FPF Guide to Protecting Student Data Under SOPIPA: For K-12 ...

FPFGuidetoProtectingStudentDataUnderSOPIPA:

ForK-12SchoolAdministratorsandEdTechVendors

November2016

2

FPFGuidetoStudentDataProtectionUnderSOPIPA:ForK-12SchoolAdministratorsandEdTechVendors1

Introduction.................................................................................................................................................................4

StudentDataPrivacy–BackgroundandOverview....................................................................................6

ParentalConcerns.....................................................................................................................................................7

ConcernsAboutThirdParties..............................................................................................................................8

KeyDevelopments–theStudentPrivacyPledge......................................................................................10

LegalOverview.........................................................................................................................................................10

ComplianceandEnforcement............................................................................................................................12

COPPA...........................................................................................................................................................................12

PPRA..............................................................................................................................................................................13

StateLawsGenerally..............................................................................................................................................14

SOPIPA..........................................................................................................................................................................15

WhoMustComply?............................................................................................................................................16

Whatis“ActualKnowledge”?........................................................................................................................16

Whatare“K-12SchoolPurposes”?.............................................................................................................17

WhatInformationIsProtectedUnderSOPIPA(“CoveredInformation”)?................................18

SpecificRequirementsofSOPIPAforEdTechVendors.....................................................................19

WhatisTargetedAdvertising?......................................................................................................................20

WhenCananOperatorDiscloseCoveredInformation?....................................................................20

HowCanOperatorsUseStudentInformation?......................................................................................21

SOPIPARightsforStudents............................................................................................................................21

SchoolandDistrictGuidanceonSOPIPA–WhattoExpect.............................................................21

1 AuthoredbyBrendaLeong,FutureofPrivacyForum;LinnetteAttai,PlayWellLLC;AmeliaVance,NationalAssociationofStateBoardsofEducation;andDavidRubin,DavidB.Rubin,PC

3

GuidancefromtheStateofCalifornia........................................................................................................23

LegalRemedies....................................................................................................................................................23

WhichStatesAreFollowingCalifornia’sLead?..........................................................................................25

WhatShouldOperatorsDoNow?.....................................................................................................................26

Conclusion...................................................................................................................................................................26

ANNEXES.....................................................................................................................................................................28

A. RelevantLaws.............................................................................................................................................28

B. WhatisTargetedAdvertising?............................................................................................................28

C. WhatCanParentsAuthorize?..............................................................................................................28

D. Whatare“ReasonableSecurity”ProceduresandPractices?.................................................28

A. RelevantLaws.............................................................................................................................................29

B. WhatisTargetedAdvertising?............................................................................................................30

C. WhatCanParentsAuthorize?..............................................................................................................34

D. Whatare“ReasonableSecurity”ProceduresandPractices?.................................................36

4

FPFGuidetoStudentDataProtectionsUnderSOPIPA:ForK-12SchoolAdministratorsandEdTechVendors

IntroductionThisguideisdesignedtoprovideanoverviewoftheCaliforniaStudentOnlinePersonalInformationProtectionAct(“SOPIPA”),which–inconjunctionwithCalifornia Education Code section 49073.1 (formerly AB 1584)–wasthefirststatelawtocomprehensivelyaddressstudentprivacy.ItbecameeffectiveJanuary1,2016andappliestowebsites,applications,andonlineservicesthatprovideprogramsorservicesforK-12students.SOPIPAappliestooperators(asdefinedinthestatute)thatcollectcoveredinformationfromstudentsinthestateofCalifornia.Thisguideprovidesgeneralinformation,notlegaladvice,andfollowingtherecommendationsortipswithindoesnotguaranteecompliancewithanyparticularlaw.SOPIPAisimportantbecausemosteducationtechnologycompaniesdobusinesswithCaliforniaschools,andbecauseitbecameatemplateforsimilarstatutesaroundthecountry.Ourgoalistoclearlyexplainwhatcompaniesandinformationiscovered,andwhatthelawdoes(ordoesn’t)require.ThismaybeusefulforcompaniesandschoolsoperatinginCalifornianow,andalsomayprovehelpfultopolicymakersinthosestateswhomaystillbeconsideringupdatestotheirstudentprivacylaws,andareconsideringwhethertofollowtheCaliforniamodel.Ourdiscussionexpandson:

• Whomustcomply?SOPIPAappliestooperatorsofwebsites,onlineservices(includingcloudcomputingservices),onlineapplicationsormobileapplicationswithactualknowledgethattheirsite,serviceorapplicationisusedprimarilyforK-12schoolpurposesandwasdesignedandmarketedforK-12schoolpurposes.SOPIPAdoesnotapplytooperatorsofgeneralaudienceproducts,evenifthoseproductsareaccessiblethroughaK-12operator’sproduct.

• Whatisactualknowledge?SOPIPAissilentonthequestion.TheexistingFederalTradeCommission(FTC)standardisareasonableguide:Theactualknowledgestandardislikelytobemetwhenanoperatoreithercommunicatesthenatureofitscontenttoathirdpartyorwhenarepresentativeofthethirdpartyrecognizesthenatureofthecontent.Ultimately,theFTCemphasizesacase-by-caseapproach.

• WhatareK-12schoolpurposes?Purposesthatcustomarilytakeplaceatthe

directionofaK–12school,teacher,orschooldistrict–thosedirectactivitiestraditionallyandroutinelydonebytheschoolaspartofcarryingouttheeducationofitsstudents.Further,K-12purposesmayincludesecondaryactivitieswhichaidoftheadministrationofschoolactivities,includingintheclassroomorathome,byschooladministration,betweenstudents,schoolpersonnel,orparents,orotherwisefortheuseandbenefitoftheschool.

5

• Whatiscoveredinformation?Coveredinformationisdefinedaspersonally

identifiableinformationormaterials,regardlessofmediaorformat,whichmeetanyofseveralspecifiedcriteria.MostcoveredinformationisalreadyidentifiedandprotectedunderFERPA.

• WhatisuniquetoSOPIPAforEdTechvendors?Operatorsmustnot:

• Engageintargetedadvertisingwhenthetargetingisbasedonanyinformationthathasbeenacquiredbecauseoftheuseofthatoperator’ssite,serviceorapplication

• UseinformationtoamassaprofileaboutaK-12student,exceptinfurtheranceofaK-12schoolpurpose

• Sellastudent’sinformation,includingcoveredinformation• Disclosecoveredinformationexceptinspecific,limitedcircumstances

Operatorsmust:

• Implementandmaintainreasonablesecurityproceduresandpracticesappropriatetothenatureofthecoveredinformation

• Protectcoveredinformationfromunauthorizedaccess,destruction,use,modification,ordisclosure

• Deleteastudent’scoveredinformationifrequestedbytheschoolordistrictthatcontrolstheinformation2

• WhatisTargetedAdvertising?Acomplicatedquestionthatiscoveredindetailbelow.

• Whencananoperatordisclosecoveredinformation?TofurthertheK-12purposeofthesite,serviceorapplication,providedthattherecipientislikewiserestricted;forlegalresponseandcompliance;forusersafety;toothereducationalagenciesforK-12schoolpurposes;andtootherserviceproviderswhentheyarelikewisecontractuallybound.

• Howelsecanoperatorsusestudentinformation?Operatorsmayusestudentdatatoconductlegitimateresearch,andmayusedeidentifiedinformationforproductimprovement,marketinganddevelopment,ormayuseaggregated,deidentifiedinformationtodevelopandimproveeducationalsites,servicesorapplications.

2 The“schoolofficial”exceptionundertheFamilyEducationalRightsandProtectionsAct(FERPA)alreadyrequiresthatoperatorsbeunderthe“directcontrol”oftheeducationalagencyasaconditionofreceivingstudentdata.http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=16796a773ac48f980cdfaed80b1fa94a&rgn=div5&view=text&node=34:1.1.1.1.33&idno=34

6

• SOPIPArightsforstudents:UnderSOPIPA,studentsmaydownload,exportorotherwisesaveormaintaindataordocumentsthattheycreate.

InadditiontoadetailedoverviewofSOPIPA,thisguidealsoprovidesageneraloverviewoffederalstudentprivacylaws,andacomparisontotheothermajorstate-levelstudentprivacylaw,theStudentUserPrivacyinEducationRightsAct(“SUPER”Act),thataswithSOPIPA,becameamodelformanystatesnationwide.TheSUPERActhasitsrootsintheStudentPrivacyPledgethattheFutureofPrivacyForumandSoftware&InformationIndustryAssociationfacilitatedwiththeeducationtechnologyindustry.Companiesthattakethepledgemake12commitments,suchas:notsellingstudentdata;notbuildingstudentprofilesfortheirownpurposes;anddisclosinghowtheyusestudentdata.Samplelanguageforabillbasedonthesecommitmentswasdraftedandincludedinavarietyofformsbymanystates.

StudentDataPrivacy–BackgroundandOverview

Datauseisnowessentialtomost,ifnotall,educationfunctions,andissointegraltotheworkingsofschoolsanddistrictsthatitwouldbeimpossibletodecoupledatafromeducation.Indeed,whendataisbeingusedeffectivelyitallowsparentstotrackandpromotetheirchildren’sprogress,helpsteachersimprovetheirinstructionandcatermoreaccuratelytostudents’needs,andassistsschoolanddistrictleadersinmakingmanagerialdecisions,allocatingresources,andcommunicatingwiththepublic.Constructiveuseofeducationaldataalsoincreasestransparency,holdsschoolsaccountable,andhelpsstateandfederalpolicymakersassesspoliciesandstrategiespriortotheenactmentofimportantchanges.

However,withthebenefitsofdatacomepotentialconcerns.Collection,storage,

access,anduseofdataallhaveinherentrisks.Safeguardingstudentprivacyisacriticalaspectofresponsibleeducationdatacollectionanduse.

Childrenandadolescentsareinherentlyvulnerable,andschoolshaveadutyto

protecttheirstudentsfromrisks.Thisincludesthemisuseof,unauthorizedaccessto,ortheftofschool-retainedinformation,whetheritexistsonpaperorisstoredonacomputerdrive,inanetwork,orisinformallyshared.Mostpeoplethinkthatmaintainingtheirprivacyisimportant.Despitenumerousarticlesbemoaningyoungpeople’slackofattentiontoprivacyissues,today’schildrendocareaboutprivacy;studieshavefoundthattheattitudesofolderandyoungerpeopleaboutprivacyaresimilar,anda2012Microsoftstudyfoundthat“[p]rivacyandsecurityrankascollegestudents’#1concernaboutonlineactivity.”3Despiteroutinesharingofpersonalinformationinthedigitalage,mostpeople,regardlessofage,wanttocontrolwhomayaccesstheirpersonaldata.43http://www.teachprivacy.com/do-young-people-care-about-privacy/4USCAnnenberg,IsOnlinePrivacyOver?,April22,2013:“Whenaskedaboutthestatement,‘Nooneshouldeverbeallowedtohaveaccesstomypersonaldataorwebbehavior,’70percentofMillennialsagreed,comparedwith77percentofusers35andolder.”(http://annenberg.usc.edu/News%20and%20Events/News/130422CDF_Millennials.aspx)

7

ParentalConcerns

AsaCommonSenseMediapollrevealed,90percentofadultscareaboutthewaysthatstudents’personaldatabecomesaccessibletonon-educationalinterestsafteritiscollectedasapartofinstruction.5Forsome,“[e]venifgovernmentweretokeeptheinformationprivate,theveryexistenceofa‘dossier’isimmenselyintimidatingandinhibiting.”6

Otherparentsandstudentssimplywanttokeepinformationtheyfeelisembarrassing—whetherpoortestscoresoraminordisciplinaryevent—private.Whetherlegitimatefearorparanoia,parentswanttomakesurechildhoodmisjudgments,suchasafightinmiddleschool,willnotharmtheirchild’sfutureabilitytoattendcollegeorgetajob.

