BILL ANALYSIS ��
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 1177|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
UNFINISHED BUSINESS
Bill No: SB 1177
Author: Steinberg (D)
Amended: 8/21/14
Vote: 21
SENATE EDUCATION COMMITTEE : 9-0, 3/26/14
AYES: Liu, Wyland, Block, Correa, Galgiani, Hancock, Hueso,
Huff, Monning
SENATE JUDICIARY COMMITTEE : 7-0, 4/29/14
AYES: Jackson, Anderson, Corbett, Lara, Leno, Monning, Vidak
SENATE FLOOR : 35-0, 5/8/14
AYES: Anderson, Beall, Berryhill, Block, Cannella, Corbett,
Correa, De Le�n, DeSaulnier, Evans, Fuller, Galgiani, Hancock,
Hernandez, Hill, Hueso, Huff, Jackson, Lara, Leno, Lieu, Liu,
Mitchell, Monning, Morrell, Nielsen, Padilla, Pavley, Roth,
Steinberg, Torres, Vidak, Walters, Wolk, Wyland
NO VOTE RECORDED: Calderon, Gaines, Knight, Wright, Yee
ASSEMBLY FLOOR : 79-0, 8/25/14 - See last page for vote
SUBJECT : Student Online Personal Information Protection Act
SOURCE : Author
DIGEST : This bill establishes the Student Online Personal
Information Protection Act (Act) to restrict the use and
disclosure of information about K-12 students.
CONTINUED
�
SB 1177
Page
2
Assembly Amendments make it clear that Operators of the K-12
sites may not target advertising on their K-12 sites and may not
use information, including persistent unique identifiers, that
they obtain on their K-12 site to target advertising on other
on-line sites and services; make it clear that the K-12 site
operators may not amass a profile on K-12 students, except in
furtherance of a K-12 school purpose; allow appropriate
disclosure of student information for operability and
functionality of K-12 sites while maintaining protections on
that student's information; state K-12 online site is prohibited
from sharing student personal information unless the disclosure
is made, as specified; and make other technical and clarifying
changes.
ANALYSIS : Existing law provides that, among other rights, all
people have an inalienable right to pursue and obtain privacy.
Existing law also allows a person to bring an action in tort for
an invasion of privacy and provides that in order to state a
claim for violation of the constitutional right to privacy, the
following three elements must be established:
1.Legally protected privacy interest.
2.Reasonable expectation of privacy in the circumstances.
3.Conduct by the defendant that constitutes a serious invasion
of privacy.
Existing law provides that there is no reasonable expectation of
privacy in information posted on an Internet Web site.
Additionally, federal law requires an operator on an Internet
Web site or online service that has actual knowledge that it is
collecting personal information from a child to provide notice
of what information is being collected and how that information
is being used, and to give the parents of the child the
opportunity to refuse to permit the operator's further
collection of information from the child.
Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously post
its privacy policy.
Existing federal law makes it unlawful for an operator of a Web
CONTINUED
�
SB 1177
Page
3
site or online service directed to children under the age of 13
to collect personal information from a child, including a
child's first and last name, home or other physical address
including street name and name of a city or town, e-mail
address, telephone number, or Social Security number.
The Family Educational Rights and Privacy Act (Act) protects the
privacy of student education records. It applies to all schools
that receive funds under an applicable program of the U.S.
Department of Education. Generally, schools must have written
permission from the parent or eligible student in order to
release any information from a student's education record.
However, the Act allows schools to disclose those records,
without consent, to the following parties or under the following
conditions:
1.School officials with legitimate educational interest.
2.Other schools to which a student is transferring.
3.Specified officials for audit or evaluation purposes.
4.Appropriate parties in connection with financial aid to a
student.
5.Organizations conducting certain studies for or on behalf of
the school.
6.Accrediting organizations.
7.To comply with a judicial order or lawfully issued subpoena.
8.Appropriate officials in cases of health and safety
emergencies.
9.State and local authorities, within a juvenile justice system,
pursuant to specific State law.
Schools may disclose, without consent, "directory" information
such as a student's name, address, telephone number, and date
and place of birth. However, schools must tell parents and
eligible students about directory information and allow them a
reasonable amount of time to request that the school not
disclose such information. Schools must also notify parents and
eligible students annually of their rights under Act.
This bill:
1.Prohibits an operator of an Internet Web site, online service,
online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K-12 school purposes and was designed and
CONTINUED
�
SB 1177
Page
4
marketed for K-12 school purposes (Operator) from knowingly
engaging in any of the following activities:
A. Engaging in targeted advertising on the operator's site,
service, or application; or targeting advertising on any
other site, service, or application when the targeting of
the advertising is based upon any information, including
covered information and persistent unique identifiers, that
the operator has acquired because of the use of that
Operator's site, service, or application;
B. Using information, including persistent unique
identifiers, created or gathered by the operator's site,
service, or application, to amass a profile about a K-12
student except in furtherance of K-12 school purposes;
C. Selling or disclosing a student's information. This
prohibition does not apply to the purchase, merger, or
other type of acquisition of an entity that operates an
Internet Web site, online service, online application, or
mobile application by another entity; and
D. Disclosing covered information, unless the disclosure is
made:
In furtherance of the K-12 purpose of the site,
service, or application;
To ensure legal and regulatory compliance;
To respond to or participate in judicial process;
To protect the safety of users or others or security
of the site; or
To a service provider, provided the service provider
is contractually required to comply with specified
security procedures.
