Center for Digital Education & Converge: research in education technology for K-12 and higher education

Student Data Privacy Bill Would Close a Loophole in Current Law

on February 21, 2014

A California bill seeks to close a loophole in federal and state privacy laws that allows companies to use student data for non-educational purposes.

Senate President Pro Tem Darrell Steinberg introduced the Student Online Personal Information Protection Act on Thursday, Feb. 20, to hold private companies accountable for how they handle K-12 student data. Currently, federal and state laws place the responsibility on schools to protect personal information including phone numbers, emails and addresses.

SB 1177 would allow operators of websites, online services, online applications or mobile applications to use student data strictly for school purposes. They couldn't use, share, disclose or compile personal information about students for commercial purposes, including advertising and profiling. They also couldn't advertise a product to a student on their site.

Companies would need to encrypt information used for educational purposes. In addition, once a class no longer uses the site, companies must delete students' personal information.

"What Sen. Steinberg's bill does is it requires that the private online companies maintain this information in a safe way through encryption and also keep it to themselves and not share it and not use it for any secondary purposes," said Margie Estrada, policy consultant for Steinberg.

If this bill becomes law, companies that violate it could open themselves up to legal action. School districts or citizens could ask the courts for an order to stop companies from misusing data. They could also make a case against companies in court based on Section 17.200 of the California business and professions code, which deals with unfair competition.

The problem with data

This legislation addresses a major public concern about student data privacy. With the proliferation of educational sites, services and applications online, teachers sometimes sign up their students for one-off sites that collect personal information. In these cases, the use of that personal information is only governed by the company's privacy policy, which can change at any time.

This situation cuts schools out of the picture because the service is not going through the normal contracting process, and therefore it falls outside the federal Family Educational Rights and Privacy Act, Estrada said. That leaves companies the opportunity to do what they want with the data.

And in some cases they ask students unrelated questions, sell their information to third-party advertisers and expose information online. For example, students are sometimes asked how many bedrooms are in their house and who they live with, Estrada said.

The data privacy standards outlined in the bill could have been helpful in a recent incident involving a vendor for Loudoun County Public Schools in Ashburn, Va. In January, Leesburg Today reported a data breach of thousands of documents containing school emergency management plans and student and staff information. The vendor, Risk Solutions International, posted these documents on a webpage that was supposed to be password protected, but it wasn't. In addition, the data wasn't encrypted, so anyone could see it.

"Technology's just booming in this area, and we're trying also to get ahead of a problem," Estrada said.

This bill is an extension of Steinberg's efforts to protect minors when they're online. Last year, SB 568 was signed into law, which requires Internet companies to allow minors to delete anything they post online and prohibits companies from marketing products and services to minors that they can't legally purchase, including alcohol, tobacco and diet pills.

Nationally, Sen. Edward J. Markey of Massachusetts is also preparing to introduce legislation that would protect student data when it's shared with private companies. If this issue is taken care of at the federal level, then states wouldn't have to pass individual laws governing student data privacy.

Student Online Personal Information Protection Act


You may use or reference this story with attribution and a link to
http://www.centerdigitaled.com/news/Student-Data-Privacy-Bill-California.html


If you enjoyed this story, subscribe for updates.

View Sample

Tanya Roscorla

Tanya Roscorla covers education technology in the classroom, behind the scenes and on the legislative agenda. Likes: Experimenting in the kitchen, cooking up cool crafts, reading good books.

E-mail: troscorla@centerdigitaled.com
Twitter: twitter.com/reportertanya
Google+: Gplus.to/reportertanya

Comments

Add a Comment

Add a Comment

on Feb 26, 2014
I do not think it is appropriate for private industry to use student data for any purpose other than the intended purpose. In this highly connected age a student has basic rights to privacy, states and school districts should protect those rights as students are citizens with rights. California is moving in the right direction.


 

Resources and Solutions

Common Core Standards
The Common Core Standard, adopted by 45 states, is a benchmark for education that can only be reached through new teaching methods and leveraging technology to make learning more effective. Learn how video collaboration has proven to be an effective learning tool in this new culture of education.

Case Study: Community College Helps Put Mississippi Residents Back to Work with Video Distance Learning





Infographic: Video-enhanced learning is affordable, scalable, anytime, and anywhere.