Moreover,asthescopeandamountofeducationalandnon-educationalinformationthatschoolscollectincreases,therisksincrease,asshouldsecuritydesignedtomitigatethoserisks.Indeed,aspublicschoolsbecomemorethanjustacademicinstitutions—providing,forexample,medicalandpsychologicaltreatmentin2,000school-basedhealthcentersaroundthecountry—theyarecontinuallycollectingmoreinformationthatishighlysensitive.7

Atthesametime,asexamplesoflarge-scalesecuritybreachesatbusinessesandgovernmentagenciesemphasize,itisimpossibleforacompanyoraschooltopromisethatitcankeepinformationcompletelysafe.AsprivacyadvocateJoelReidenbergobserved,“Youhavefailuresatinstitutionsthatarespendingmillionstryingtoprotectthesecurityoftheirdata.Isthereanyreasontobelievethatschoolsystemsaregoingtobemoresuccessful?”8

Educationleadersandstatepolicymakershearconcernsfrommanystakeholdersaboutthecollectionanduseofstudentdata.Apprehensionsabound,fromthosewhofear“behaviormodification”9tothosewhoworrythatchildrenarelearningtoacceptintrusionsintotheirprivacy.10Someconcernsarepartofmorebroadlyheldbeliefsaboutprivacyingeneralorabouttheroleofgovernmentandpubliceducation.Otherconcernsreflectalack

5CommonSenseMedia,NationalPollCommissionedbyCommonSenseMediaRevealsDeepConcernforHowStudents’PersonalInformationIsCollected,Used,andShared,January22,2014(https://www.commonsensemedia.org/about-us/news/press-releases/national-poll-commissioned-by-common-sense-media-reveals-deep-concern).6PioneerInstitute:BigData,CommonCore,andNationalTesting7PioneerInstitute:BigData,CommonCore,andNationalTesting8Reidenberg,NPR:WhatParentsNeedToKnowAboutBigDataAndStudentPrivacy.9PioneerInstitute:BigData,CommonCore,andNationalTesting10JayStanley,“NewestSchoolRFIDSchemeisReminderofTechnology’sSurveillancePotential”www.aclu.org.June29,2012.

8

ofbasic,accurateinformationaboutdatacollectionanduse.Manyconcerns,however,arevalidandimportant,especiallythoseabouttheextentofdatacollectedandthesecurityofthetechnologyusedindatacollectionandstorage.

Forexample,separatefromconcernsoverdatabreachesandidentitytheft,manyparentsareworriedaboutthepotentialramificationsofcollectingsomuchdataaboutchildren.Theyfearthatthepeople,companiesandgovernmententitiesthatcreateandmaintaindatabasesmaymisuseinformationorhandleitpoorly.11Inits2015BigDatareport,theWhiteHousewarnedthat“[o]nceinformationaboutcitizensiscompiledforadefinedpurpose,thetemptationtouseitforotherpurposescanbeconsiderable…Ifunchecked,bigdatacouldbeatoolthatsubstantiallyexpandsgovernmentpowerovercitizens.”12Asanexample,thereportpointstotheuseofsupposedlyconfidentialcensusdatathatwasusedtoidentifyJapaneseAmericansforinternmentduringtheWorldWarII.13

Anotherreasonparentsareoftenconcernedaboutdatacollectionisthatchildrenandadolescentsoftenmakemistakeswhentheyareyoungthat,ifexposed,mayaffecttheiropportunitieslaterinlife.Ifdisciplinerecordsbecamepubliclyaccessible,itcouldbemuchharderforstudentstomovepasttheirbadchoices.Yetmanystatescollectinformationaboutstudentdisciplinaryincidents,ofteningreatdetail,andtiethoserecordstostudents’names.Forexample,Louisianahas32differentcodesfordisciplinaryactions,andFloridahaswide-rangingcategoriesforstudentcodeviolations.14Theworryisthatifdisciplinaryinformationisnotexpungedfromschoolrecords,itcouldbeusedtodenystudentsaccesstojobsinthefuture.Conversely,ifitweretobeexpunged,itmayhinderthosewhomightintervenetohelpstudentsmakemorepositivebehaviorchoices.

Criminalrecordsarealsoincludedinmanyeducationalfiles.Asof2009,atleast17statesincludedacodeforincarcerationasacauseofwithdrawal.15AsresearchersfromFordhamUniversityhaveobserved,the“collectionofdatapertainingtothecriminaljusticesystemcanbeespeciallydamagingtoastudent.Manystatesprovidethatjuvenilecriminalrecordscanbesealedandeventuallyexpunged.However,theincidentswillstillremainpartofthestudent’seducationfileintheabsenceofacomparabledatapurgerequirement.”16Thequestionofcost/benefitofretainingsuchdataiscomplexandraisesconcernsonallsidesoftheargument.

ConcernsAboutThirdParties

11NPR:WhatParentsNeedToKnowAboutBigDataAndStudentPrivacy12BIGDATA:SEIZINGOPPORTUNITIES,PRESERVINGVALUES,2213BIGDATA:SEIZINGOPPORTUNITIES,PRESERVINGVALUES,2214FordhamReport:Children’sEducationalRecordsandPrivacy200915FordhamReport:Children’sEducationalRecordsandPrivacy200916FordhamReport:Children’sEducationalRecordsandPrivacy2009

9

Finally,thereareever-increasingnumbersofthirdpartyeducationalapplicationsusedintheclassroom,forpurposesrangingfrommarkingattendanceandmonitoringclassbehaviortolearningnewmathskills.Becausetheseappsareabletocollectandmaintainmorestudentinformationthanwouldeverhavebeenmaintainedwithouttechnology—and,concernsaboutholdingdatawithoutcleardeletionoruserestrictions—parentsareconcernedaboutwhatdatatheseappproviderscollectregardingtheirchild,andifthedatacouldbeusedinappropriately.

Inmanyways,parentalworriesaboutwhatschoolsorothergovernmentalentitiesmightdowiththeirchild’sdataarethesameastheirworriesaboutwhatthirdpartiesmightdowiththedata.Focusonthirdpartiesandtheiraccesstostudentdatahasintensifiedoverthepastdecade,notonlybecauseoftheuseofthirdpartyapps,butalsobecausemostschoolsoutsourcetheelectronicstorageofeducationalrecordstothirdparties:ninety-fivepercentofdistrictsrelyoncloud-basedservicesforadiverserangeoffunctions,includingdatastorage(“hosting”)relatedtostudentperformance,supportforclassroomactivities,studentguidance,andevencafeteriapaymentsandtransportationplanning.17

Whileitmayseemthatstudentandschooldatawouldbemoresecureifstoredonalocalcomputerwithoutaccesstotheinternet,likethepaperfilesofoldwerekeptintheschool’slockedbackoffice,suchacomputerissubjecttotheftanddamage.Storingdatathiswaywouldalsoremovemanyofthebenefitstechnologyhasbroughttoeducation,suchasensuringthattransientstudents’recordsfollowthemsotheydon’tfallbehind,orallowingparentstoknowhowtheirchildisdoinginclasslongbeforetheirmid-yearreportcard.

Itisalsoimpracticalfordistrictstobuildtheirowninternet-connectednetworkstostorestudentdata:mostschoolsanddistrictssimplydonothavethefinancialresources,technicalexpertise,orstaffingcapacitytodeveloptheirowninternalsystems.Ifschoolsanddistrictsdidcreatesuchsystemswithouthavingtheresourcestomanagethem,thelikelihoodthatstudentdatawouldbemismanagedorinappropriatelyaccessedwouldalsoincrease.Inaddition,suchsystemswouldhavetokeepupwithstateandfederallaws,whichwouldlikelyrequireconstantmonitoringbytheschooldistrict’slegalcounseltoverifythatthedistrictwasnotviolatingacomplicatedwebofprivacylaws.Finally,becausesomeaggregateandindividualizeddatamustbereportedatthestatelevel,adistrict-createdsystemcouldbeincompatiblewiththestate-levelsystem,requiringincreasedstafftimeandnewtechnologytomakethesystemscompatible.

Therefore,manyschoolsanddistrictscontractwithfor-profitandnonprofitpartnerstotransformtheirdataintoactionableinformation.Serviceprovidershavethecapacityandexpertisetosecurelymanageandanalyzedataandprovidetimely,usefulinformationtoparents,educators,schoolleaders,andpolicymakerswhouseittoadvancestudentsuccess.Amongthesethirdparties,“cloud”providersaredesignedtoprovidecomplex,sophisticatedprivacyandsecuritycontrols.Centralizedsystems,suchasstatewidelongitudinaldatasystemsandsystemsmanagedbyserviceprovidersinthecloud,ensurethatdatacollection,

17FordhamReport:PrivacyandCloudComputinginPublicSchool2013

10

storage,andaccessmeetauniformsetofprotectionsthatlimittheriskofinappropriateaccessanduse.

KeyDevelopments–theStudentPrivacyPledge

Whilemostvendorsacknowledgethevitalimportanceofstudentdataprivacy,theyalsowanttoensurethatanyadditionalprotectionsputinplacedonothindertechnologicalinnovationintheclassroomthatcouldhelpstudentssucceed:arepresentativefortheSoftwareandInformationIndustryAssociation,whichrepresentsmanyeducationtechnologycompanies,observedthatpolicymakerslookingtopassnewlawsorpoliciesshouldassurethatthese“newlegislativerequirements…providelocalcommunitiesandschoolofficialswithsufficientflexibilitysothatgovernmentactionsintendedtocreateaprivacyandsecurityfloordonotunintentionallycreateadigitallearningceiling.”18

However,thecomputerandtechindustrieshaverecognizedthepublic’sconcernsaboutdataprivacyandsecurity.AsdatasecurityexpertTomGalvinexplained,businesses“usedtoworryaboutwhohadthefastestspeedorthemostpowerorthemostmemory.Nowtheyhavetoworryaboutwhetherconsumersaregoingtofundamentallytrustthem.”19Thisconcernhasledthemtotakeseveralimportantstepstowardself-regulation.

In2014,theSoftwareandInformationIndustryAssociationandtheFutureofPrivacyForumintroducedalegallybindingstudentdataprivacypledge.20Over200companieshavesignedthepledgesinceitlaunched,andPresidentObamadiscussedthepledgefavorablyinhisspeechondataprivacyinJanuary2015,wherehestatedthathisadministrationwouldnothesitatetocalloutcompanieswhodidnotsignontoit.

Butsomeprivacyexpertsnotethatthispledgeandotherself-imposedcompanyguidelinesmaynotbesufficienttodeterso-called“badactors”—softwareproviderswhowanttoexploitchildren’sinformationandwhowilltakeadvantageofholesincurrentlawstodoso.Inordertofillthisgap,stateslikeCaliforniahavecreatedlawsthatdirectlyregulatethirdparties.Yetitisimportanttorememberthatmanyoftheconcernsparentshaveaboutthirdpartiesandstudentdata—includingworriesthatcompanieswillusestudentdatatomarkettochildren—arealreadyillegalunderexistingfederallaws,and“badactors”havenotyetbeennamed.

