FPF Guide to Protecting Student Data Under SOPIPA:
For K-12 School Administrators and EdTech Vendors
November 2016
FPF Guide to Student Data Protection Under SOPIPA: For K-12 School Administrators and EdTech Vendors [1]
Introduction
Student Data Privacy – Background and Overview
Parental Concerns
Concerns About Third Parties
Key Developments – the Student Privacy Pledge
Legal Overview
Compliance and Enforcement
COPPA
PPRA
State Laws Generally
SOPIPA
Who Must Comply?
What is “Actual Knowledge”?
What are “K-12 School Purposes”?
What Information Is Protected Under SOPIPA (“Covered Information”)?
Specific Requirements of SOPIPA for EdTech Vendors
What is Targeted Advertising?
When Can an Operator Disclose Covered Information?
How Can Operators Use Student Information?
SOPIPA Rights for Students
School and District Guidance on SOPIPA – What to Expect
Guidance from the State of California
Legal Remedies
Which States Are Following California’s Lead?
What Should Operators Do Now?
Conclusion
ANNEXES
A. Relevant Laws
B. What is Targeted Advertising?
C. What Can Parents Authorize?
D. What are “Reasonable Security” Procedures and Practices?
[1] Authored by Brenda Leong, Future of Privacy Forum; Linnette Attai, PlayWell LLC; Amelia Vance, National Association of State Boards of Education; and David Rubin, David B. Rubin, PC
Introduction
This guide is designed to provide an overview of the California Student Online Personal Information Protection Act (“SOPIPA”), which – in conjunction with California Education Code section 49073.1 (formerly AB 1584) – was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.
SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information are covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model. Our discussion expands on:
• Who must comply? SOPIPA applies to operators of websites, online services (including cloud computing services), online applications or mobile applications with actual knowledge that their site, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. SOPIPA does not apply to operators of general audience products, even if those products are accessible through a K-12 operator’s product.
• What is actual knowledge? SOPIPA is silent on the question. The existing Federal Trade Commission (FTC) standard is a reasonable guide: The actual knowledge standard is likely to be met when an operator either communicates the nature of its content to a third party or when a representative of the third party recognizes the nature of the content. Ultimately, the FTC emphasizes a case-by-case approach.
• What are K-12 school purposes? Purposes that customarily take place at the direction of a K–12 school, teacher, or school district – those direct activities traditionally and routinely done by the school as part of carrying out the education of its students. Further, K-12 purposes may include secondary activities which aid in the administration of school activities, including in the classroom or at home, by school administration, between students, school personnel, or parents, or otherwise for the use and benefit of the school.
• What is covered information? Covered information is defined as personally identifiable information or materials, regardless of media or format, which meet any of several specified criteria. Most covered information is already identified and protected under FERPA.
• What is unique to SOPIPA for EdTech vendors? Operators must not:
  • Engage in targeted advertising when the targeting is based on any information that has been acquired because of the use of that operator’s site, service or application
  • Use information to amass a profile about a K-12 student, except in furtherance of a K-12 school purpose
  • Sell a student’s information, including covered information
  • Disclose covered information except in specific, limited circumstances
  Operators must:
  • Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information
  • Protect covered information from unauthorized access, destruction, use, modification, or disclosure
  • Delete a student’s covered information if requested by the school or district that controls the information[2]
• What is Targeted Advertising? A complicated question that is covered in detail below.
• When can an operator disclose covered information? To further the K-12 purpose of the site, service or application, provided that the recipient is likewise restricted; for legal response and compliance; for user safety; to other educational agencies for K-12 school purposes; and to other service providers when they are likewise contractually bound.
• How else can operators use student information? Operators may use student data to conduct legitimate research, and may use deidentified information for product improvement, marketing and development, or may use aggregated, deidentified information to develop and improve educational sites, services or applications.
[2] The “school official” exception under the Family Educational Rights and Protections Act (FERPA) already requires that operators be under the “direct control” of the educational agency as a condition of receiving student data. http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=16796a773ac48f980cdfaed80b1fa94a&rgn=div5&view=text&node=34:1.1.1.1.33&idno=34
• SOPIPA rights for students: Under SOPIPA, students may download, export or otherwise save or maintain data or documents that they create.
