November 10, 2016
For many years, California has been a leader when it comes to regulating consumer privacy, and California Attorney General, now Senator-elect, Kamala Harris has taken a particular interest in data privacy and security. In October 2016, the AG launched a crowdsourcing online forum that allows consumers to alert the AG about online privacy policies that they suspect may violate the California Online Privacy Protection Act. For example, consumers may report that a particular website or app operator appears to have failed to post clear and conspicuous information about how they respond to "do not track" requests. A few weeks later, on November 2, 2016, the AG released recommendations about protecting the privacy of student data collected and maintained by educational technology ("Ed Tech"). This latest non-binding guidance from the AG is aimed at a wide audience: not just schools, but also technology companies that provide services to teachers, administrators, and students, as well as any company that collects data about students in California. And it comes on top of an already crowded regulatory field dominated by the federal Family Educational Rights and Privacy Act of 1974 ("FERPA") and the Children’s Online Privacy Protection Act of 1998 ("COPPA").
The AG’s Ed Tech guidance was issued in response to two bills signed into law by Governor Brown in 2014: (1) AB 1584, which addresses education agency contracts with third parties for data storage and digital education software that stores students’ records; and (2) SB 1177, the Student Online Personal Information Privacy Act ("SOPIPA"), which requires Ed Tech companies to comply with certain baseline privacy and security protections. The AG’s guidance also addresses AB 2799, the Early Learning Privacy Information Protection Act ("ELPIPA"), which takes effect on July 1, 2017, and applies SOPIPA’s protections to students in pre-school and prekindergarten. The chief purposes of California’s student privacy legislation and the AG’s related guidance are ensuring that sensitive student data is properly safeguarded, and that education technology is used primarily for educational purposes.
The AG’s guidance relates to several topics, including data collection and retention, data use, data disclosure, data control, data security, and transparency. Key recommendations include:
Ed Tech companies should also be aware of the differences and potential conflicts between the AG’s new non-binding recommendations and the existing laws related to children’s privacy, including in particular the federal laws, FERPA and COPPA. For example, COPPA applies only to children under 13, while the AG’s guidance applies to individuals under 18. And while COPPA applies only to personal information collected directly from children, the AG’s guidance covers student information provided to them by other third parties (in addition to student-provided information). This patchwork of recommended and mandatory practices, which vary across the nation, continues to create a difficult environment for organizations to create effective, compliant programs. Accordingly, all companies, and particularly Ed Tech companies, must carefully evaluate their responsibilities.
 See Kamala Harris, Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, https://iapp.org/media/pdf/resource_center/ready-for-school-11-16.pdf (November 2016).
 See https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB1177. SOPIPA applies to "an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes." While the Act does not define what it means by "designed and marketed for K–12 purposes," any company that collects data from K–12 students in California may fall under SOPIPA’s purview. Companies need not be based in California to fall within the purview of SOPIPA.
 See Ready for School, supra note 2.
 Notably, California’s "Digital Eraser" law already allows children under 18 to request deletion of content of their own creation posted on websites and apps "directed" to minors, or that have actual knowledge that a minor is using its site. See Alexander Southwell, California’s new ‘Digital eraser’ Evaporates Embarrassment, Law Technology News (Nov. 13, 2013), http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCaliforniaPrivacyPartTwo.pdf.
 See Kamala Harris, California Data Breach Report (February 2016), https://oag.ca.gov/breachreport2016#recommendations.
 See Kamala Harris, Making Your Privacy Practices Public (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.
 See Ready for School, supra note 2, at 8.
 See id. at 6.
 See id.
Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding the developments discussed above. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group, or the authors:
Alexander H. Southwell – New York (+1 212-351-3981, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
James Zelenay – Los Angeles (+1 213-229-7449, firstname.lastname@example.org)
Jeremy S. Smith – Los Angeles (+1 213-229-7973, email@example.com)
Danielle Serbin – Orange County (+1 949-451-3895, firstname.lastname@example.org)
© 2016 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.