LegalOverview

TheFamilyEducationalRightsandPrivacyActof1974(FERPA)isthemainfederallawthatprotectstheprivacyofstudentinformation,andisthebasisformoststateeducationalprivacylaws.Ingeneral,FERPAprotectsstudents’educationrecordsfrom

18http://www.siia.net/blog/index.php/2014/05/siia-student-privacy-policy-guidelines-at-california-testimony/19Byers,Alex."PrivacyasaPRPush."POLITICO.September26,2014.http://www.politico.com.20http://studentprivacypledge.org/.

11

disclosuretopeopleoutsidetheeducationsystem,butmakesanexceptionfor“directoryinformation,”whichcanbereleasedwithouttheconsentoftheparentorstudentage18orolder(“eligiblestudent”)..

FERPAidentifiesfourrightsthatparents,guardians,orstudentsage18andolderhaveinregardtothestudent’seducationrecordanddirectoryinformation:1. Inspect.Parentshavetherighttoinspectandreviewtheirchild’seducationrecords.2. Correct.Parentshavetherighttorequestthattheschoolcorrectoramendtheirchild’s

educationrecordswhentherecordsareinaccurateormisleading.Iftheschooldecidesnottoamendtherecords,thenthestudent(orparent/guardian)hastherighttoaformalhearing.

3. Release.Schoolsmustobtainthewrittenpermissionofparentstoreleaseany

informationfromtheirchild’seducationrecords,withcertainexceptions.Schoolsmayreleaserecordstothefollowingpartieswithoutconsent:• Schoolofficialswithlegitimateeducationalinterest;• Otherschoolstowhichastudentistransferring;• Specifiedofficialsforauditorevaluationpurposes;• Appropriatepartiesinconnectionwithfinancialaidtoastudent;• Organizationsconductingcertainstudiesfororonbehalfoftheschool;• Accreditingorganizations;• Authorizedpartiesinacourtcase,tocomplywithajudicialorderorlawfullyissued

subpoena;• Appropriateofficials,incasesofhealthandsafetyemergencies;and• Stateandlocalauthoritieswithinajuvenilejusticesystem,pursuanttospecificstate

law.4. Optout.Schoolsmustgiveparentstheopportunitytooptoutofhavingtheirchildren’s

directoryinformationpublished.21

Inresponsetostaterequestsforclarification,DepartmentofEducationregulatoryguidanceforFERPAwasupdatedin2008,andagainin2011.Theseupdatesallowschoolstoconsidercontractors,consultants,volunteers,orotherpartiestowhomtheschoolhasoutsourcedinstitutionalservicesorfunctionsas“schoolofficials”underFERPA.22Thismeansschoolsmaydisclosestudentinformationtothesepartieswithoutparentalconsent.However,thesepartiesmaynotdisclosetheinformationtoanyoneelse,andmayusetheinformationonlyforthepurposesforwhichthedisclosurewasmade.23The2011updateallowsschoolstoincludestudentidentificationnumberswithdirectoryinformationonlyif

2134CFR§992234CFR§99.312334CFR§99.33

12

thenumberscannotbeusedtogainaccesstoeducationrecords.24Outsourcinginformationtothosepartieswasalreadyacommonpracticebyschoolsatthattime;theFERPAupdatessimplyclarifiedthatthiswasacceptableunderthelaw.

ComplianceandEnforcement

FERPAisa“spendingclause”statute,meaningthatschools,districts,andstateagenciesmustfollowitsprovisionstobeeligibletoreceivefederalfunds.Therefore,asapracticalmatter,allstatesmustadheretotheprovisionsinFERPA.TheFamilyPolicyComplianceOffice(FPCO)investigatescomplaintsbystudentsandparentsorguardiansregardingschool,district,agency,orvendorcompliancewithFERPA.

FPCOwillusuallyworkwiththeschool,district,orstateagencytohelpitcomeintocompliancewiththelawbeforemovingtowithholdfunds.IfathirdpartyvendorisfoundtohaveviolatedFERPA,itcanbeexcludedfromhavingaccesstostudentinformationforuptofiveyears.However,noschoolorvendorhaseverbeenpunishedforviolatingFERPAthroughwithholdingfundsorexcludingaccesstostudentinformation.

Aspartofthe2011FERPAregulationchanges,theU.S.DepartmentofEducationestablishedthePrivacyTechnicalAssistanceCenter(PTAC)tohelpschools,districts,andeducationpolicymakerswithdataprivacyconcernsrelatedtostudent-levellongitudinaldatasystems.Inaddressingstudentprivacy,accordingtoPTACguidance,“[s]choolsanddistrictsareencouragedtorememberthatFERPArepresentsaminimumsetofrequirementstofollow.”25PTACprovidesinformationandtrainingmaterialsandcanofferdirectassistancewhenneeded.

COPPAEnforcedbytheFederalTradeCommission,theChildren’sOnlinePrivacyProtection

Act(COPPA)regulateshowcommercialentitiesmaycollectandusepersonalinformationfromchildrenundertheageofthirteen.Thelaw’sprimarypurposeistoputparentsincontrolofinformationcollectedfromtheiryoungchildrenonlinebyrequiringtheirpriorconsentforthecollectionanduseofthatinformation.

COPPAallowsschoolstoconsentonbehalfofparentstoinformationcollectionbythird-partywebsiteoronlineserviceproviderswhocollectandusestudentpersonalinformationsolelyforthebenefitoftheschools,butfornoothercommercialpurposes.Additionally,eveniftheschoolconsentsfortheparents,theoperatormuststill“providetheschoolwithalltherequirednotices…anduponrequestfromtheschool,mustprovideadescriptionofthetypesofpersonalinformationcollected;anopportunitytoreviewthe

2434CFR§99.325PTAC,ProtectingStudentPrivacyWhileUsingOnlineEducationalServices:RequirementsandBestPractices,2014,p.5.

13

child’spersonalinformationand/orhavetheinformationdeleted;andtheopportunitytopreventfurtheruseoronlinecollectionofachild’spersonalinformation.”26

Inaddition,theschoolmaywanttomakeavailabletheoperators’directnoticesregardingtheirinformationpracticesforinterestedparents.

PPRASchoolsmustalsoconsidertheirobligationsundertheProtectionofPupilRights

Amendment(PPRA)tohavepoliciesinplaceandtoprovidedirectnoticetoparentsregarding“rightsofparentstoopttheirchildrenoutofparticipationin,activitiesinvolvingthecollection,disclosure,oruseofpersonalinformationcollectedfromstudentsforthepurposeofmarketingorsellingthatinformation(orotherwiseprovidingtheinformationtoothersforthatpurpose).”27

WhenschoolsadministersurveysandconductanalysesorevaluationsfundedbytheU.S.DepartmentofEducation,suchassurveysthathelpstudentsdiscoverwhatcareerstheymightexplore,PPRAdefinestherulestheymustfollow.PPRArequiresthat“schoolsandcontractorsmakeinstructionalmaterialsavailableforinspectionbyparentsifthosematerialswillbeusedinconnectionwith[aU.S.DepartmentofEducation]-fundedsurvey,analysis,orevaluationinwhichtheirchildrenparticipate.”28AsspecifiedbytheU.S.DepartmentofEducation,schoolsmustalsoobtainwrittenconsentfromparentsorguardiansbeforeminorstudentsareallowedtoparticipateinsurveysthataskquestionsregardingthefollowing:

• politicalaffiliations;• mentalandpsychologicalproblemspotentiallyembarrassingtothestudentand

his/herfamily;• sexualbehaviorandattitudes;• illegal,anti-social,self-incriminatinganddemeaningbehavior;• criticalappraisalsofotherindividualswithwhomrespondentshaveclosefamily

relationships;• legallyrecognizedprivilegedoranalogousrelationships,suchasthoseoflawyers,

physicians,andministers;• religiouspractices,affiliations,orbeliefsofthestudentorstudent’sparent[or

guardian];or• income(otherthanthatrequiredbylawtodetermineeligibilityforparticipationin

aprogramorforreceivingfinancialassistanceundersuchprogram).29

26https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions#Schools27FederalTradeCommission,ComplyingwithCOPPA:FrequentlyAskedQuestions,March201528(citationneeded)29(citationneeded)

14

PPRAisalsoenforcedbytheFPCO.ParentscanfilecomplaintswithFPCO,andschoolscouldlosefederalfundingiftheydonotcomplywithPPRAnoticeprocedures.However,aswithFERPA,FPCOwillworkwithschoolstocomeintocompliance;todatenoschoolhaseverlostfundingfornotcomplyingwithPPRAnoticeprocedures.

StateLawsGenerally

Priortostudentdataprivacytakingoffasanissuein2014,manystateshadpreexistingprivacylaws.Somestateshaveprivacylawsthatarenotspecifictoeducationbutstillaffecteducationaldata.Forexample,10stateconstitutionshaverecognizedarighttoprivacy,30andmanymorehavegeneralprivacyprotectionsinplacefortheircitizens.Theselawsaffectstudents,teachers,schools,anddistricts.Manystateshavespecificlawsregardingthedisposalofrecordsthatcontainpersonalinformation.31Somestatesalsorequiregovernmententitiestohaveawrittenprivacypolicyinplace.32Andsome,suchasCalifornia,requiregovernmentagenciestohaveaspecificpersonresponsibleforcompliancewithprivacylaw.33

Statescangivestudentsadditionalprivacyprotections,andmanyhave:atleast35stateshavepassedlawssupplementingFERPA;3445maketheirdataprivacypoliciespublicallyavailable;48stateeducationagencieshaveestablishedgovernancebodieschargedwithmanagingthecollectionanduseofdata,includinghowthatdatawillbekeptsecureandconfidential;and45haveestablishedpoliciesthatdeterminewhattypeofdataisavailabletoselectstakeholders,suchasteachersandprincipals,whowilluseittoimproveinstruction.

Thenumberoflawsdirectlyregulatingstudentprivacyhasdramaticallyincreasedinthepastthreeyears.Since2014,49stateshaveintroducednearly400studentprivacybills,withatleast100billsintroducedeachyear.Thirty-fivestateshavepassed73lawssince2013.Generally,theselawseitherregulateeducationalagenciesandinstitutions,suchasschools,districts,andstateeducationagencies,orregulatethirdparties.

Thirty-threestateshaveintroducedeitheraversionofCalifornia’sSOPIPAora

similarpieceoflegislationthatregulatesindustryknownastheSUPER(“studentuserprivacyineducationrights”)Act,and12stateshavepassedthosebillsintolaw.