In addition to a detailed overview of SOPIPA, this guide also provides a general overview of federal student privacy laws, and a comparison to the other major state-level student privacy law, the Student User Privacy in Education Rights Act (“SUPER” Act), that, as with SOPIPA, became a model for many states nationwide. The SUPER Act has its roots in the Student Privacy Pledge that the Future of Privacy Forum and Software & Information Industry Association facilitated with the education technology industry. Companies that take the pledge make 12 commitments, such as: not selling student data; not building student profiles for their own purposes; and disclosing how they use student data. Sample language for a bill based on these commitments was drafted and included in a variety of forms by many states.
Student Data Privacy – Background and Overview
Data use is now essential to most, if not all, education functions, and is so integral to the workings of schools and districts that it would be impossible to decouple data from education. Indeed, when data is being used effectively it allows parents to track and promote their children’s progress, helps teachers improve their instruction and cater more accurately to students’ needs, and assists school and district leaders in making managerial decisions, allocating resources, and communicating with the public. Constructive use of educational data also increases transparency, holds schools accountable, and helps state and federal policymakers assess policies and strategies prior to the enactment of important changes.
However, with the benefits of data come potential concerns. Collection, storage, access, and use of data all have inherent risks. Safeguarding student privacy is a critical aspect of responsible education data collection and use.
Children and adolescents are inherently vulnerable, and schools have a duty to protect their students from risks. This includes the misuse of, unauthorized access to, or theft of school-retained information, whether it exists on paper or is stored on a computer drive, in a network, or is informally shared. Most people think that maintaining their privacy is important. Despite numerous articles bemoaning young people’s lack of attention to privacy issues, today’s children do care about privacy; studies have found that the attitudes of older and younger people about privacy are similar, and a 2012 Microsoft study found that “[p]rivacy and security rank as college students’ #1 concern about online activity.”[3] Despite routine sharing of personal information in the digital age, most people, regardless of age, want to control who may access their personal data.[4]
[3] http://www.teachprivacy.com/do-young-people-care-about-privacy/
[4] USC Annenberg, Is Online Privacy Over?, April 22, 2013: “When asked about the statement, ‘No one should ever be allowed to have access to my personal data or web behavior,’ 70 percent of Millennials agreed, compared with 77 percent of users 35 and older.” (http://annenberg.usc.edu/News%20and%20Events/News/130422CDF_Millennials.aspx)
Parental Concerns
As a Common Sense Media poll revealed, 90 percent of adults care about the ways that students’ personal data becomes accessible to non-educational interests after it is collected as a part of instruction.[5] For some, “[e]ven if government were to keep the information private, the very existence of a ‘dossier’ is immensely intimidating and inhibiting.”[6]
Other parents and students simply want to keep information they feel is embarrassing—whether poor test scores or a minor disciplinary event—private. Whether legitimate fear or paranoia, parents want to make sure childhood misjudgments, such as a fight in middle school, will not harm their child’s future ability to attend college or get a job.
Moreover, as the scope and amount of educational and non-educational information that schools collect increases, the risks increase, as should security designed to mitigate those risks. Indeed, as public schools become more than just academic institutions—providing, for example, medical and psychological treatment in 2,000 school-based health centers around the country—they are continually collecting more information that is highly sensitive.[7]
At the same time, as examples of large-scale security breaches at businesses and government agencies emphasize, it is impossible for a company or a school to promise that it can keep information completely safe. As privacy advocate Joel Reidenberg observed, “You have failures at institutions that are spending millions trying to protect the security of their data. Is there any reason to believe that school systems are going to be more successful?”[8]
Education leaders and state policymakers hear concerns from many stakeholders about the collection and use of student data. Apprehensions abound, from those who fear “behavior modification”[9] to those who worry that children are learning to accept intrusions into their privacy.[10] Some concerns are part of more broadly held beliefs about privacy in general or about the role of government and public education. Other concerns reflect a lack of basic, accurate information about data collection and use. Many concerns, however, are valid and important, especially those about the extent of data collected and the security of the technology used in data collection and storage.
[5] Common Sense Media, National Poll Commissioned by Common Sense Media Reveals Deep Concern for How Students’ Personal Information Is Collected, Used, and Shared, January 22, 2014 (https://www.commonsensemedia.org/about-us/news/press-releases/national-poll-commissioned-by-common-sense-media-reveals-deep-concern).
[6] Pioneer Institute: Big Data, Common Core, and National Testing
[7] Pioneer Institute: Big Data, Common Core, and National Testing
[8] Reidenberg, NPR: What Parents Need To Know About Big Data And Student Privacy.
