California Continues to Take the Lead on Consumer Privacy – Attorney General Issues New Guidance to the Ed Tech Sector About Student Data

November 10, 2016

For many years, California has been a leader when it comes to regulating consumer privacy, and California Attorney General, now Senator-elect, Kamala Harris has taken a particular interest in data privacy and security.  In October 2016, the AG launched a crowdsourcing online forum that allows consumers to alert the AG about online privacy policies that they suspect may violate the California Online Privacy Protection Act.  For example, consumers may report that a particular website or app operator appears to have failed to post clear and conspicuous information about how they respond to "do not track" requests.[1]  A few weeks later, on November 2, 2016, the AG released recommendations about protecting the privacy of student data collected and maintained by educational technology ("Ed Tech").  This latest non-binding guidance from the AG is aimed at a wide audience:  not just schools, but also technology companies that provide services to teachers, administrators, and students, as well as any company that collects data about students in California.  And it comes on top of an already crowded regulatory field dominated by the federal Family Educational Rights and Privacy Act of 1974 ("FERPA") and the Children’s Online Privacy Protection Act of 1998 ("COPPA").[2]  

The AG’s Ed Tech guidance was issued in response to two bills signed into law by Governor Brown in 2014:  (1) AB 1584, which addresses education agency contracts with third parties for data storage and digital education software that stores students’ records[3]; and (2) SB 1177, the Student Online Personal Information Privacy Act ("SOPIPA"), which requires Ed Tech companies to comply with certain baseline privacy and security protections.[4]  The AG’s guidance also addresses AB 2799, the Early Learning Privacy Information Protection Act ("ELPIPA"), which takes effect on July 1, 2017, and applies SOPIPA’s protections to students in pre-school and prekindergarten.[5]  The chief purposes of California’s student privacy legislation and the AG’s related guidance are ensuring that sensitive student data is properly safeguarded, and that education technology is used primarily for educational purposes.[6]

The AG’s guidance relates to several topics, including data collection and retention, data use, data disclosure, data control, data security, and transparency.  Key recommendations include:  

  • Data collection:  Collect only the student information necessary to accomplish the school purposes your service is designed to achieve. 
  • Data retention:  Retain student data only as long as allowed or required by the school; do not set the "default" retention period as "indefinite."
  • Data use:  Use data for educational purposes.  Do not use information acquired through your website or service as a basis for targeted advertising.  Do not use information acquired through your website or service to create student profiles (except those necessary for the school purposes).
  • Data disclosures:  Contractually require service providers who receive sensitive student information to agree not to further disclose the information and to implement reasonable security measures.  Do not sell any student data, except as part of a merger or acquisition.
  • User controls:  Implement policies and procedures that allow parents, legal guardians, and students over 18 to review their protected information maintained by your company.  Implement a mechanism to allow students to delete their own student-created content.[7]
  • Data security:  Implement reasonable security measures to protect student data.  Develop and describe a process for responding to data breaches.  (Note that the AG issued guidance on how to plan, prepare, and respond to a data breach incident in February 2016.[8])
  • Transparency:  Provide a meaningful, comprehensive privacy policy, and provide it to the school or district for posting on their website.  (The AG issued guidance on what to include in a privacy policy in 2014.[9])

In light of the new recommendations, Ed Tech companies should be particularly careful about how they use student data, and should think seriously about whether there are any arguably non-educational purposes for which they are currently using such data.  Much of the other guidance provided by the AG echoes recommendations made by others in the field and governmental bodies, e.g., guidance about posting a clear and conspicuous privacy policy and implementing data security measures and a data breach incident response plan.  Yet with the recent legislation and guidance focused on student privacy, companies should pay particular attention to their practices related to student data, and should be aware of any different or heightened protections such data should receive.  This recommendation does not only apply to data about students residing in California.  While California was the first to pass privacy legislation specifically targeting the Ed Tech industry, several other states have followed suit, and Congress has introduced a number of bills on the subject.  As of May 2016, seven other states had enacted legislation similar to SOPIPA, and an additional 19 states had introduced similar legislation.[10] 

Ed Tech companies should also be aware of the differences and potential conflicts between the AG’s new non-binding recommendations and the existing laws related to children’s privacy, including in particular the federal laws, FERPA and COPPA.  For example, COPPA applies only to children under 13, while the AG’s guidance applies to individuals under 18.[11]  And while COPPA applies only to personal information collected directly from children, the AG’s guidance covers student information provided to them by other third parties (in addition to student-provided information).[12]  This patchwork of recommended and mandatory practices, which vary across the nation, continues to create a difficult environment for organizations to create effective, compliant programs.  Accordingly, all companies, and particularly Ed Tech companies, must carefully evaluate their responsibilities. 


[1] See Allison Grande, Calif. AG Launches Tool To Report Privacy Policy Violations, Law360 (Oct. 17, 2016), https://www.law360.com/privacy/articles/852323/calif-ag-launches-tool-to-report-privacy-policy-violations.

[2] See Kamala Harris, Ready for School:  Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, https://iapp.org/media/pdf/resource_center/ready-for-school-11-16.pdf (November 2016).

[3] See https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB158

[4] See https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB1177.  SOPIPA applies to "an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes."  While the Act does not define what it means by "designed and marketed for K–12 purposes," any company that collects data from K–12 students in California may fall under SOPIPA’s purview.  Companies need not be based in California to fall within the purview of SOPIPA.

[5] See http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB2799

[6] See Ready for School, supra note 2.

[7] Notably, California’s "Digital Eraser" law already allows children under 18 to request deletion of content of their own creation posted on websites and apps "directed" to minors, or that have actual knowledge that a minor is using its site.  See Alexander Southwell, California’s new ‘Digital eraser’ Evaporates Embarrassment, Law Technology News (Nov. 13, 2013), http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCaliforniaPrivacyPartTwo.pdf.

[8] See Kamala Harris, California Data Breach Report (February 2016), https://oag.ca.gov/breachreport2016#recommendations.

[9] See Kamala Harris, Making Your Privacy Practices Public (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.

[10] See Ready for School, supra note 2, at 8.

[11] See id. at 6.

[12] See id.


Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding the developments discussed above.  To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group, or the authors:

Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
James Zelenay – Los Angeles (+1 213-229-7449, [email protected])
Jeremy S. Smith – Los Angeles (+1 213-229-7973, [email protected])
Danielle Serbin – Orange County (+1 949-451-3895, [email protected])


© 2016 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.