30“Constitutionsintenstates—Alaska,Arizona,California,Florida,Hawaii,Illinois,Louisiana,Montana,SouthCarolina,andWashington—expresslyrecognizearighttoprivacy.”NationalConferenceofStateLegislatures,PrivacyProtectionsinStateConstitutions,December11,2013.31“Atleast30stateshaveenactedlawsthatrequireentitiestodestroy,dispose,orotherwisemakepersonalinformationunreadableorundecipherable.”NationalConferenceofStateLegislatures,DataDisposalLaws,December26,2013.32Cf.AlaskaStat.§45.48.530;Ariz.Rev.Stat.Ann.§41-4152;Colo.Rev.Stat.§6-1.713;N.J.Stat.56:8-16233Cal.Civ.Code§1798.22:“Eachagencyshalldesignateanagencyemployeetoberesponsibleforensuringthattheagencycomplieswithalloftheprovisionsofthischapter.”34Epic.org,StudentPrivacy

15

SOPIPA,SUPER,andotherrecentstudentprivacylawsimposedirectliabilityonedtechoperators.FERPA,whichisenforcedbytheU.S.DepartmentofEducationisonlydirectlyenforceableagainst“educationalinstitutionsreceivingfederalfunds”–whichequatestomostpublicschools.EvenifathirdpartyvendorpracticecausestheschooltobeinviolationofFERPA,DOEmayonlyholdtheschoolliable.Anyliabilitybytheschoolserviceproviderwouldsimplybethroughitscontractwiththeschool.TheentirepurposeofstatesseekingtopassSOPIPA,SUPER,andotherstudentprivacylawsistodirectlyregulateprivatecompaniesthatarenowsofrequentlyworkingdirectlywithstudentsaspartofthe

SOPIPA

TheStudentOnlinePersonalInformationProtectionAct(SB1177,orSOPIPA)isaCaliforniastudentdataprivacyregulationsignedintolawonSeptember29,2014,andineffectsinceJanuary1,2016.IthasbeendescribedbyCaliforniaStateSenatePresidentProtemporeDarrellSteinberg(D-Sacramento)asalawthat“fostersinnovationandprotectskids’privacy.”35

Itiswrittenbroadly,providingnewandextensivedataprivacyprotectionsforK-12studentsinCaliforniaandunprecedentedadvertisingrestrictions.

SOPIPAiscomplementedinCaliforniabytheprivacyofpupilrecordsprovisionoftheCaliforniaEducationCode49073.136(commonlyreferredtoasAB1584),whichauthorizeseducationalagenciestocontractwiththirdpartytechnologyprovidersforeducationalsoftwareorforstorageandmanagementofpupilrecords.TheCoderequiresthatcontractsbetweenvendorsandschoolsystems:

• Statethatpupilrecordsarethepropertyofandunderthecontrolofthelocaleducationalagency

• Specifywhatmeasuresatechnologyproviderwilltaketoensurethesecurityandconfidentialityofpupilrecords

• ExplainhowthetechnologyproviderandeducationalagencywilltogetherensurecompliancewiththeFamilyEducationalRightsandPrivacyAct(FERPA)

• Prohibitthirdpartiesfromusinganyinformationinthepupilrecordforanypurposeotherthanthoserequiredorpermittedbythecontract.

• Explainhowtheparentoreligiblepupilmayreviewandcorrectpersonallyidentifiableinformationinthepupil’srecords

• Explainhowaffectedparentsoreligiblepupilswillbenotifiedintheeventofunauthorizeddisclosureofthepupil’srecords

• Certifythatthepupil’srecordswillnotberetainedoravailabletothevendoruponcompletionofthetermofthecontractandhowthatwillbeenforced

35http://blogs.edweek.org/edweek/DigitalEducation/2014/09/_landmark_student-data-privacy.html36http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=EDC&sectionNum=49073.1

16

• Prohibituseofpersonallyidentifiableinformationinpupilrecordstoengageintargetedadvertising

• Describehowpupilsmayretainpossessionandcontroloftheirpupil-generatedcontent,ifapplicable

• Contractsthatdon’talignwithAB1584canbeconsideredvoid.Together,SOPIPAandAB1584createacomprehensivesuiteofdataprivacyregulationsforoperatorsinCalifornia.WhoMustComply?

SOPIPAappliestooperatorsofwebsites,onlineservices(includingcloudcomputingservices),onlineapplicationsormobileapplicationswithactualknowledgethattheirsite,serviceorapplicationisusedprimarilyforK-12schoolpurposesandwasdesignedandmarketedforK-12schoolpurposes.

SOPIPAdoesnotapplytooperatorsofgeneralaudienceproducts,evenifthoseproductsareaccessiblethroughaK-12operator’sproduct.Forexample,ifanoperatordesignsandmarketsaneducationalwebsiteforK-12schoolpurposes,andincludesalinktoageneralaudiencesocialmediaorvideoplatformonthewebsite,itislikelythattheeducationalwebsitewillneedtocomplywithSOPIPA,butthegeneralaudiencesocialmediaorvideoplatformwouldbeexempt.

AnoperatordoesnotneedtohaveacontractwithaschoolordistrictinordertobesubjecttoSOPIPA.Instead,theneedtocomplyisdeterminedbytheuse,designandmarketingoftheproduct.

Whatis“ActualKnowledge”?

Itmayseemobvious,butthisquestionwasasubjectofmuchdiscussionpriortotheFederalTradeCommission’s(FTC)2012updateoftheChildren’sOnlinePrivacyProtectionAct(COPPA).Thefocustherewasonhowandwhenathirdpartywouldbedeemedtohave“actualknowledge”thatitwasoperatingonachild-directedsite.

SOPIPAissilentonthequestion.However,theexistingFTCstandardseemsto

provideareasonableguide.TheFTCnotedthattheactualknowledgestandardwaslikelytobemetwhenan

operatoreithercommunicatedthenatureofitscontenttothethirdpartyorwhenarepresentativeofthethirdpartyrecognizedthenatureofthecontent.

TheFTCfurthernotedthat,whileotherfactsmightalsobesufficienttoestablish

actualknowledge,suchfactswouldneedtobeanalyzedcarefullyonacase-by-casebasis.37

37https://www.ftc.gov/system/files/documents/federal_register_notices/2013/01/2012-31341.pdf

17

IfyouaretoldthatyourproductisusedprimarilyforK-12schoolpurposesoryouotherwiseidentifythatasbeingthecase,youhavelikelymetthe“actualknowledge”standard.Whatare“K-12SchoolPurposes”?

UnderSOPIPA,K-12SchoolPurposeshasseveralkeymeanings,eachofwhichhelpsclarifytheusecasescoveredbytherestrictions.Overall,theyarepurposesthatcustomarilytakeplaceatthedirectionoftheK–12school,teacher,orschooldistrict–meaningthosedirectactivitiestraditionallyandroutinelydonebytheschoolaspartofcarryingouttheeducationofitsstudents.

Further,K-12purposesmaybesecondaryactivitieswhichaidoftheadministrationofschoolactivities,includingintheclassroomorathome,byschooladministration,betweenstudents,schoolpersonnel,orparents,orotherwisefortheuseandbenefitoftheschool.

Similarly,theSUPERbillsincludeconsistentlanguageintheirdefinitionofa“schoolservice.”Inthoselaws,schoolservicemeansawebsite,mobileapplication,oronlineservicethat:

(a)isdesignedandmarketedprimarilyforuseinaK-12school;(b)isusedatthedirectionofteachersorotheremployeesofaK-12school;and(c)collects,maintains,orusesstudentpersonalinformation.

Withinthisdefinition,SUPERlawsexpresslyexcludewebsites,mobileapplications,or

onlineservicesthataredesignedandmarketedforgeneraluse,eveniftheyarealsomarketedinawaythatincludespromotionstoK-12schools.Thismeansthatcommonmarketproducts–awordprocessingprogram,anadministrativemanagementtool,evensomechildren’sappsorgames–thatarenotspecificallydesignedforaneducationalpurposeandmarketeddirectlytoschoolsarenotcoveredbythelimitationsofthebill.

SOPIPAhasthesameexception,asdoesalmosteverystudentprivacylawinthecountry,regardlessofmodelorigin.Thisisafrequentlymisunderstoodexclusion,butsimplymeansthattheselawsdonotapplytothewidevarietyoftoolsavailabletothegeneralpublic,eveniftheyarealsousedbyschools.Avendorsellingtoolsorprovidingservicesdesignedforthegeneralpublicisn’tobligatedtoredesignthemjustbecauseschoolspurchasetheproductsorstudentshappentovisitthewebsites.

Theuseofthesegeneralproductsisstillcoveredbyexisting,separatefederalandstatelaws,whichmakeitclearthatschoolsarerestrictedfromrequiringstudentstosharedataexceptforappropriateeducationalpurposes.Ifaschoolpurchasesageneralaudienceproductandrequiresstudentstouseit,itisstillultimatelyresponsibleformakingsurethatthetoolcomplieswithprivacyregulationsthatapplytotheschool.

18

WhatInformationIsProtectedUnderSOPIPA(“CoveredInformation”)?

SOPIPAprotectsawiderangeofstudentinformation,referredtoas“coveredinformation.”Itincludesinformationprovidedbythestudent,andinformationprovidedaboutthestudentbyschoolrepresentatives,parentsandlegalguardians.

Coveredinformationisdefinedaspersonallyidentifiableinformationormaterials,regardlessofmediaorformat,whichmeetanyofthefollowingcriteria:

• Createdorprovidedbyastudent,orthestudent’sparentorlegalguardian,toanoperatorinthecourseoftheiruseoftheoperator’ssite,service,orapplicationforK-12schoolpurposes

• CreatedorprovidedbyanemployeeoragentoftheK-12school,schooldistrict,localeducationagency,orcountyofficeofeducation,toanoperator

• Gatheredbyanoperatorthroughtheoperationofasite,serviceorapplicationandisdescriptiveofastudentorotherwiseidentifiesastudent,including,butnotlimitedtothese29items:

Informationinthestudent’seducationalrecordoremail~Firstandlastname~Home

address~Telephonenumber~Emailaddress~Otherinformationthatallowsphysicaloronlinecontact~Disciplinerecords~Testresults~Specialeducationdata~Juvenile

dependencyrecords~Grades~Evaluations~Criminalrecords~Medicalrecords~Healthrecords~Socialsecuritynumber~Biometricinformation~Disabilities~Socioeconomicinformation~Foodpurchases~Politicalaffiliations~Religiousinformation~Text

messages~Documents~Studentidentifiers~Searchactivity~Photos~Voicerecordings~Geolocationinformation

Mostdataelementscategorizedas“coveredinformation”underSOPIPAarealready

protectedaspersonallyidentifiableinformationunderfederallaws.Forexample,withinFERPA,personallyidentifiableinformationincludes,butisnotlimitedtonameandaddressofthestudentandfamilymembers,personalidentifiersorbiometricrecords,indirectidentifiersandtheverybroadlyinclusive:“otherinformationthat,aloneorincombination,islinkedorlinkabletoaspecificstudentthatwouldallowareasonablepersonintheschoolcommunity,whodoesnothavepersonalknowledgeoftherelevantcircumstances,toidentifythestudentwithreasonablecertainty,orinformationrequestedbyapersonwhotheeducationalagencyreasonablybelievesknowstheidentityofthestudenttowhomtheeducationrecordrelates.38

COPPAcharacterizespersonalinformationtoincludenotonlyname,address,online

identifiers,photosandvideosthatcontainachild’slikenessandaudiofilesthatcontainachild’svoice,butalsogeolocation“sufficienttoidentifyastreetnameandnameofacityortown,”aswellaspersistentidentifiersthatcanbeusedtorecognizeauserovertimeandacrossdifferentWebsitesoronlineservices.39 3834CFR§99.33916CFR§312.2

19

UnderSOPIPA,theterm“coveredinformation”ismeanttoinclude“personally

identifiableinformation,”butunlikeinmanylaws,“personallyidentifiableinformation”isnotdefinedinSOPIPA.Thiscreatescompliancechallengesforoperators,becauseeachoperatorneedstoassessthedataprovidedbythestudentorbyteachersandparentsaboutthestudent,anddetermineifitcouldbeconstruedaspersonallyidentifiable.

Thelackofspecificityinthelistofitemsdeemedtobecoveredinformationcompoundstheissue.Forexample,coarsegeolocation,sufficienttoidentifycountry,stateorcity,isnotusuallyconsideredtobepersonallyidentifiableor“descriptive”ofastudentunlesscombinedwithotheridentifiableinformation.Capturingcoarsegeolocation(suchasstate)maybeusefulforoperatorstoinformstudentsaboutstate-specificscholarships,ortoblockadsfromstudentsandparentsinthestate.