[9] Pioneer Institute: Big Data, Common Core, and National Testing
[10] Jay Stanley, “Newest School RFID Scheme is Reminder of Technology’s Surveillance Potential” www.aclu.org. June 29, 2012.
For example, separate from concerns over data breaches and identity theft, many parents are worried about the potential ramifications of collecting so much data about children. They fear that the people, companies and government entities that create and maintain databases may misuse information or handle it poorly.[11] In its 2015 Big Data report, the White House warned that “[o]nce information about citizens is compiled for a defined purpose, the temptation to use it for other purposes can be considerable… If unchecked, big data could be a tool that substantially expands government power over citizens.”[12] As an example, the report points to the use of supposedly confidential census data that was used to identify Japanese Americans for internment during World War II.[13]
Another reason parents are often concerned about data collection is that children and adolescents often make mistakes when they are young that, if exposed, may affect their opportunities later in life. If discipline records became publicly accessible, it could be much harder for students to move past their bad choices. Yet many states collect information about student disciplinary incidents, often in great detail, and tie those records to students’ names. For example, Louisiana has 32 different codes for disciplinary actions, and Florida has wide-ranging categories for student code violations.[14] The worry is that if disciplinary information is not expunged from school records, it could be used to deny students access to jobs in the future. Conversely, if it were to be expunged, it may hinder those who might intervene to help students make more positive behavior choices.
Criminal records are also included in many educational files. As of 2009, at least 17 states included a code for incarceration as a cause of withdrawal.[15] As researchers from Fordham University have observed, the “collection of data pertaining to the criminal justice system can be especially damaging to a student. Many states provide that juvenile criminal records can be sealed and eventually expunged. However, the incidents will still remain part of the student’s education file in the absence of a comparable data purge requirement.”[16] The question of cost/benefit of retaining such data is complex and raises concerns on all sides of the argument.
[11] NPR: What Parents Need To Know About Big Data And Student Privacy
[12] BIG DATA: SEIZING OPPORTUNITIES, PRESERVING VALUES, 22
[13] BIG DATA: SEIZING OPPORTUNITIES, PRESERVING VALUES, 22
[14] Fordham Report: Children’s Educational Records and Privacy 2009
[15] Fordham Report: Children’s Educational Records and Privacy 2009
[16] Fordham Report: Children’s Educational Records and Privacy 2009
Concerns About Third Parties
Finally, there are ever-increasing numbers of third party educational applications used in the classroom, for purposes ranging from marking attendance and monitoring class behavior to learning new math skills. Because these apps are able to collect and maintain more student information than would ever have been maintained without technology—and because of concerns about holding data without clear deletion or use restrictions—parents are concerned about what data these app providers collect regarding their child, and whether the data could be used inappropriately.
In many ways, parental worries about what schools or other governmental entities might do with their child’s data are the same as their worries about what third parties might do with the data. Focus on third parties and their access to student data has intensified over the past decade, not only because of the use of third party apps, but also because most schools outsource the electronic storage of educational records to third parties: ninety-five percent of districts rely on cloud-based services for a diverse range of functions, including data storage (“hosting”) related to student performance, support for classroom activities, student guidance, and even cafeteria payments and transportation planning.[17]
While it may seem that student and school data would be more secure if stored on a local computer without access to the internet, as the paper files of old were kept in the school’s locked back office, such a computer is subject to theft and damage. Storing data this way would also remove many of the benefits technology has brought to education, such as ensuring that transient students’ records follow them so they don’t fall behind, or allowing parents to know how their child is doing in class long before their mid-year report card.
It is also impractical for districts to build their own internet-connected networks to store student data: most schools and districts simply do not have the financial resources, technical expertise, or staffing capacity to develop their own internal systems. If schools and districts did create such systems without having the resources to manage them, the likelihood that student data would be mismanaged or inappropriately accessed would also increase. In addition, such systems would have to keep up with state and federal laws, which would likely require constant monitoring by the school district’s legal counsel to verify that the district was not violating a complicated web of privacy laws. Finally, because some aggregate and individualized data must be reported at the state level, a district-created system could be incompatible with the state-level system, requiring increased staff time and new technology to make the systems compatible.
