CALIFORNIA, U.S. NEEDS TO ADD TO STUDENT ONLINE PRIVACY RULES

SB 1177, The Student Online Personal Information Protection Act  - a bill by state Sen. Darrell Steinberg would ban private firms contracting with public schools from selling California student's records.

Editorial By The LA Times editorial board| http://lat.ms/1gaaRfQ

State Senate leader Darrell Steinberg (D-Sacramento) has introduced a bill that would help close a loophole in federal regulations -- at least in California -- in an effort to safeguard personal information of public school students. (John Konstantaras / Associated Press / March 1, 2014

March 5, 2014  ::  As more of our children's education moves online, there are increased opportunities for abusing the collection of their personal data. Last month, state Senate leader Darrell Steinberg (D-Sacramento) introduced a bill that would help close a loophole in federal regulations — at least in California — in an effort to safeguard personal information of public school students. The potential privacy violations could be significant, and it makes sense for the Legislature to act now.

Under the federal Family and Educational Rights Protection Act, schools that receive federal funding are rightly barred from making disclosures about students' education records without permission. But schools and their direct employees are not the only ones with access to such records. These days, private contractors play an enhanced role in teaching, through online math and language-training games and other Web-based programs. To be effective, they often need to track performance by individual students. Many require students to create a personal online profile, and the resulting data caches often are stored off-site, out of the schools' direct control.

Schools are supposed to be in charge of what private contractors do with student records, but there is significant confusion over what information and which contractors are affected by the law. In response, the U.S. Department of Education last week released new guidelines directing schools to review contracts on a case-by-case basis. Yet there is a general sense that many schools are ill-equipped to police their contractors or those firms' subcontractors.

And that's where the loophole comes in. According to the children's advocacy group Common Sense Media, few mechanisms exist to preclude contractors or subcontractors from compiling students' personal data and selling it to other businesses without the knowledge of the students, their parents or the schools that hired them. Yes, there should be school oversight, but that's not enough. The Steinberg bill would bar contractors from sharing student data, placing the responsibility for complying with the contractors themselves, where it belongs. Experts say most such firms have privacy policies in place, but formalizing their responsibility is a sensible step.

Note, though, that this fix applies only to California. The federal government — either Congress or a regulatory agency such as the Federal Trade Commission — needs to address this issue as well. The online world is fast-evolving, and government tends to be slow to respond. But protecting the privacy rights of children should be a high priority.

 

 

CALIFORNIA LEGISLATURE— 2013–2014 REGULAR SESSION Senate Bill No. 1177 Introduced by Senator Steinberg                                                                                            February 20, 2014 An act to add Chapter 22.2 (commencing with Section 22584) to Division 8 of the Business and Professions Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST SB 1177, as introduced, Steinberg. Privacy: students. Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor. This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K–12 school purposes and was designed and marketed for K–12 school purposes from using, sharing, disclosing, or compiling personal information about a K–12 student for commercial purposes. This bill would require an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K–12 school purposes and was designed and marketed for K–12 school purposes to ensure that specified encryption processes are used, to provide a notice to the operator of a secondary site, service, or application that is accessible through the noticing operator’s site, service, or application that their secondary site, service, or application is used for K–12 school purposes on a site, service, or application designed and marketed for K–12 school purposes, and to delete a student’s personal information under specified circumstances. Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill Text The people of the State of California do enact as follows: SECTION 1.   Chapter 22.2 (commencing with Section 22584) is added to Division 8 of the Business and Professions Code, to read: CHAPTER  22.2. Student Online Personal Information Protection Act 22584.   (a) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K–12 school purposes and was designed and marketed for K–12 school purposes shall comply with all of the following requirements: (1) It shall not use, share, disclose, or compile personal information about a K–12 student for any purpose other than the K–12 school purpose and for maintaining the integrity of the site, service, or application. (2) It shall not use, share, disclose, or compile a student’s personal information for any commercial purpose, including, but not limited to, advertising or profiling. (3) It shall not allow, facilitate, or aid in the marketing or advertising of a product or service to a K–12 student on the site, service, or application. (4) It shall take all reasonable steps to protect the data at rest and in motion in a manner that meets or exceeds commercial best practices. An operator shall be deemed to be in compliance with this paragraph if the operator ensures the following: (A) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. (B) Valid encryption processes for data in motion are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others that are Federal Information Processing Standards (FIPS) 140-2 validated. (b) (1) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K–12 school purposes and the site, service, or application was designed and marketed for K–12 school purposes shall provide a notice to the operator of a secondary site, service, or application that is accessible through the noticing operator’s site, service, or application that the secondary site, service, or application is used for K–12 school purposes on a site, service, or application designed and marketed for K–12 school purposes. (2) An operator of a site, service, or application designed and marketed for K–12 school purposes shall comply with this section upon either receiving notice under paragraph (1) that the site, service, or application is used for K–12 school purposes or if the operator otherwise has actual knowledge that the site, service, or application is used for K–12 school purposes. (3) An operator that fails to provide the notice required by paragraph (1) to a secondary site, service, or application shall be liable for the secondary site, service, or application’s compliance with this section, unless that secondary site, service, or application had actual knowledge it was being used for K–12 purposes and was designed and marketed for K–12 school purposes. (c) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K–12 school purposes and that it was designed and marketed for K–12 school purposes shall delete a student’s personal information if any of the following occurs: (1) The site, service or application is no longer used for the original K–12 school purpose. (2) The student requests deletion, unless it is being used at the direction of a school or district for legitimate educational purposes and is under the control of the school or district. (3) The student ceases to be a student at the institution and the operator becomes aware the student is no longer a student, unless it is being used at the direction of a school or district for legitimate educational purposes and is under the control of the school or district. (d) Notwithstanding subdivision (a), an operator of an Internet Web site, online service, online application, or mobile application may disclose personal information of a student if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in disclosing that information. (e) An “online service” includes cloud computing services. (f) Notwithstanding subdivision (a), an operator of an Internet Web site, online service, online application, or mobile application may disclose personal information of a student for legitimate research purposes as required by state and federal law and subject to the restrictions under state and federal law. (g) For purposes of this section, “personal information” shall mean any information or materials in any media or format created or provided by a student, or the student’s parent or legal guardian, in the course of the student’s, or parent’s or legal guardian’s, use of the site, service, or application or an employee or agent of the educational institution, or gathered by the site, service, or application, that is related to a student and shall include, but not be limited to, information in the student’s educational record, the student’s email address, first and last name, home address, telephone number, other information that permits physical or online contact of a specific individual, discipline records, test results, special education data, juvenile delinquency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, email messages, documents, unique identifiers, profile, search activity, location information, Internet Protocol (IP) address, metadata, any aggregation or derivative thereof, or any information gained through tracking, including login and logoff information, searches, typing, photos, voice recordings, and geolocation information. (h) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction. (i) It is not the intent of the Legislature for this chapter to apply to general audience Internet Web sites. SEC. 2.   The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.