Senate President Pro Tem Darrell Steinberg introduced the Student Online Personal Information Protection Act on Thursday, Feb. 20, to hold private companies accountable for how they handle K-12 student data. Currently, federal and state laws place the responsibility on schools to protect personal information including phone numbers, emails and addresses.
SB 1177 would allow operators of websites, online services, online applications or mobile applications to use student data strictly for school purposes. They couldn't use, share, disclose or compile personal information about students for commercial purposes, including advertising and profiling. They also couldn't advertise a product to a student on their site.
Companies would need to encrypt information used for educational purposes. In addition, once a class no longer uses the site, companies must delete students' personal information.
"What Sen. Steinberg's bill does is it requires that the private online companies maintain this information in a safe way through encryption and also keep it to themselves and not share it and not use it for any secondary purposes," said Margie Estrada, policy consultant for Steinberg.
If this bill becomes law, companies that violate it could open themselves up to legal action. School districts or citizens could ask the courts for an order to stop companies from misusing data. They could also make a case against companies in court based on Section 17.200 of the California business and professions code, which deals with unfair competition.
The problem with data
This legislation addresses a major public concern about student data privacy. With the proliferation of educational sites, services and applications online, teachers sometimes sign up their students for one-off sites that collect personal information. In these cases, the use of that personal information is only governed by the company's privacy policy, which can change at any time.This situation cuts schools out of the picture because the service is not going through the normal contracting process, and therefore it falls outside the federal Family Educational Rights and Privacy Act, Estrada said. That leaves companies the opportunity to do what they want with the data.
And in some cases they ask students unrelated questions, sell their information to third-party advertisers and expose information online. For example, students are sometimes asked how many bedrooms are in their house and who they live with, Estrada said.
The data privacy standards outlined in the bill could have been helpful in a recent incident involving a vendor for Loudoun County Public Schools in Ashburn, Va. In January, Leesburg Today reported a data breach of thousands of documents containing school emergency management plans and student and staff information. The vendor, Risk Solutions International, posted these documents on a webpage that was supposed to be password protected, but it wasn't. In addition, the data wasn't encrypted, so anyone could see it.
"Technology's just booming in this area, and we're trying also to get ahead of a problem," Estrada said.
This bill is an extension of Steinberg's efforts to protect minors when they're online. Last year, SB 568 was signed into law, which requires Internet companies to allow minors to delete anything they post online and prohibits companies from marketing products and services to minors that they can't legally purchase, including alcohol, tobacco and diet pills.
Nationally, Sen. Edward J. Markey of Massachusetts is also preparing to introduce legislation that would protect student data when it's shared with private companies. If this issue is taken care of at the federal level, then states wouldn't have to pass individual laws governing student data privacy.
Student Online Personal Information Protection Act