Therefore, many schools and districts contract with for-profit and nonprofit partners to transform their data into actionable information. Service providers have the capacity and expertise to securely manage and analyze data and provide timely, useful information to parents, educators, school leaders, and policymakers who use it to advance student success. Among these third parties, “cloud” providers are designed to provide complex, sophisticated privacy and security controls. Centralized systems, such as statewide longitudinal data systems and systems managed by service providers in the cloud, ensure that data collection, storage, and access meet a uniform set of protections that limit the risk of inappropriate access and use.
[17] Fordham Report: Privacy and Cloud Computing in Public School 2013
Key Developments – the Student Privacy Pledge
While most vendors acknowledge the vital importance of student data privacy, they also want to ensure that any additional protections put in place do not hinder technological innovation in the classroom that could help students succeed: a representative for the Software and Information Industry Association, which represents many education technology companies, observed that policymakers looking to pass new laws or policies should assure that these “new legislative requirements… provide local communities and school officials with sufficient flexibility so that government actions intended to create a privacy and security floor do not unintentionally create a digital learning ceiling.”[18]
However, the computer and tech industries have recognized the public’s concerns about data privacy and security. As data security expert Tom Galvin explained, businesses “used to worry about who had the fastest speed or the most power or the most memory. Now they have to worry about whether consumers are going to fundamentally trust them.”[19] This concern has led them to take several important steps toward self-regulation.
In 2014, the Software and Information Industry Association and the Future of Privacy Forum introduced a legally binding student data privacy pledge.[20] Over 200 companies have signed the pledge since it launched, and President Obama discussed the pledge favorably in his speech on data privacy in January 2015, where he stated that his administration would not hesitate to call out companies who did not sign on to it.
But some privacy experts note that this pledge and other self-imposed company guidelines may not be sufficient to deter so-called “bad actors”—software providers who want to exploit children’s information and who will take advantage of holes in current laws to do so. In order to fill this gap, states like California have created laws that directly regulate third parties. Yet it is important to remember that many of the practices parents worry about regarding third parties and student data—including companies using student data to market to children—are already illegal under existing federal laws, and “bad actors” have not yet been named.
[18] http://www.siia.net/blog/index.php/2014/05/siia-student-privacy-policy-guidelines-at-california-testimony/
[19] Byers, Alex. "Privacy as a PR Push." POLITICO. September 26, 2014. http://www.politico.com.
[20] http://studentprivacypledge.org/.
Legal Overview
The Family Educational Rights and Privacy Act of 1974 (FERPA) is the main federal law that protects the privacy of student information, and is the basis for most state educational privacy laws. In general, FERPA protects students’ education records from disclosure to people outside the education system, but makes an exception for “directory information,” which can be released without the consent of the parent or student age 18 or older (“eligible student”).
FERPA identifies four rights that parents, guardians, or students age 18 and older have in regard to the student’s education record and directory information:
1. Inspect. Parents have the right to inspect and review their child’s education records.
2. Correct. Parents have the right to request that the school correct or amend their child’s education records when the records are inaccurate or misleading. If the school decides not to amend the records, then the student (or parent/guardian) has the right to a formal hearing.
3. Release. Schools must obtain the written permission of parents to release any information from their child’s education records, with certain exceptions. Schools may release records to the following parties without consent:
  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations;
  • Authorized parties in a court case, to comply with a judicial order or lawfully issued subpoena;
  • Appropriate officials, in cases of health and safety emergencies; and
  • State and local authorities within a juvenile justice system, pursuant to specific state law.
4. Opt out. Schools must give parents the opportunity to opt out of having their children’s directory information published.[21]
In response to state requests for clarification, Department of Education regulatory guidance for FERPA was updated in 2008, and again in 2011. These updates allow schools to consider contractors, consultants, volunteers, or other parties to whom the school has outsourced institutional services or functions as “school officials” under FERPA.[22] This means schools may disclose student information to these parties without parental consent. However, these parties may not disclose the information to anyone else, and may use the information only for the purposes for which the disclosure was made.[23] The 2011 update allows schools to include student identification numbers with directory information only if the numbers cannot be used to gain access to education records.[24] Outsourcing information to those parties was already a common practice by schools at that time; the FERPA updates simply clarified that this was acceptable under the law.
