting a criminal
investigation or an investigation in regards to declaring a
person a ward of the court or involving a violation of a
condition of probation;
i) A judge or probation officer in relation to a truancy
mediation program;
j) A county placing agency;
�
SB 1177
Page 6
aa) A representative of a child welfare agency;
bb) Appropriate persons in connection with a health or
safety emergency;
cc) Agencies in connection with the application of a pupil
for financial aid;
dd) Accrediting associations; or
ee) A contractor or consultant with a legitimate educational
interest who has a formal written agreement or contract
with the school district regarding the provision of
outsourced institutional services or functions.
7)Prohibits a person, agency, or organization that has been
permitted access to pupil records from permitting access to
any other entity without written parental consent, and
requires them to certify in writing that they will not do so,
except as permitted by the federal Family Educational Rights
and Privacy Act (FERPA).
FISCAL EFFECT : None. This bill is keyed non-fiscal by the
Legislative Counsel.
COMMENTS : FERPA is the primary law that protects the privacy
of pupil records. It applies to all educational institutions
that receive federal funds. In general, state law mirrors
FERPA. However, the privacy protections of FERPA apply only to
information that is contained in records that are maintained by
an education agency. Information that is obtained directly from
a student or teacher (such as information obtained through the
use of an online programs or mobile application) is not
protected by FERPA, even if it is the same information that
would otherwise be protected if it is obtained from school
records.
Need for the bill. The growing use of online educational
programs and mobile applications has led to an increasing flow
of personal information directly from students and teachers to
developers of educational programs and applications, and there
are no restrictions on how this information may be used, other
than restrictions that developers may impose on themselves in
their privacy policies and Terms of Service (TOS). A review of
�
SB 1177
Page 7
several privacy policies revealed the following common features:
1)The company reserves the right to disclose or forward student
information to other companies.
2)The company assumes no responsibility for the mishandling of
information.
3)The company reserves the right to unilaterally change its
privacy policy at any time.
A recent article in Politico (Data Mining Your Children, May 15,
2014) states that "Students shed streams of data about their
academic progress, work habits, learning styles and personal
interests as they navigate educational websites. All that data
has potential commercial value: It could be used to target ads
to the kids and their families, or to build profiles on them
that might be of interest to employers, military recruiters or
college admissions officers." The article points out that,
"Kathleen Styles, the [U.S.] Education Department's chief
privacy officer, acknowledged in an interview that much of
[student information] is likely not protected by FERPA - and
thus can be commercialized by the companies that hold it."
In short, the use of online education programs and mobile
applications has open a back door through which student
information - even information that is otherwise protected by
FERPA - can be freely accessed and used by the company
collecting it. This bill addresses this problem by limiting the
use of personal information that is obtained through this means.
Analysis Prepared by : Rick Pratt / ED. / (916) 319-2087
FN: 0004271