California Protects Student Data Privacy with Two Bills

A laptop privacy sweater keeps other people from seeing what this person is doing. Similarly, student data privacy legislation in California is trying to keep student information private and only used for educational purposes. Meme Binge C.C. 2.0

Over the last year, student data privacy conversations have been percolating across the nation, but now state legislatures are doing something about it. 

California sent two bills to Gov. Jerry Brown last week that deal with two sides of the same coin. SB 1177 lays out privacy guidelines for operators of Internet websites, online services, online applications and mobile applications. Meanwhile, AB 1584 deals with contracts between local educational agencies and third-party technology vendors.

The reason for new legislation

These bills address a growing problem of mismanagement of student data. Federal student privacy legislation including FERPA and COPPA do address student data privacy, but educators, privacy advocates, legislators and industry members are split on whether that legislation does enough to protect privacy in the Digital Age we live in. While new federal legislation was introduced in late July, states have been stepping up to deal with the issue by introducing 110 bills in 36 states this year and signing 28 of them into law as of August 27, according to the Data Quality Campaign.

A balancing act

CUE Inc., a professional association of computer-using educators, said SB 1177 initially included language that would have limited the ability of students to take their cloud-based work with them when they graduated and share their work beyond school. It also would have prohibited third-party companies from suggesting relevant education products based on student performance data collected from their services.

The educator association quietly expressed concern about the unintentional negative effects of this language, and Steinberg’s office responded, largely addressing those concerns with the final wording.

What SB 1177 does

SB 1177 lays out a number of do’s and don’ts for operators of K-12 Internet websites, online services, online applications and mobile applications that apply broadly whether companies contract with schools or not:

  1. Do not target advertising on the site or another site based on information from K-12 users.
  2. Do not use information gathered through the service to build a profile about a K-12 student.
  3. Do not sell a student’s information.
  4. Do not disclose covered information unless it’s for legal, regulatory, judicial, safety or operational improvement reasons.
  5. Do protect student information through reasonable security procedures and practices.
  6. Do delete school- or district-controlled student information upon request from those entities.
  7. Do disclose student information when required by law, for legitimate research purposes and for K-12 purposes to education agencies.

Companies can use de-identified student data within their sites to improve educational products, demonstrate their effectiveness and improve their sites.

What AB 1584 does

AB 1584 dives into the details by spelling out what types of things local educational agencies should include in contracts with third-party digital record and educational software providers:

  1. Do establish that the local educational agency owns and controls student records.
  2. Do describe how students can keep control of their projects and other content created for school, along with a way to transfer their content to a personal account later.
  3. Do prohibit third parties from using student information for purposes outside of those named in the contract.
  4. Do describe how parents, legal guardians or students can review and correct personally identifiable information contained in their records.
  5. Do outline actions that third parties will take to make sure that student data is secure and confidential.
  6. Do describe procedures for notifying affected parents, legal guardians or eligible students when there is an unauthorized disclosure of student records.
  7. Do certify that student records will not be retained or available to the third party once the contract is over and lay out how that will be enforced.
  8. Do describe how local educational agencies and third parties will comply with the federal FERPA legislation.
  9. Do prohibit third parties from using personally identifiable information from student records to target advertising to students.

Along with these do’s, the bill says that contracts will be voided if they do not comply with the requirements laid out above after a reasonable amount of time and notice to do so.

Read the entire article by Tanya Roscorla on the Center for Digital Education at



This entry was posted in Articles/Reports and tagged , , , , , , , , . Bookmark the permalink.

Please tell us what you think?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s