[21] 34 CFR § 99
[22] 34 CFR § 99.31
[23] 34 CFR § 99.33
Compliance and Enforcement
FERPA is a “spending clause” statute, meaning that schools, districts, and state agencies must follow its provisions to be eligible to receive federal funds. Therefore, as a practical matter, all states must adhere to the provisions in FERPA. The Family Policy Compliance Office (FPCO) investigates complaints by students and parents or guardians regarding school, district, agency, or vendor compliance with FERPA.
FPCO will usually work with the school, district, or state agency to help it come into compliance with the law before moving to withhold funds. If a third party vendor is found to have violated FERPA, it can be excluded from having access to student information for up to five years. However, no school or vendor has ever been punished for violating FERPA through withholding funds or excluding access to student information.
As part of the 2011 FERPA regulation changes, the U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) to help schools, districts, and education policymakers with data privacy concerns related to student-level longitudinal data systems. In addressing student privacy, according to PTAC guidance, “[s]chools and districts are encouraged to remember that FERPA represents a minimum set of requirements to follow.”[25] PTAC provides information and training materials and can offer direct assistance when needed.
COPPA
Enforced by the Federal Trade Commission, the Children’s Online Privacy Protection Act (COPPA) regulates how commercial entities may collect and use personal information from children under the age of thirteen. The law’s primary purpose is to put parents in control of information collected from their young children online by requiring their prior consent for the collection and use of that information.
COPPA allows schools to consent on behalf of parents to information collection by third-party website or online service providers who collect and use student personal information solely for the benefit of the schools, but for no other commercial purposes. Additionally, even if the school consents for the parents, the operator must still “provide the school with all the required notices… and upon request from the school, must provide a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information.”[26]
In addition, the school may want to make available the operators’ direct notices regarding their information practices for interested parents.
[24] 34 CFR § 99.3
[25] PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, 2014, p. 5.
PPRA
Schools must also consider their obligations under the Protection of Pupil Rights Amendment (PPRA) to have policies in place and to provide direct notice to parents regarding “rights of parents to opt their children out of participation in, activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing the information to others for that purpose).”[27]
When schools administer surveys and conduct analyses or evaluations funded by the U.S. Department of Education, such as surveys that help students discover what careers they might explore, PPRA defines the rules they must follow. PPRA requires that “schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with [a U.S. Department of Education]-funded survey, analysis, or evaluation in which their children participate.”[28] As specified by the U.S. Department of Education, schools must also obtain written consent from parents or guardians before minor students are allowed to participate in surveys that ask questions regarding the following:
• political affiliations;
• mental and psychological problems potentially embarrassing to the student and his/her family;
• sexual behavior and attitudes;
• illegal, anti-social, self-incriminating and demeaning behavior;
• critical appraisals of other individuals with whom respondents have close family relationships;
• legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
• religious practices, affiliations, or beliefs of the student or student’s parent [or guardian]; or
• income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).[29]
[26] https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions#Schools
[27] Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, March 2015
[28] (citation needed)
[29] (citation needed)
PPRA is also enforced by the FPCO. Parents can file complaints with FPCO, and schools could lose federal funding if they do not comply with PPRA notice procedures. However, as with FERPA, FPCO will work with schools to come into compliance; to date no school has ever lost funding for not complying with PPRA notice procedures.
State Laws Generally
Prior to student data privacy taking off as an issue in 2014, many states had preexisting privacy laws. Some states have privacy laws that are not specific to education but still affect educational data. For example, 10 state constitutions have recognized a right to privacy,[30] and many more have general privacy protections in place for their citizens. These laws affect students, teachers, schools, and districts. Many states have specific laws regarding the disposal of records that contain personal information.[31] Some states also require government entities to have a written privacy policy in place.[32] And some, such as California, require government agencies to have a specific person responsible for compliance with privacy law.[33]
States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA;[34] 45 make their data privacy policies publicly available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.
The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced nearly 400 student privacy bills, with at least 100 bills introduced each year. Thirty-five states have passed 73 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.
Thirty-three states have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.
[30] “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.
[31] “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.
[32] Cf. Alaska Stat. § 45.48.530; Ariz. Rev. Stat. Ann. § 41-4152; Colo. Rev. Stat. § 6-1.713; N.J. Stat. 56:8-162
[33] Cal. Civ. Code § 1798.22: “Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.”