However,giventhatSOPIPAissilentonthequestionofwhatispersonallyidentifiable,andthatitoffersnodistinctionbetweencoarseandfinegeolocation,operatorsmusteachmakeajudgmentaboutwhatwouldbeconsideredcompliant.

Inaddition,coveredinformationincludesinformationthatis“descriptiveorotherwiseidentifiesastudent.”However,whatisdescriptiveisnotoften“otherwiseidentifiable.”Astudentmaybedescribedas12yearsold,withbrownhairandbrowneyes,butonewouldnotcharacterizethatas“identifiable”unlessdealingwithanexceptionallysmallpopulationorcombiningthosedescriptorswithotherinformation.

Operatorsalsomustexercisetheirownjudgmenttodeterminewhich“documents”

areandarenotcategorizedasdescriptiveoridentifiable.Althoughthelawreferences“allmedia,regardlessofformat,”documentsinparticulararecalledoutseparatelywithnoexplanation,andsoshouldbecarefullyevaluatedforpossiblerelevanceunderthissection.

Operatorswillneedtousecareandcautionwhenworkingthroughthefactors,assesstheirriskandmakeareasonabledeterminationaboutwhatdataisactuallycovered.OneofthepitfallsofSOPIPAisthat–intheabsenceofofficialguidance–suchdeterminationsmayvarywildlyacrossindustry,orbywhatrequirementsmaybesetindifferentschooldistricts,makingstate-widecompliancechallengingorpotentiallycontradictory.SpecificRequirementsofSOPIPAforEdTechVendorsUnderSOPIPA,operatorsmaynot:

• Engageintargetedadvertisingontheirsite,serviceorapplication,ortargetadvertisingonanyothersite,serviceorapplicationwhenthetargetingisbasedonanyinformation,includingcoveredinformationandpersistentuniqueidentifiers,thathasbeenacquiredbecauseoftheuseofthatoperator’ssite,serviceorapplication

20

• Useinformation,includingpersistentuniqueidentifiers,createdorgatheredbytheoperator’ssite,serviceorapplication,toamassaprofileaboutaK-12student,exceptinfurtheranceofK-12schoolpurpose

• Sellastudent’sinformation,includingcoveredinformation• Disclosecoveredinformationexceptinspecific,limitedcircumstances

Operatorsmust:

• Implementandmaintainreasonablesecurityproceduresandpracticesappropriatetothenatureofthecoveredinformation

• Protectcoveredinformationfromunauthorizedaccess,destruction,use,modification,ordisclosure

• Deleteastudent’scoveredinformationifrequestedbytheschoolordistrictthatcontrolstheinformation40

WhatisTargetedAdvertising?

ThisisoneofthemostcomplexprovisionsofSOPIPA,primarilybecauseitisnotclearlydefined.Asaresult,theprohibitioncreatesasignificantcompliancechallengeforoperators,andleavesschoolsandoperatorswithalackofclarityabouttheroleofadsupportedtechnologyineducation.Formoreonthequestionssurroundingtargetedadvertising,seetheDiscussionAnnex.WhenCananOperatorDiscloseCoveredInformation?

Coveredinformationmaybedisclosedonlyto:• FurthertheK-12purposeofthesite,serviceorapplication,providedthatthe

recipient:• Doesnotthendisclosetheinformationunlesstoalloworimproveoperability

andfunctionalitywithinthestudent’sclassroomorschool;and• Islegallyrequiredtoimplementandmaintainreasonablesecurityprocedures

andpracticesappropriatetothenatureofthecoveredinformation,andprotectthatinformationfromunauthorizedaccess,destruction,use,modificationanddisclosure

• Ensurelegalandregulatorycompliance• Respondtoorparticipateinjudicialprocess• Protectthesafetyofusersorothers,orthesecurityofthesite• Astateorlocaleducationalagency,includingschoolsandschooldistricts,forK-12

schoolpurposes,aspermittedbystateorfederallaw

40The“schoolofficial”exceptionundertheFamilyEducationalRightsandProtectionsAct(FERPA)alreadyrequiresthatoperatorsbeunderthe“directcontrol”oftheeducationalagencyasaconditionofreceivingstudentdata.http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=16796a773ac48f980cdfaed80b1fa94a&rgn=div5&view=text&node=34:1.1.1.1.33&idno=34

21

• Aserviceprovider,whentheoperatorcontractually:• Prohibitstheserviceproviderfromusinganycoveredinformationforany

purposeotherthanprovidingthecontractedserviceto,oronbehalfof,theoperator

• Prohibitstheserviceproviderfromdisclosinganycoveredinformationprovidedbytheoperatorwithsubsequentthirdparties

• Requirestheserviceprovidertoimplementandmaintainreasonablesecurityproceduresandpracticesasdescribedabove

HowCanOperatorsUseStudentInformation?

Operatorsmayusestudentdatatoconduct:• Legitimateresearch,definedas:

o Requiredbystateorfederallawandsubjecttotheapplicablelegalrestrictions

o Allowedbystateorfederallawandunderthedirectionofaschool,schooldistrictorstatedepartmentofeducation,providedthatcoveredinformationisnotusedforanythingotherthantheK-12schoolpurposes

Operatorsmayusedeidentifiedinformationforproductimprovement,marketinganddevelopment:

• Withinanyoftheirownsites,servicesorapplicationstoimproveeducationalproducts

• Todemonstratetheeffectivenessoftheoperator’sproductsorservices,includingintheirmarketing.

Finally,operatorsmayuseaggregated,deidentifiedinformationtodevelopand

improveeducationalsites,servicesorapplicationsSOPIPARightsforStudents

UnderSOPIPA,studentsmaydownload,exportorotherwisesaveormaintaindataordocumentsthattheycreate.Thisisanimportantnoteforoperators,asitallowsforanindependentrelationshipwiththestudentuser,whomaywishtomaintaincontinuityoftheirworkovertime.ItisaprovisionthatisnotalwaysbeingincludedinotherstatelawsthataremodeledafterSOPIPA.SchoolandDistrictGuidanceonSOPIPA–WhattoExpect

WhileSOPIPAappliestotechnologyproviders,schoolsanddistrictswanttoensurethatoperatorscomplywithSOPIPAbeforeengaging.AfewdistrictsinCaliforniahaveissuedguidancetoschools.However,theguidanceislimitedandvarieswidely.

22

GuidanceavailablefromtheLosAngelesUnifiedSchoolDistrict,41whichpredatespassageofSOPIPA,notes:

“Indeed,asecondarymarketofapplicationor‘App’developmentand

educationalproductadvertisinghasevolvedaroundtheseonlineservicesthatholdstudentpersonalinformation.Developersareusingstudentdatatodesignnewapplicationsthatcanbesoldonthesein-systemK-12onlinesitesor‘stores.’‘Apps’purchasedinthese‘stores’oftentimeshavenoprivacypolicypresentedduringthepurchase.Thisisleavingstudentpersonalinformationvulnerableforahostofusesnevercontemplatedbythestudentsoreducators.Currentfederalandstateprivacylawsaredeficientinprotectingstudentpersonalinformation.ItisimperativethatonlinecompaniesthatmarkettheironlinesitestoschoolsandstudentsforK-12schoolpurposesensurethatthesensitiveinformationtheyholdregardingCaliforniastudentsremainssafe.”

WhenworkingwithschoolsanddistrictsinCalifornia,bepreparedforquestions,

andagooddealofanxiety.

Severaldistrictsrequirethatvendorsanswerchecklistsintheformof“yes/no”questionsthatlistkeyprovisionsofbothSOPIPAandAB1584.Unfortunately,someofthesechecklistsdonotalwaystracklegalrequirements,creatingsomeconcern.

Whenitcomestostandardizedorprescribedcontractlanguage,someschoolsordistrictsdonotallowoperatorstocorrectmistakesinproposedcontractterms,ortostrikelanguagethatisnotapplicabletotheproduct.Assuch,operatorsmaybeforcedtofindalternativewaystocalloutcontractualprovisionsthatarenotrelevant,orinextremecases,maychoosetonotservethatdistrict.

OnedistrictincludesastandardizedrequirementthatoperatorsguaranteecompliancewiththeentireCaliforniaEducationCode.Sincethecodedealswithawidevarietyoftopics,includingsexequity,violenceprevention,countyboardsofeducation,electionconduct,childcarefacilities,bonds,retirementandmorethatisnotapplicabletotechnologyproviders,thisissomethingofamisfitforproviderstoassert,whenitwouldbemoreappropriatetospecifyonlythe49073.1 provisions,whichareapplicable.

Someschoolsanddistrictsremainunfamiliarwiththedetails,orsometimeseventhebroadoutlines,ofthenewlaws,andinthosecases,theburdenisparticularlystrongonthevendortoensurethatbothsidesareawareoftherequirements,sotheycanworkinpartnershiptofulfillthem.

Somedistrictsdonothaveprivacypoliciesontheirownwebsitesordonotdisplaythemprominently,andareotherwisestrugglingwiththeirowncompliancepractices.TheyarealsofrequentlydelayingdevelopmentoftheirownSOPIPA-basedrequirementsinthe41http://home.lausd.net/apps/search/?q=sopipa&x=0&y=0

23

expectationthatthestatewillprovidemoredetailedinstruction.Untilthathappens,ifitdoes,patience,knowledge,flexibilityandguidancefromthevendorwillbeinvaluabletoeasethefears,ensurecomplianceandhelpincraftingbalancedandlegallyenforceablecontracts.

GuidancefromtheStateofCalifornia

GuidanceemergingfromtheStateAttorneyGeneral’sofficeisintheformof“recommendedpractices.”SinceitisnotbeingissuedasbindingregulatoryinterpretationtoensurecompliancewithSOPIPA,itdoesnotcarrytheweightoflaw.Whileitprovidesasensibleapproachtosomeareasofprotectingstudentprivacy,itdoesnotfurtherclarifysomeofthevaguertermsandrequirementsinSOPIPA.Assuch,operatorswillstillbeartheresponsibility,inconjunctionwithguidancefromcounsel,todeterminetheirthresholdsforcompliance.Itmaybethatsubsequentlegalchallengesarewhatendupdefiningthetruescopeofthelaw.LegalRemedies

TheenforcementauthorityandlikelihoodofactionunderSOPIPAareotheraspectsthatdivergesignificantlyfromFERPA.UnderFERPA,individualsdonothaveaprivaterightofaction–onlyDoEdmaybringaclaimagainstaneducationalinstitutionforaviolation.However,sincethewithholdingoffederalfundsassociatedwithaFERPAviolationresponsecouldhaveextremeconsequencesforaschoolordistrict,FERPAbudgetarywithholdinghasneverbeenimplemented.

Incontrast,SOPIPAprovidesaprivaterightofaction,inadditiontoactionswhichmaybebroughtbythestateAttorneyGeneral,soitisforeseeablethatenforcementactionsmayoccurmoreoftenandallowformoregraduatedpenalties.Nevertheless,beyondestablishingwhomaybringaclaimbyvirtueofitbeingenforcedundertheCaliforniaBusinessCode,SOPIPAcontainsnoprovisionsforitsownenforcement.

