Public Entity Client Advisory: Landmark Software Privacy Laws-What Do They Mean for Schools?

I.    Senate Bill 568

On February 21, 2014, California State Senate Pro Tem Darrell Steinberg announced legislation intended to protect students’ online privacy. Senate Bill 568 will purportedly prohibit education-related websites from using or sharing personal information for anything other than education-related purposes. California, the birthplace of the Internet Revolution, should be on the cutting-edge of crafting model legislation to scrutinize the education technology software industry. This is particularly true in light of the recent Fordham Law School report which demonstrated that America’s schools and educators have not been able to keep pace with the rapidly changing technological landscape. The report highlighted that over 90% of parents are worried about students’ privacy data. It is undeniably the right place and time, but is it the right law?

II.    Existing Statutes

There is already federal statutory framework protecting students’ privacy. The Federal Educational Right to Privacy Act (“FERPA”) limits the release of student records by schools that receive federal funding. Schools cannot release “personally identifiable” information without parental consent. However, there must be many exceptions including, but not limited to, “directory” information, release to school officials with legitimate educational interests and organizations conducting certain studies for the school(s). Furthermore, the Children’s Online Privacy Protection Act (“COPPA”) requires verifiable parental consent and notification of privacy rights for online data collection of personal information by persons under 13 years old. Existing California law requires an online service that collects “personally identifiable” information to make its privacy policies available to consumers. Do these laws offer our students the protection they need?

III.    Differing Technological Models

To fully understand the necessity of state and local action we must first differentiate technological models. There are third-party providers that “host” data. This “cloud” environment is attractive to school districts because it can provide greater security and economy of scale. However, school employees have the keys to these electronic safety deposit boxes that may contain sensitive information such as disciplinary records or special education files. There is inconsistent local enforcement, regulation, and administration of this information. It is extremely difficult for over-strapped and under-resourced schools to devote personnel and energy to data protection. But, it is the law. It is critical that school districts have board policies, administrative regulations, and training to address this mandate. Does this new law address this need? Does the onus remain on the school personnel to protect student privacy?

The other important technological model is where students interact with a data program for the purpose of educational enhancement. Students interact with software to allow educators to engage in data-driven instruction in real time. Teachers have been doing extraordinary work by tracking student progress and quickly identifying both problems and solutions. iPads and iPods have become commonplace in our schools and true differentiated instruction is taking place. The pedagogical potential is as unlimited as the potential pitfalls; there are dangers of data mining that have not been seen before. We are in an evolutionary environment where the same software that is intended to teach can also collect data for marketing purposes. Information collected from electronic cafeteria cards can identify the food a child prefers. Teaching applications can collect such information as the number of siblings a child may have or the number of rooms in their house. This creates the unnerving specter of not only “Big Brother,” but also vendors marketing directly to our children. All experts agree that we should regulate operators to maximize the educational benefit and eliminate commercial use. The question is, does this law do that?

The new legislation is touted as prohibiting use beyond that which is intended by school officials. Curiously, school officials “intent” is not referenced in the legislative language. Additionally, the bill defines and prohibits operator marketing. However, it only applies when there is “actual knowledge” that a minor is using the website, service or application. Finally, it only limits the marketing and advertising of specified products or services such as alcohol, tobacco, firearms, tattoos and tanning. The purpose and message are undoubtedly praiseworthy. However, it is hardly the circumspect protection against commercial use that has been presented.

IV.    What Does SB 568 Mean for Your District?

While the debate over legislation versus enforcement and commerce versus privacy rages, the fact is parents are exceptionally worried about privacy. Existing laws and societal expectations will require our systems and our educators to be smarter so we can understand and adapt to technology. Consequently, districts should discuss policies, procedures, and technological guarantees to protect the right of access to student information. This includes, but is not limited to, server security as well as cloud security. More importantly, districts must revisit their relationships with their vendors. The contractual relationship between school districts and operators will become the battleground over who is responsible for student privacy. Districts should reevaluate their vendor contracts and license agreements as they pertain to any technology capable of collecting student information.

This document is intended to provide you with information about public entity/school district related developments. The contents of this document are not intended to provide specific legal advice. This communication may be considered advertising in some jurisdictions.

February 26, 2014