[34] Epic.org, Student Privacy
SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education, is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students as part of the
SOPIPA
The Student Online Personal Information Protection Act (SB 1177, or SOPIPA) is a California student data privacy regulation signed into law on September 29, 2014, and in effect since January 1, 2016. It has been described by California State Senate President Pro tempore Darrell Steinberg (D-Sacramento) as a law that “fosters innovation and protects kids’ privacy.”[35]
It is written broadly, providing new and extensive data privacy protections for K-12 students in California and unprecedented advertising restrictions.
SOPIPA is complemented in California by the privacy of pupil records provision of the California Education Code 49073.1[36] (commonly referred to as AB 1584), which authorizes educational agencies to contract with third party technology providers for educational software or for storage and management of pupil records. The Code requires that contracts between vendors and school systems:
• State that pupil records are the property of and under the control of the local educational agency
• Specify what measures a technology provider will take to ensure the security and confidentiality of pupil records
• Explain how the technology provider and educational agency will together ensure compliance with the Family Educational Rights and Privacy Act (FERPA)
• Prohibit third parties from using any information in the pupil record for any purpose other than those required or permitted by the contract
• Explain how the parent or eligible pupil may review and correct personally identifiable information in the pupil’s records
• Explain how affected parents or eligible pupils will be notified in the event of unauthorized disclosure of the pupil’s records
• Certify that the pupil’s records will not be retained or available to the vendor upon completion of the term of the contract and how that will be enforced
• Prohibit use of personally identifiable information in pupil records to engage in targeted advertising
• Describe how pupils may retain possession and control of their pupil-generated content, if applicable
Contracts that don’t align with AB 1584 can be considered void. Together, SOPIPA and AB 1584 create a comprehensive suite of data privacy regulations for operators in California.
[35] http://blogs.edweek.org/edweek/DigitalEducation/2014/09/_landmark_student-data-privacy.html
[36] http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=EDC&sectionNum=49073.1
Who Must Comply?
SOPIPA applies to operators of websites, online services (including cloud computing services), online applications or mobile applications with actual knowledge that their site, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.
SOPIPA does not apply to operators of general audience products, even if those products are accessible through a K-12 operator’s product. For example, if an operator designs and markets an educational website for K-12 school purposes, and includes a link to a general audience social media or video platform on the website, it is likely that the educational website will need to comply with SOPIPA, but the general audience social media or video platform would be exempt.
An operator does not need to have a contract with a school or district in order to be subject to SOPIPA. Instead, the need to comply is determined by the use, design and marketing of the product.
What is “Actual Knowledge”?
It may seem obvious, but this question was a subject of much discussion prior to the Federal Trade Commission’s (FTC) 2012 update of the Children’s Online Privacy Protection Act (COPPA). The focus there was on how and when a third party would be deemed to have “actual knowledge” that it was operating on a child-directed site.
SOPIPA is silent on the question. However, the existing FTC standard seems to provide a reasonable guide. The FTC noted that the actual knowledge standard was likely to be met when an operator either communicated the nature of its content to the third party or when a representative of the third party recognized the nature of the content.
The FTC further noted that, while other facts might also be sufficient to establish actual knowledge, such facts would need to be analyzed carefully on a case-by-case basis.[37]
If you are told that your product is used primarily for K-12 school purposes or you otherwise identify that as being the case, you have likely met the “actual knowledge” standard.
[37] https://www.ftc.gov/system/files/documents/federal_register_notices/2013/01/2012-31341.pdf
What are “K-12 School Purposes”?
Under SOPIPA, K-12 School Purposes has several key meanings, each of which helps clarify the use cases covered by the restrictions. Overall, they are purposes that customarily take place at the direction of the K–12 school, teacher, or school district – meaning those direct activities traditionally and routinely done by the school as part of carrying out the education of its students.
Further, K-12 purposes may be secondary activities which aid in the administration of school activities, including in the classroom or at home, by school administration, between students, school personnel, or parents, or otherwise for the use and benefit of the school.
Similarly, the SUPER bills include consistent language in their definition of a “school service.” In those laws, school service means a website, mobile application, or online service that:
(a) is designed and marketed primarily for use in a K-12 school;
(b) is used at the direction of teachers or other employees of a K-12 school; and
(c) collects, maintains, or uses student personal information.
Within this definition, SUPER laws expressly exclude websites, mobile applications, or online services that are designed and marketed for general use, even if they are also marketed in a way that includes promotions to K-12 schools. This means that common market products – a word processing program, an administrative management tool, even some children’s apps or games – that are not specifically designed for an educational purpose and marketed directly to schools are not covered by the limitations of the bill.