1.Requires the Operator to implement and maintain reasonable
security procedures and practices appropriate to the nature of
the covered information, to protect the personal information
from unauthorized access, destruction, use, modification, or
disclosure.
2.Requires an Operator to delete a student's covered information
if the school or district requests deletion of data under the
control of the school or district. The purpose of this
CONTINUED
�
SB 1177
Page
5
provision is to ensure that the school or district may request
deletion of information and materials that have been provided
to or gathered by the Operator for school purposes. The
school's or district's control of the data covered by this Act
is not affected by the possession of the data by an Operator.
3.Provides that an Operator may disclose covered information of
a student under the following circumstances:
A. If other provisions of federal or state law require the
Operator to disclose the information, and the Operator
complies with the requirements of federal and state law in
protecting and disclosing that information;
B. For legitimate research purposes as required by state
and federal law and subject to the restrictions under state
and federal law or as allowed by state and federal law and
under the direction of a school, school district, or state
department of education, if no covered information is used
for any purpose in furtherance of advertising or to amass a
profile on the student for purposes other than K-12 school
purposes; or
C. To a state or local educational agency as permitted by
state or federal law.
1.Provides than an Operator may use deidentified student covered
information, including aggregated and deidentified student
covered information, as follows:
A. Within the Operator's site, service, or application or
other sites, services, or applications owned by the
Operator to improve educational products, for adaptive
learning purposes, and for customizing student learning;
B. To demonstrate the effectiveness of the Operator's
products, including in their marketing; and
C. To share aggregated deidentified student covered
information for the development and improvement of
educational sites, services, or applications.
1.Defines "online services" to include cloud computing services.
CONTINUED
�
SB 1177
Page
6
2.Defines "covered information" to mean information or materials
in any media or format that meets any of the following:
A. Are created or provided by a student, or the student's
parent or legal guardian, in the course of the student's,
parent's, legal guardian's, use of the site, service, or
application for K-12 school purposes;
B. Are created or provided by an employee or agent of the
educational institution; and
C. Are gathered by the site, service, or application, that
is descriptive of a student or otherwise personally
identifies a student, including, but not limited to,
information in the student's educational record or email,
first and last name, home address, telephone number, email
address, or other information that allows physical or
online contact, discipline records, test results, special
education data, juvenile dependency records, grades,
evaluations, criminal records, medical records, health
records, social security number, biometric information,
disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text
messages, documents, student identifiers, search activity,
photos, voice recordings, or geolocation information.
1.Defines "K-12 school purposes" to mean purposes that
customarily take place at the direction of the school,
teacher, or school district or aid in the administration of
school activities, including, but not limited to, instruction
in the classroom or at home, administrative activities, and
collaboration between students, school personnel, or parents,
or are for the use and benefit of the school.
2.Provides that these requirements shall not be construed to
limit the authority of a law enforcement agency to obtain any
content or information from an operator as authorized by law
or pursuant to an order of a court of competent jurisdiction
or to limit the ability of an Operator to use student data for
adaptive learning or customized student learning purposes.
3. Provides that these requirements do not apply to general
audience Internet Web sites, general audience online
CONTINUED
�
SB 1177
Page
7
services, general audience online applications, or general
audience mobile applications, even if login credentials
created for an Operator's site, service or application may be
used to access those general audience sites, services, or
applications.
4. Provides that these requirements do not limit Internet
service providers from providing Internet connectivity to
schools or students and their families.
5. Clarifies that these requirements shall not be construed to
prohibit an Operator from marketing educational products
directly to parents so long as the marketing was not the
result of student covered information obtained by the
Operator through the provision of services covered under this
section.
6. Provides that this Act does not impose a duty upon a
provider of an electronic store, gateway, marketplace, or
other means of purchasing or downloading software or
applications to review or enforce compliance of this section
on those applications or software.
7. Provides that this Act does not impede the ability of
students to download, export, or otherwise save or maintain
their own student created data or documents.
8. Provides that this Act shall become operative on January 1,
2016, and that its provisions are severable.
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local:
No
SUPPORT : (Verified 8/25/14)
California Federation of Teachers
California State PTA
California Teachers Association
Citizens for Law and Order
Common Sense Media
Crime Victims Action Alliance
K-12 Inc.
Klaas Kids Foundation
McGraw Hill Education
CONTINUED
�
SB 1177
Page
8
Privacy Rights Clearinghouse
Services Employees International Union
ASSEMBLY FLOOR : 79-0, 8/25/14
AYES: Achadjian, Alejo, Allen, Ammiano, Bigelow, Bloom,
Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian
Calderon, Campos, Chau, Ch�vez, Chesbro, Conway, Cooley,
Dababneh, Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox,
Frazier, Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon,
Gorell, Gray, Grove, Hagman, Hall, Harkey, Roger Hern�ndez,
Holden, Jones, Jones-Sawyer, Levine, Linder, Logue, Lowenthal,
Maienschein, Mansoor, Medina, Melendez, Mullin, Muratsuchi,
Nazarian, Nestande, Olsen, Pan, Patterson, Perea, John A.
P�rez, V. Manuel P�rez, Quirk, Quirk-Silva, Rendon,
Ridley-Thomas, Rodriguez, Salas, Skinner, Stone, Ting, Wagner,
Waldron, Weber, Wieckowski, Wilk, Williams, Yamada, Atkins
NO VOTE RECORDED: Vacancy
PQ:nl 8/26/14 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****
CONTINUED