California Sets the Curve with New Regulations on Collection and Use of Student Data
When one thinks of the use of technology in school, often the first image to comes to mind is of students sending ill-advised Snapchats and making in-app purchases that line the pockets of the Kardashian family, rather than paying attention in geometry. As a tool for teachers, however, online educational tech products can be a valuable resource to deliver materials to students in dynamic fashion and collect detailed information regarding learning habits. As a result, there has been a substantial increase in classroom technology products that operate online and collect and process student data, including many products that may not subject to the provisions of the Family Educational Rights and Privacy Act (FERPA) because they are being used at the direction of a faculty member, rather than under a contract with the school. Now, California is aiming to close this regulatory gap and reign in the use of student data for commercial gain.
Senate Bill 1177, referred to as the Student Online Personal Information Protection Act (SOPIPA), has been passed by the California legislature and is expected to be signed into law. SOPIPA applies to operators of online services (including web sites and mobile applications) with actual knowledge that the online service is used for K-12 school purposes, where the service was designed and marketed for K-12 school purposes. SOPIPA imposes restrictions with respect to the collection, use, storage and destruction of student personal information. As defined in the bill, student “personal information” includes any information or materials created by the student (or his or her parent or guardian) while using the service, as well as information gathered by the online service that is related to the student. If signed into law, SOPIPA will require the following:
Use Restrictions. Education service providers who are subject to SOPIPA will not be permitted to use, share, disclose or compile personal information about K-12 students other than for the K-12 school purpose for which it was collected and for maintaining the service. SOPIPA also explicitly bars use, sharing, disclosure or compilation of student information for commercial purposes, such as advertising or profiling.
Marketing Restrictions. Education service providers will be prohibited from marketing or advertising products and services to the students on the online service, or allowing any third party to do so.
Protection of Student Data. Education service providers will also be required to take all reasonable steps to protect student data at rest and in motion in a manner that meets commercial best practices standards. For clarity, SOPIPA provides that operators are deemed to have complied with this requirement if (i) its encryption process for data at rest is consistent with NIST Special Publication 800-111 and (ii) data in motion is encrypted in compliance with NIST Special Publication 800-52, 800-77 or 800-113 or other manner validated by the Federal Information Processing Standards.
Third Party Subcontractors and Advertisers. If a secondary online service is accessible through the operator’s educational service, then the educational service operator is required to put the third party on notice that the online service is used, designed and marketed for K-12 school purposes. If that notice is not provided to the secondary service provider, then under SOPIPA the educational service provider will be liable for the secondary service’s compliance with SOPIPA, unless the secondary service had actual knowledge that the primary service is being used and was designed for K-12 purposes.
Deletion of Student Data. Education service providers will be required to delete K-12 student data at the point where (i) the data is no longer being used for the educational purposes for which it was collected (whether before or after the student’s graduation or transfer to a different educational institution) or (ii) at the student’s request.
If SOPIPA is enacted, we can expect to see the biggest hit in the areas of targeted advertising and educational services analytics, particularly to the degree that those services rely on building a profile of the individual student. With SOPIPA heading to the Governor’s desk, online service providers (who should already be in the process of preparing for new restrictions on marketing toward children and requirements to delete children’s data that go into effect on January 1, 2015) should begin thinking about what kind of changes they may need to make to stay compliant.