In keeping with its position as the nation’s leader on privacy issues, the state of California recently enacted significant new laws on student privacy and education data. The Student Online Personal Information Protection Act (SOPIPA) sets forth a variety of restrictions on how operators of online services offered in schools can use and disclose student information, and requires operators to implement reasonable security measures to protect student data. A separate law (A.B. 1584) sets forth privacy requirements for providers of digital storage services and educational software used in schools. A final law (A.B. 1442) establishes privacy requirements for companies that collect students’ social media information on behalf of schools. The laws were signed by Governor Jerry Brown on September 29, 2014.
SOPIPA applies to operators of websites, online services, and applications (services) that are designed, marketed, and primarily used for K-12 school purposes. The law prohibits operators from showing any targeted advertising on their own services, or from using any information collected through their services for targeted advertising or marketing. Operators are also prohibited from amassing profiles about students for reasons unrelated to school purposes and from selling student information.
Subject to certain exceptions, SOPIPA prohibits operators from disclosing personally identifiable information that is created or provided by a student, parent, or school employee, or that is gathered by the operator through its service (such as name, email, home address, telephone number, social security numbers, discipline records, test results, grades, medical records, food purchases, political affiliations, religious information, text messages, search activity, photos, voice recordings, or geolocation information). SOPIPA sets forth several exceptions, such as disclosures to schools for K-12 school purposes; disclosures to service providers where a contract provides privacy and security protections; and disclosures for legitimate research purposes (i.e., research required or allowed by law, and conducted by a school, district, or education department).
SOPIPA also requires operators to maintain reasonable security measures and comply with schools’ requests to delete student information.
California’s Education Code generally prohibits school districts from allowing access to student records without parental consent. One exception is for certain contractors that provide educational services or functions. A.B. 1584, which will become part of California’s Education Code, makes clear that school districts are permitted to enter into contracts with third parties for the purpose of providing digital storage services (including cloud-based services) for student records, and for the purpose of providing educational software that uses or accesses student records. Student records are defined broadly to include all information directly related to a student that is maintained by a school, and all information acquired from a student in the course of using educational software assigned by a teacher or school agent.[1]
A.B. 1584 requires that such contracts prohibit third parties from using student records for any purposes besides those permitted in the contract, and that they specifically prohibit third parties from using students’ personally identifiable information to engage in targeted advertising. The contracts also must include descriptions of the third party’s security measures, how it will provide notification in the event of a data breach, and how a parent or student can review and correct personally identifiable information. The contract must prohibit the retention of student records after completion of the contract, unless the student chooses to establish an account with the third party to keep content they create (such as research, essays, and photos). Any contract that fails to include these provisions may be rendered void.
A.B. 1442, which will be incorporated into the California Education Code, applies to third parties who contract with schools to gather social media information on enrolled students. The bill requires that such contracts include provisions prohibiting the third party from using the social media information outside the scope of the contract or selling or sharing the information with anyone but the school, student, or the student’s parent or legal guardian. The contract also must require the third party to destroy the information after the contract is completed, or when a student turns 18 years of age or is no longer enrolled in the school.
Under the bill, social media includes, but is not limited to, electronic “videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet website profiles or locations.” It does not include “electronic service[s] or account[s] used exclusively for educational purposes or primarily to facilitate creation of school-sponsored publications, such as a yearbook or pupil newspaper, under the direction or control of a school, teacher, or yearbook adviser.”[2]
California’s new student privacy laws will have a significant impact on technology companies that provide online services to California’s K-12 schools. A.B. 1442 and A.B. 1584 will govern all covered contracts that come into effect on or after January 1, 2015, while SOPIPA is set to become operative on January 1, 2016. Technology companies that offer educational software, digital storage services, or other services used in California schools should be cognizant of these newly enacted laws. Additionally, it is possible that other states may follow California’s lead and extend the scope of their own education codes. Companies should be aware of this expansion in California’s student privacy laws and ensure that their contracts and privacy practices comport with them.
[1] A.B. 1584, Section 1, Section 49073.1(a)(2).
[2] A.B. 1442, Section 1, Section 49073.6(a)(2).