Currently,violationsareexpectedtobeaddressedunderCalifornia’sfar-reachingUnfairCompetitionLaw(“theUCL”),42whichdefines“unfaircompetition”toincludevirtuallyanyunlawfulbusinesspractice.43TheUCLauthorizesenforcementproceedingsbygovernmentofficialssuchastheAttorneyGeneral,districtattorneys,countycounselandcityattorneysand,inmorelimitedcircumstances,byprivateindividualsandentities.44Acourtmayissueaninjunction,requiringthewrongdoertostoptheviolation.Thecourtalsomayorderrestitutionintheformofreturnofmoneyorpropertylostasaresultoftheoffendingconduct,45oritmayimposecivilpenalties.TheUCLmakesclearthatitsremedies

42SeeCaliforniaBusinessandProfessionsCode,§§17200through17209.43UCL,§17200.SeealsoComm.OnChildren’sTelevision,Inc.v.Gen.FoodsCorp.,35Cal.3d197,210(1983).44UCL§17204.45SeeMadridv.PerotSystemsCorp.,130Cal.App.4th440,452,30Cal.Rptr.3d210(2005).

24

areintendedtosupplementotherexistinglaw,soitispossiblethatvictimsmaysimultaneouslyseekreliefundertheUCLandotherstatutesthatmayofferprotectionbasedonthesamefacts.46

TheUCLimposessignificantlimitationsontheabilityofprivateindividualsandentitiestosueunderthestatute.Formanyyears,privatepartieswerenotrequiredtoshowanyactualinjuryorfinancialharminordertobringalawsuitundertheUCLwhich,intheviewofthebusinesscommunityandtheLegislature,was“subjecttoabusebyattorneyswhouseditasthebasisforlegal‘“shakedown’”schemes”47andfrivolouslawsuits.48Buta2004amendmenttotheUCL,knownasProposition64,nowrequiresprivateplaintiffstoshowthatthey“sufferedinjuryinfactand...lostmoneyorproperty”asaresultoftheunfaircompetition.Thephrase“injuryinfact”isatechnicallegaltermintendedtopermitonlypartieswhohaveactuallysuffereddemonstrableharmtobringsuit,andtopreventlawsuitsbroughtinthepublicinterestbyindividualsororganizationswhohavenotsufferedharmthemselves.

Showing“injuryinfactand...lostmoneyorproperty”couldbeadauntingchallengeincasesinvolvingimproperdisclosureofonlinepersonaldata.SomedatabreachcasesdecidedundertheUCL,priortoSOPIPA,haveallowedsuitstogoforwardifplaintiffscouldatleastshowthattheypaidmoreforanoffendingcompany’sproductthantheywouldhavehadtheyknownofthecompany’sshoddydatasecuritymeasures.49Butunlawfuldatingmining,targetedadvertisingandotherpracticesprohibitedbySOPIPAmaynotinvolvepaymentofmoneybytheaggrievedparty,renderingeventhislowthresholdofproofimpossibletomeetinmanycases.Thiswillbemadeevermorechallengingbyplaintiffsgiventhelackofspecificityinkeyprovisionsofthelaw.

SincethesameeventstriggeringaviolationofSOPIPAmayalsobesueduponiftheyviolateotherlaw,itcanbeanticipatedthatcreativeplaintiffs’counselwillattempttodevelopviabletheoriesofliabilityundertheCaliforniaConstitution’srightofprivacyclause,50andotherstatestatutes.SinceSOPIPAjustbecameeffectiveinJanuary2016,however,itistoosoontoassesshowreceptivetheCaliforniacourtswillbe.Notwithstandingtheviabilityofspecificlegalclaims,sincevendorswhoarethesubjectof46UCL§17205.47SeeBucklandv.ThresholdEnterprises,Ltd.,155Cal.App.4th798,812,66Cal.Rptr.3d543(2007),disapprovedonothergroundsinKwiksetCorp.v.SuperiorCourt,51Cal.4th310,337,120Cal.Rptr.3d741,246P.3d877(2011).48SeeCaliforniansforDisabilityRightsv.Mervyn’sLLC,39Cal.4th223,228,46Cal.Rptr.3d57,138P.3d207(2006).49InreAnthem,Inc.DataBreachLitigation,____F.Supp.3d____,2016WL589760(N.D.Cal.2016);InreAdobeSystems,Inc.PrivacyLitigation,No.13-CV-05226-LHK,2014WL4379916(N.D.Cal.2016)*16(N.D.Cal.2014).SeealsoInreSonyGamingNetworks&CustomerDataSecurityBreachLitigation,No.11MD2258AJBMDD,2014WL223677(S.D.Cal.2014).50ArticleI,section1oftheCaliforniaConstitutionprovides:“Allpeoplearebynaturefreeandindependentandhaveinalienablerights.Amongtheseareenjoyinganddefendinglifeandliberty,acquiring,possessing,andprotectingproperty,andpursuingandobtainingsafety,happiness,andprivacy.”

25

suchactionsarelikelytoexperiencereputationalharm,theymaywanttoconsideraconservativeapproachandpractice.

WhichStatesAreFollowingCalifornia’sLead?SeventeenstateshavepassedlawsthatresembleortakeinspirationfromSOPIPA,resultingin18newlaws:

ArkansasHB1961~CaliforniaAB2799~ConnecticutHB5469~DelawareSB79~GeorgiaSB89~HawaiiSB2607~KansasSB2008~MaineLD454~MarylandHB298~NevadaSB463~NewHampshireHB520~NorthCarolinaHB632~OregonSB187~

TennesseeHB1931~VirginiaHB1612~VirginiaHB519~VirginiaHB749~WashingtonSB5419

Inall,33stateshaveconsideredbillsthatresembleSOPIPA.SevenstateshavepassedlegislationwithclausesmodeledafterSOPIPAin2016,51anumberthatislikelyoutdatedbythetimeyoureadthis.NoteverysuchbillorlawincludesalloftheprovisionsofSOPIPA,anditremainstobeseenhowinterpretationandenforcementofSOPIPAmightinfluencelegislativeactionacrossthecountry.KeyDifferences:Severalstatelawshavemoreclearlydefinedpreclusionsaroundadvertising,havingclearlyspentsometimetryingtocarveoutamoreprecisedefinition.Forexample,Virginialawclearlyexplainsthatoperatorsmaynot,“useorshareanystudentpersonalinformationforthepurposeofbehaviorallytargetingadvertisementstostudents,”52where“behaviorallytargetingadvertising”isapreviouslydefinedtermforindustry(seeAnnex,“WhatisTargetedAdvertising?”).Oregonlawprecludestargetedadvertising,butdefinesitas“advertisingpresentedtoastudentbasedoninformationobtainedorinferredfromthestudent’sonlinebehavior,usageofapplicationsorcoveredinformation.”TargetedadvertisingunderOregonlawdoesnotinclude“advertisingpresentedtoastudentatanonlinelocationbaseduponthestudent’scurrentvisittothatlocationorasasinglesearchquery,aslongasthestudent’sonlineactivitiesarenotcollectedorretainedovertime.”53Similarly,Georgialawdefinestargetedadvertisingas“presentingadvertisementstoastudentwheretheadvertisementisselectedbasedoninformationobtainedorinferredfromthatstudent’sonlinebehavior,usageofapplicationsorstudentdata,”andthatitdoesnotinclude“advertisingtoastudentatanonlinelocationbaseduponthatstudent’scurrentvisittothatlocationorasinglesearchquerywithoutcollectionandretentionofastudent’s

51http://dataqualitycampaign.org/resource/2016-student-data-privacy-legislation/52http://lis.virginia.gov/cgi-bin/legp604.exe?151+ful+CHAP072853https://olis.leg.state.or.us/liz/2015R1/Downloads/MeasureDocument/SB187/Enrolled

26

onlineactivitiesovertime.”54Stillotherstatesarelookingatthestudentdataprivacylegislativelandscapeand,whileenactingstrongdataprivacyprotections,arealsotakingstepstoensurethatbeneficialservicesarenotunintentionallyprecludedbythelaws.Forexample,Coloradolawnotesthatitsdefinitionoftargetedadvertisingspecificallydoesnotincludeuseofastudent’spersonallyidentifiableinformationtoidentifyhighereducationinstitutionsorscholarshipprovidersthatarelookingforstudentswhomeetspecificcriteria,providedthatit’sdonewiththepermissionofthestudentorthestudent’sparent.55

WhatShouldOperatorsDoNow?ThisresourceshouldhelpyoubecomefamiliarwiththekeyrequirementsofSOPIPA,butit’sjustthebeginning.Asalwayswhenitcomestostudentdataprivacy,takingresponsibilityforproperandcompliantstewardshipofstudentdataisarequirementforoperatingintheeducationarena,asispartneringinapositiveandproactivemannerwithschoolsanddistricts.Intheabsenceofdefinitivestateguidance,consultwithcompetentlegalcounseltoassessanyriskyoumighthavewithrespecttoSOPIPA,andensurethatyourdataprivacyandsecuritypoliciesandpracticesareinalignmentwithallrelevantandapplicablefederal,stateandlocallawsandnorms.Reassessyourthirdparties,theirdatahandlingpracticesandyourcontractstobesuretheycontainthenecessaryrestrictions.Alsoassessallcurrentandfutureproductdevelopmentanddatahandlingoperationsinaccordancewiththeregulations,inpartnershipwithcompetentlegalandcomplianceguidance.Inaddition,paycloseattentiontoanyauthoritativeregulatoryguidancethatemergesfromCaliforniaandotherstates.

ConclusionThisguideprovidesanoverviewofSOPIPA,comparingtheCaliforniastatutewithfederallawandotherstatestatutesgoverningschoolserviceproviders.Asareminder,nothinginthisguideshouldbeconsideredlegalorcomplianceadvice,andactionsbasedontheinterpretationandrecommendationsherecannotbeguaranteedtoensurecompliancewithanyparticularlaw(s).Clearly,guidancefromtheStateofCaliforniawouldbehelpfultointerpretthevaguerpointsofSOPIPA.Initscurrentform,itisunclearwhatspecificactionswillensureoperator

54https://legiscan.com/GA/text/SB89/201555http://www.leg.state.co.us/clics/clics2016a/csl.nsf/fsbillcont3/65C31D600337BF8787257F2400644D7C?open&file=1423_enr.pdf

27

compliancewithsomeSOPIPAprovisions;therefore,itisimportantforoperatorstoremainawareofindustrynormsandtocomplywiththespiritoftheregulation.

