EdLawConnect Blog

SB 1177 Restricts Private Companies from Exploiting Personal Student Information
Under existing law, the federal Family Educational Rights and Privacy Act (“FERPA”) prohibits a person, agency, or organization that has been permitted access to educational records from disclosing information in a student record without parental consent or a judicial order, unless disclosure is expressly authorized by statute. In most respects, California law mirrors FERPA. (See Education Code §§ 49073-49079.7.) In committee hearings on AB 1584 and SB 1177, legislators expressed concern that FERPA’s protections apply only to schools, not to third parties that operate K-12 websites, services, or applications. These gaps mean FERPA cannot be enforced against private businesses that receive FERPA-regulated data.(Sen. Com. on Judiciary, Analysis of Sen. Bill No. 1177 (2013-2014 Reg. Sess.) as amended Apr. 21, 2014.)

SB 1177, the “Student Online Personal Information and Privacy Act,” closes loopholes in state law and FERPA by restricting private companies from exploiting personal student information. The Act prohibits the operator of an Internet website, online service, online application, or mobile application that is used for the K-12 setting from using or disclosing a student’s personal information or “persistent unique identifiers,” acquired through use of the operator’s site, for any unauthorized purpose. (Sen. Bill No. 1177 (2013-2014 Reg. Sess.) as approved Sept. 29, 2014.) For example, when a student uses a third-party K-12 website to log in or create an account as part of his or her schoolwork, that third party cannot compile personal information about the student except for a K-12 school purpose. Online operators are also prohibited from marketing or advertising products or services to a K-12 student who uses the site, service, or application.

The Act is not intended to hamper innovation of technology in the K-12 context. It specifies that operators of K-12 technologies can use “de-identified” student information (information that cannot be used to identify an individual student) to further marketing or improve effectiveness of its educational products.

AB 1584 Focuses Student Privacy Regulation on Third Party Contracts
AB 1584 addresses weaknesses in FERPA by focusing on contracts between school districts and third-party service providers. AB 1584 authorizes school districts to enter into contracts with third parties for the digital storage, management, and retrieval of student records and requires the contracts to include specified provisions about the security, use, ownership, and control of the records.

FERPA’s “studies exception” allows disclosure of educational records to entities conducting studies for the school district. (See also Education Code § 49076(a)(2)(E).) Legislators noted that school districts typically use this exception when contracting with entities for instructional software or programs. (Assem. Com. on Education, Rep. on Assem. Bill No. 1584 (2013-2014 Reg. Sess.) April 9, 2014, p. 4.) AB 1584 requires these contracts to describe specific steps parties will take to ensure compliance with FERPA, and describe the means by which students can retain possession over their own student-generated content (such as essays or account information). It also prohibits third parties from using any information in the student record for advertising.

AB 1442 Protects Student Privacy in Districts Engaged in Social Media Monitoring
AB 1442 addresses the privacy implications of social media monitoring, a function school districts use to address problems of “cyber-bullying” by contracting with a private company to monitor services such as Facebook, Twitter, and Instagram. Social media monitoring involves flagging any words that suggest bullying, abuse, or hate speech circulating among students. (Assem. Com. on Judiciary, Rep. on Assem. Bill No. 1442 (2013-2014 Reg. Sess.) as amended Mar. 25, 2014.) Opportunities for cyber-bullying have increased as students spend more time communicating with each other through mobile devices and social network applications. Despite monitoring’s perceived benefits, personalized student information in the hands of the private monitoring service might be disclosed without the student’s consent or obtained by hackers who gain access to the information.

AB 1442 reflects two points of consensus reached by the Assembly and Senate in earlier hearings related to the general security of digital information: (1) government agencies should collect only as much information as necessary to complete a transaction; and (2) people should know what, when, how, and why their personal data is being collected. AB 1442 requires a school district that gathers from social media and maintains information about a student to: notify parents and provide an opportunity for public comment before adopting such a program; limit the information it collects to that which pertains to student or school safety; and destroy the information when it is no longer needed. AB 1442 also expressly prohibits a private company from selling, sharing, or disclosing the information to any entity other than the school district, the student, or his or her guardian.