28

ANNEXES

A. RelevantLawsB. WhatisTargetedAdvertising?C. WhatCanParentsAuthorize?D. Whatare“ReasonableSecurity”ProceduresandPractices?56

56https://ferpasherpa.org/s-p.html#security

29

A. RelevantLawsFEDERAL:

FERPA–FamilyEducationalRightsandPrivacyAct(20U.S.Code§1232g)

i. FERPA–FinalRule2011(34CFRPart99)ii. FERPA–DepartmentofEducationGuidanceforEligibleStudents

COPPA–Children’sOn-LinePrivacyandProtectionAct(15U.S.Code§91)

i. FTCCOPPARule,Guidance,andFAQs(16 CFR Part 312)

PPRA–ProtectionofPupilRightsAmendment(20U.S.Code§1232h)

STATE SOPIPA–StudentOnlinePersonalInformationProtectionAct(SB1177) CAEducationCode/PrivacyofPupilRecords–(49037.1)) SummaryofOtherStateLaws–(DataQualityCampaign-2016)

2015:Arkansas HB 1961 Delaware SB 79 Georgia SB 89 Maine LD 454 Maryland HB 298 Nevada SB 463 NewHampshire HB 520 Oregon SB 187 Virginia HB 1612 Washington SB 5419 2016:California AB 2799 Connecticut HB 5469 Hawaii SB 2607 Kansas SB 2008 NorthCarolina HB 632 TennesseeHB 1931 Virginia HB 519 Virginia HB 749

30

B. WhatisTargetedAdvertising?AcriticalprovisionofSOPIPArequiresthatoperatorsdonot,“Engageintargetedadvertisingontheirsite,serviceorapplication,ortargetadvertisingonanyothersite,serviceorapplicationwhenthetargetingisbasedonanyinformation,includingcoveredinformationandpersistentuniqueidentifiers,thathavebeenacquiredbecauseoftheuseofthatoperator’ssite,serviceorapplication.”Thereferenceto“targetedadvertising”hassincebeenwidelyimitatedinotherstatelegislation,yetthisprovisionisconstructedsoastocreatebothoperationalandpossiblyConstitutionalissuesthatareworthdiscussion.Beforedivinginfurther,it’simportanttoreviewhowtheclauseisactuallywritteninthelaw.Asconstructed,itreferstotwodifferenttypesofadvertising:1. Targetedadvertisingontheoperator’ssite,serviceorapplication;OR2. Targetedadvertisingonanyothersite,serviceorapplicationwhenthetargetingis

basedonanyinformation,includingcoveredinformationandpersistentuniqueidentifiers,thathavebeenacquiredbecauseoftheuseofthatoperator’ssite,serviceorapplication

Tocomplywiththelaw,wefirstneedtoanswerthequestion,“whatistargetedadvertising?”It’sbeenthesubjectofmuchdiscussionanddebate,asitisnotdefinedinSOPIPA.Existingfederalregulation,industryself-regulationandotherguidancedonotdefineiteither.Instead,regulationmostcommonlyusesthefollowingterms.Existingterms:Behaviorallytargetedadvertising(alsoreferredtoasonlinebehavioraladvertising[OBA]orinterest-basedadvertising)hasbeendefinedbytheDigitalAdvertisingAlliance57(DAA)as“thecollectionofdataonlinefromaparticularcomputerordeviceregardingWebviewingbehaviorsovertimeandacrossnon-affiliateWebsitesforthepurposeofusingsuchdatatopredictuserpreferencesorintereststodeliveradvertisingtothatcomputerordevicebasedonpreferencesorinterestsknownorinferredfromthedatacollected.”58Servingbehaviorallytargetedadvertisingdoesnotactuallyrequirecollectionofpersonalinformation.Instead,apartywillserveadstoauserbasedonaprofiledevelopedfromtrackingthecomputerbrowseractivitiesovertimeandacrossdifferentwebsitesandonlineservices.

57DigitalAdvertisingAllianceis“anindependentnon-profitorganizationledbytheleadingadvertisingandmarketingtradeorganizations.”Itrepresentsacross-industryself-regulatoryprogramthat“establishesandenforcesresponsibleprivacypracticesacrossindustryforrelevantdigitaladvertising,providingconsumerswithenhancedtransparencyandcontrol.”http://www.aboutads.info/58http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

31

ThedefinitionhaslargelybeenacceptedbytheFTC,andisdescribedinsimilarfashioninitsSelf-RegulatoryPrinciplesforOnlineBehavioralAdvertising.59ThistypeofadvertisingisprecludedbytheChildren’sOnlinePrivacyProtectionAct(COPPA)forchildrenunder13withoutprior,verifiableparentalconsent,aswellasbytheexistingself-regulatoryadvertisinggroups,includingDAAandtheNetworkAdvertisingInitiative(NAI).60Contextualtargeting(alsoreferredtoascontextuallyrelevantadvertising)isdefinedbyDAAasadvertisementsthataredelivered“basedonthecontentofaWebpage,asearchquery,orauser’scontemporaneousbehaviorontheWebsite.”61NAIexpandsabitfurtherexplaining,“theadselecteddependsuponthecontentofthepageonwhichitisserved,or‘firstparty’marketinginwhichadsarecustomizedorproductsaresuggestedbasedonthecontentofthepageorusers’activityonthepage(includingthecontenttheyvieworthesearchestheyperform).”62 TheFTCechoesthisinpolicystatementsandincommentssurroundingCOPPA.There,theFTCnotesthatcontextualtargeting,“ismoretransparentandpresentsfewerprivacyconcernsascomparedtotheaggregationanduseofdataacrosssitesandovertimeformarketingpurposes.” ContextualtargetingispermittedunderCOPPA.

WhyDoesThisMatter?Thedefinitionoftargetedadvertisingiscriticallyimportantforavarietyofreasons.Considerthecaseofthestudentwhoprogressesquicklythroughcurriculummaterialandisreadyformore.Perhapsthestudentisworkingonmathlessonsthoughaproductusedinschoolandathome.Aftercompletingtheworkassignedbytheteacher,wouldtheoperatorbeabletoletthestudentortheparentknowthatmoreadvancedmaterialswereavailableforpurchase,orwouldthatbeconsidered“targeting”undertheundefinedprovisionofSOPIPA?Wouldoperatorsbeabletopromotebookstoparentsofyoungreaders,includingbooksthestudentmightenjoybasedonpreferencesthey’veexpressed?Schoolshavelongadvertisedproductsandservicesthatarelikelyvaluedbyparentsandstudentsbasedonactivitiesandschoolprograms:adsrelatedtomusicalproviderstomembersofbandandorchestra;sportsequipmentoropportunitiesadvertisedtostudentsofvariousathleticteams;scholarshipadstojuniorsandseniors,bothforlocalopportunities,andperhapsmorelongdistanceoptionsnototherwiseeasilydiscoverable.

59https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/p085400behavadreport.pdf60https://www.networkadvertising.org/2013_Principles.pdf61http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf62https://www.networkadvertising.org/2013_Principles.pdf

32

Withoutacleardefinitionoftargetedadvertising,itisuncleartooperatorswherethelinefallsbetweenthesetraditionalandacceptedadsandinappropriateuseofpersonalizedinformationnowavailableingreaterdetailviastudents’digitalrecords.Tobanadvertisingbroadlyrisksdeprivingstudentsandparentsofinformationandopportunitiestheyexpectanddesire.

PersistentIdentifiersandAdvertising:SOPIPAincludes“persistentidentifiers”initsdefinitionofcoveredinformation,andassuch,suchidentifiersmaynotbeusedfor“targetedadvertising.”However,SOPIPAdoesn’ttakeintoaccountthemostcommonmechanismsbywhichadvertisingisservedonline,andthereasonsbehindthosemechanisms.

Persistentidentifierscomeinseveralformats,withmanydependentonthedeviceitselfandnotnecessarilytheuser.Theyserveavarietyofpurposes,includingmanythatarefortheconvenienceoftheuser.Apersistentidentifieriswhatallowstheusertocustomizetheirsitecontentandhavethosepreferencesretainedthenexttimetheyvisit.Itisalsowhatallowstheusertoretaintheirprogressovertime.

Whenitcomestoadvertising,persistentidentifiersaren’tjustusedtoserveads,they’realsousedtorestrictads.Forexample,persistentidentifiersareusedtoplaceacaponthenumberoftimesauserseesads.They’realsousedtoensurethatusersdon’tseethesameadsrepeatedly.

Operatorscanusepersistentidentifierstoensurethatadsthatmeettheregulatoryandself-regulatoryrequirementsforchildrenareservedtochildren,andthatadsnotappropriateforchildrenareservedonlytoolderusers.

UnderCOPPA,theFTCacknowledgesthat–unlikeallotherpersonalinformation-persistentidentifiersmaybecollectedwithoutpriorparentalnoticeorconsentwhenusedonlytosupportspecificinternaloperations,includingservingcontextualadvertisingandcappingthefrequencyofadvertising.63

SowhatdoesSOPIPAintendtorestrict?Certainly,thesecondhalfoftheclause,whichisabanon“targetedadvertisingonanyothersite,serviceorapplicationwhenthetargetingis63SupportfortheinternaloperationsoftheWebsiteoronlineservicemeans:(1)Thoseactivitiesnecessaryto:(i)MaintainoranalyzethefunctioningoftheWebsiteoronlineservice;(ii)Performnetworkcommunications;(iii)Authenticateusersof,orpersonalizethecontenton,theWebsiteoronlineservice;(iv)ServecontextualadvertisingontheWebsiteoronlineserviceorcapthefrequencyofadvertising;(v)Protectthesecurityorintegrityoftheuser,Website,oronlineservice;(vi)Ensurelegalorregulatorycompliance;or(vii)Fulfillarequestofachildaspermittedby§312.5(c)(3)and(4);(2)SolongasTheinformationcollectedfortheactivitieslistedinparagraphs(1)(i)-(vii)ofthisdefinitionisnotusedordisclosedtocontactaspecificindividual,includingthroughbehavioraladvertising,toamassaprofileonaspecificindividual,orforanyotherpurpose.

33

basedonanyinformation,includingcoveredinformationandpersistentuniqueidentifiers,thathavebeenacquiredbecauseoftheuseofthatoperator’ssiteserviceorapplication”iswell-defined.Retargetingtostudentsandparentsisentirelyprohibited.However,whateverisactuallymeantandenforceablewithrespecttothebanon“targetedadvertising”aloneremainsunclear.

Whataresomeoftheconsequencesofsuchrestrictions?It’sdifficulttooverstatetheadverseimpactofstudentdataprivacylegislationinwhichkeyprovisionsareundefined.However,oneareatoconsiderarethepotentiallyunintendedconsequencesthatcouldresult.TherearemanywithSOPIPA.Since“coveredinformation”isdefinedsobroadlyand“targetedadvertising”isundefined,someadvocatesinterpretSOPIPAasimposingacompleteadvertisingban.Abanonevencontextuallyrelevantadvertisingwouldprohibitprovidingpotentiallyusefulanddesirableopportunities,andpotentiallyrestrictself-directedlearningandparent-guidedprogress.Inaddition,collegeswouldnotbeabletopromoteadmissionsonlytojuniorandseniorstudents,ortostudentswhootherwiseundermatchataparticularinstitution.Inaproductthatincludeslevelsformultiplegrades,itwouldprovenearlyimpossibletopreventyoungerusersfromseeingadvertisingintendedonlyforolderaudiences,andviceversa.Organizations–evennonprofitsorfoundations–interestedinreachingeligiblestudentswithscholarshipswouldnotbeabletotakeadvantageoftechnologytoreachthosestudentswhomeetcertainrequirements.Promotionoftraditionalschoolactivities,suchassellingclassrings,yearbooks,classphotosandmorecouldbestifled.However,since“targetedadvertising”remainsundefinedinSOPIPA,itwillbeimportanttolookathowtheCaliforniaAttorneyGeneral’sofficechoosestointerpretandapplytheclauseovertime.

34

C. WhatCanParentsAuthorize?Overthelasttwoyears,publicconcernsaboutstudentdatacollectionhavegrown.Policymakershaverespondedtothoseconcernsbyproposingnewstateandfederallegislationtoaddressavarietyofpossiblerisks.Someadvocatesworrythatsensitivedatawillbesenttostateorfederalauthoritiesforusestheydonotconsiderappropriate.Someareconcernedthatstudentrecordswillbeusedinadiscriminatorymannerbycollegesorfutureemployers.Someworrythatschoolsorvendorswillsellorimproperlysharestudentdata.Basicconcernsaboutbothschoolsandvendorssimplyhavingadequateprivacyandsecuritymeasuresinplacemustbeaddressedbyresponsiblestakeholders,butunfortunatelysomeofthereactionstotheseconcernshaveunnecessarilylimitedparents’rightstoauthorizedisclosureoruseoftheirchildren’sinformation.SOPIPAisanexampleofthisoverreach–whichhasbeenatleastamelioratedinmanyofthebillsmodeledonit.Federalandstatelawmakerssoughtwaystoimplementandenforcestudentprivacylawstoensureprotectionofstudentdata.In2015,therewereover180studentprivacybills64underconsiderationin46states,upfromthepreviousyearrecordof110studentprivacybillsproposedin36states.Inaddition,in2015,theU.S.HouseofRepresentatives65andU.S.Senate66eachproposedlegislationdirectedatedtechvendorsaswellasdraftingrewritesorproposedamendmentstotheFamilyEducationalRightsandPrivacyAct(FERPA)toupdatetheresponsibilitiesofschoolsandeducationalagencies.67FERPAisfoundedonaparent’srighttoaccesstheirchild’seducationrecord.Manybillssoughttoensureorexpandparentalaccesstodatainthenewcontextofschool-vendorpartnerships,respondingtoworriesthatthesedataweren’tcoveredorthatdataheldbyvendorswouldn’talsobeaccessibletoparents.However,toaddressconcernsaboutdatabeingfurthersharedwithdatabrokersorunauthorizedparties,manybills–includingSOPIPA–broadlybanavendorfromsharingstudentdatawithanyadditionalthirdparties.SOPIPAhasnoprovisionforparentstoconsenttousesoftheirchild’sdataforpurposesprecludedbySOPIPA.Whenadvisedthatvendorsweretypicallydirectedbyschoolsorparentstosenddatatocollegesorscholarshiporfinancialaidorganizations,somelegislatorsamendedbillsinotherstatestoincludeprovisionsallowingvendorstosharedatawiththoserecipientsonly,withthepermissionoftheschoolsorparents.However,anyothertransferofstudentdata

64DataQualityCampaign."StudentDataPrivacyLegislation:WhatHappenedin2015,WhatIsNext?"(n.d.):n.pag.24Sept.2015.Web.65“Messer,PolisIntroduceLandmarkBilltoProtectStudentDataPrivacy."N.p.,29Apr.2015.Web.12Nov.2015.66S.1788-114thCongress:SAFEKIDSAct.Text.N.p.,n.d.Web.https://www.congress.gov/bill/114th-congress/senate-bill/1788/text67H.R.3157-114thCongress:StudentPrivacyProtectionAct."Text.N.p.,n.d.Web.https://www.congress.gov/bill/114th-congress/house-bill/3157/text?resultIndex=1

35

isfrequentlystillbanned.Thesebanscreateasignificantbarrierforawiderangeofbeneficialusesofdatathatparentsandstudentswanttoenable.Withalltheextracurricularandspecializedopportunitiesavailableonline,thereareanincreasingnumberofareaswhereparentsmaywanttousedatafromorabouttheirchildtosupportactivitiesoutsideoftheschool’scurricularprograms.Theymaywanttomaketheirchild’sdataavailabletoatutoringprogram,toacollegementoringprogramorothereducationalsupportservices.

UnderSOPIPA,theparentcannotdoso.Evenwithexplicitparentalrequestorpermission,thevendorisforbiddenfromdisclosingthestudent’sdatatothedesignatedthirdparty.Thislackofaparentalchoiceoptiontosharedatalimitseveryparent’sabilitytomakethebestchoicesfortheirownchild.Thelawauthorizesparentstodownloadorobtainphysicalcopiesofthefileoraccountdata,butthelanguagedeniestheedtechcompanytheabilitytodirectlyshareit,evenwiththeparent’srequestorconsent.Thisputsthetransferburdenontheparent,mayopensecurityconcernsandcancloseoffavenuestoensurethattheinformationwillbeusedeffectivelyandefficiently.Withoutthatabilityforparentstorequestelectronictransferoraccessfromthosevendorswhomaybeableandwillingtoprovideit,theparentandstudentareforcedtoessentiallystartfromscratcheachtimetheystartanewprogramoutsideofschool.

Thismaybecomeparticularlyrelevantforchildrenwithdisabilitiesorlearningchallengeswhoaresomeofthe“powerusers”ofmultipleresourcesbeyondtheschool.Studentswithphysicaloreducationalchallengesusuallyhavewhatarereferredtoas“thickfiles”–agreatdealofinformationbuiltupovertimewhichiscriticaltotheiracademicandpersonalsuccess.Today,thisinformationexistselectronically.Transitioningtoneworaddedserviceswithouttheabilitytoeasilyintegrateexistinginformationcreatesatremendousburdenonparentandproviderwheneachnewprogrammayhavetoreassessandfreshlyestablishordocumentthechild’sabilitiesandrequirements.It’scriticalthatnewlegislationconsiderfirst,whatarethereal–nottheimagined–adverseprivacyandsecurityissueswithstudentdata,whatareschoolsappropriatelyresourcedandempoweredtoactaroundthatdata,howdoestechnologyreallywork,whatarevendorstrulydoing(andnotdoing)withthedata,andwhatdoparentsandstudentsneedtobestsupporteachindividual’seducationpathway.

36

D. Whatare“ReasonableSecurity”ProceduresandPractices?68Thischecklistisdesignedtoprovideasimplebaselineofsecurityprinciplesandpracticesasanedtechbusinessgrowsitsproductsandservices.Thislistoftipsdoesnotconstituteacompletesecuritypolicy,butiffollowed,willensurethatvendorshavetakenthebest,firststepstowardresponsibleprotectionofstudentdata,asthesetipsflagmanyofthecommonkeyconcerns.

1.Risk:DataInterceptionSolution:EncryptDatainTransitEnd-usernetworktrafficiseasilymonitoredorinterceptedonopenWiFioroverthewirebytheoperatorofthenetwork.Topreventsensitiveinformationfrombeingaccessibletounintendedparties,useHTTPS(SSL/TLS).Donotsendpasswordsincleartext!(Alsoencryptdataatrest;see4.below)

2.Risk:VulnerableSoftwareSolution:RegularlyPatchandUpdateSoftware,ServersandEndpointsManydatabreachesarecausedbytheexploitationofvulnerabilitiesforwhichthereareknownfixes.Inotherwords,thebreachdidn’thavetohappen.Requireappropriatepersonneltopatchandupdatesystems,quickly,routinely,programmatically,andoften,inaccordancewithpolicy.Commonly,operationspersonnelapplypatches,andversionupdates,whilesecurityanalyst/engineersrunscanstoconfirmthatpatchinghasbeenappliedandvulnerabilitiesareremediated.(Keepingthedistinctionbetweenthetworolesprovidesacheckandbalancewithintheprocess.)

3.Risk:DatabaseCompromise(InjectionAttacks)Solution:UseAcceptedSecureCodingPracticesCodecanmasqueradeasdata,andtheresulting“injection”attacksarethesourceofmanydatabreaches.Thankfullythenecessarysecurecodingpracticestopreventinjectionattacksarewellknown,suchasparameterizedqueriesandsanitizinginputs.SeeSQLInjectionPreventionCheatSheet.

4.Risk:LostorStolenLaptopsandWorkstationsSolution:RequireFullDiskEncryptionRequireyoursecurityteamtousefull-diskencryptiononalllaptopsandworkstations.Allinformationatrestinyourcontrolshouldbeencrypted.Thisincludesyourservers,thirdpartyservers,butespeciallywhenitlivesonamachinethatcanbetuckedunderanarmandcarriedoutthedoor.Ifyouuseorallowportablestoragemedia(thumbdrives,any

68https://ferpasherpa.org/s-p.html#security

37

portablemedia),theyshouldalsobeencrypted.Trainemployeestoreportlostorstolenequipmentimmediately.

5.Risk:PasswordCompromiseSolution:Deploy2-factorauthentication.Requiredevelopmentteamstodeploy2-factorauthenticationonweb-accessiblelog-ins.Yes,thisisnotalwayspossible,orpractical.Striveforitwherepossible;whenitisnotfeasible,employstrongpasswordrulesandcontrols;applypracticesappropriatetothelevelofriskofthedatainvolved.

6.Risk:RelyingonHashingtoDe-IdentifyDataSolution:UseProperlySaltedHashesAlthoughmanyhashoutputsor“digest”valuesinputscannotbeeasilyreverse-engineeredtodeterminethehashinput,calculatinglook-uptablesforcertaintypesofuniformdataisveryeasy.

Forexample,alook-uptableforallU.S.phonenumberscanbecalculatedveryquicklyandusedtolookup“hashed”phonenumbers.Thesolutionistousesaltedhashesandconsultwithacomputerscientisttoverifystrengthofresultingde-identification.

7.Risk:CloudServices(reminder,thereisno“cloud”–it’sjustsomeoneelse’scomputer)Solution:DoYourDueDiligence.Determineifyoucanevenuseacloudsolutionbasedonlegalrequirements.Ifyoudon’tencryptstudentdatabeforeitissenttothecloud,thecloudproviderhasphysicalaccesstothedata.

8.Risk:Third-PartyManagementandHostedSolutionsSolution:DueDiligenceandContractualConstraintsYourresponsibilityandauthorityfordatainyourpossession/controlextendstoitsmanagementwhileunderthecontrolofathirdpartyprovidingyouaservice.Contractualconstraints:

• Seekthirdpartyauditsorauditreports• Verifyinsurancerequirementsandcomply• Includerelevantrepsandwarranties• Requireincidentresponseprovisions

38

9.Risk:BrowserCompromiseThroughJavaPlug-InSolution:DisabletheJavaPlug-IninallBrowserSoftwareEnterprise-WideNeverPublishSoftwarethatRequirestheJavaPlug-intobeInstalledinOrdertoRunManyinstancesofbrowsercompromiseoccurbecauseofsecurityissueswiththeJavaPlug-inforbrowsers.Blockanddisabletheplug-in.

10.Risk:OtherBrowserandAppCompromiseSolution:RequireIn-HouseandExternalDeveloperstoSatisfytheAppropriateASVSStandardConsiderusingtheASVSstandards–theaimoftheOWASPApplicationSecurityVerificationStandard(ASVS)ProjectistonormalizetherangeinthecoverageandlevelofrigoravailableinthemarketforWebapplicationsecurityverificationusingacommercially-workableopenstandard.Thestandardprovidesabasisfortestingapplicationtechnicalsecuritycontrols,aswellasanytechnicalsecuritycontrolsintheenvironment,thatarereliedontoprotectagainstvulnerabilitiessuchasCross-SiteScripting(XSS)andSQLinjection.Seehttps://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf.

AdditionalAreastoAddressforSecurityPolicyandPractices

• Incidentresponseplanningandpreparation:haveabreachresponseplan.Yourcontractmayrequireit,butregardless,youshouldhave(andtest,andtrainfor,regularly)yourproceduresforhowtorespondintheeventofabreach,ofdifferentmagnitudes

• Insurance• Establish,updateandregularlyconducttrainingforemployees,boththosedirectly

involvedinsecuritysystemsandthosewhosimplyneedtounderstandtheirownresponsibilities

• Employasystemorprocessforloggingandmonitoringofallactivities

AdditionalResources

• https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet• https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-

business• https://www.ftc.gov/datasecurity

FPF Guide to Protecting Student Data Under SOPIPA: For K-12 ...

Documents

Transcript of FPF Guide to Protecting Student Data Under SOPIPA: For K-12 ...