SOPIPA has the same exception, as does almost every student privacy law in the country, regardless of model origin. This is a frequently misunderstood exclusion, but simply means that these laws do not apply to the wide variety of tools available to the general public, even if they are also used by schools. A vendor selling tools or providing services designed for the general public isn’t obligated to redesign them just because schools purchase the products or students happen to visit the websites.
The use of these general products is still covered by existing, separate federal and state laws, which make it clear that schools are restricted from requiring students to share data except for appropriate educational purposes. If a school purchases a general audience product and requires students to use it, it is still ultimately responsible for making sure that the tool complies with privacy regulations that apply to the school.
What Information Is Protected Under SOPIPA (“Covered Information”)?
SOPIPA protects a wide range of student information, referred to as “covered information.” It includes information provided by the student, and information provided about the student by school representatives, parents and legal guardians.
Covered information is defined as personally identifiable information or materials, regardless of media or format, which meet any of the following criteria:
• Created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of their use of the operator’s site, service, or application for K-12 school purposes
• Created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator
• Gathered by an operator through the operation of a site, service or application and is descriptive of a student or otherwise identifies a student, including, but not limited to these 29 items:
Information in the student’s educational record or email ~ First and last name ~ Home address ~ Telephone number ~ Email address ~ Other information that allows physical or online contact ~ Discipline records ~ Test results ~ Special education data ~ Juvenile dependency records ~ Grades ~ Evaluations ~ Criminal records ~ Medical records ~ Health records ~ Social security number ~ Biometric information ~ Disabilities ~ Socioeconomic information ~ Food purchases ~ Political affiliations ~ Religious information ~ Text messages ~ Documents ~ Student identifiers ~ Search activity ~ Photos ~ Voice recordings ~ Geolocation information
Most data elements categorized as “covered information” under SOPIPA are already protected as personally identifiable information under federal laws. For example, within FERPA, personally identifiable information includes, but is not limited to name and address of the student and family members, personal identifiers or biometric records, indirect identifiers and the very broadly inclusive: “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty, or information requested by a person who the educational agency reasonably believes knows the identity of the student to whom the education record relates.”[38]
COPPA characterizes personal information to include not only name, address, online identifiers, photos and videos that contain a child’s likeness and audio files that contain a child’s voice, but also geolocation “sufficient to identify a street name and name of a city or town,” as well as persistent identifiers that can be used to recognize a user over time and across different Web sites or online services.[39]
[38] 34 CFR § 99.3
[39] 16 CFR § 312.2
Under SOPIPA, the term “covered information” is meant to include “personally identifiable information,” but unlike in many laws, “personally identifiable information” is not defined in SOPIPA. This creates compliance challenges for operators, because each operator needs to assess the data provided by the student or by teachers and parents about the student, and determine if it could be construed as personally identifiable.
The lack of specificity in the list of items deemed to be covered information compounds the issue. For example, coarse geolocation, sufficient to identify country, state or city, is not usually considered to be personally identifiable or “descriptive” of a student unless combined with other identifiable information. Capturing coarse geolocation (such as state) may be useful for operators to inform students about state-specific scholarships, or to block ads from students and parents in the state.
However, given that SOPIPA is silent on the question of what is personally identifiable, and that it offers no distinction between coarse and fine geolocation, operators must each make a judgment about what would be considered compliant.
In addition, covered information includes information that is “descriptive or otherwise identifies a student.” However, what is descriptive is not often “otherwise identifiable.” A student may be described as 12 years old, with brown hair and brown eyes, but one would not characterize that as “identifiable” unless dealing with an exceptionally small population or combining those descriptors with other information.
Operators also must exercise their own judgment to determine which “documents” are and are not categorized as descriptive or identifiable. Although the law references “all media, regardless of format,” documents in particular are called out separately with no explanation, and so should be carefully evaluated for possible relevance under this section.
Operators will need to use care and caution when working through the factors, assess their risk and make a reasonable determination about what data is actually covered. One of the pitfalls of SOPIPA is that – in the absence of official guidance – such determinations may vary wildly across industry, or by what requirements may be set in different school districts, making state-wide compliance challenging or potentially contradictory.
Specific Requirements of SOPIPA for EdTech Vendors
Under SOPIPA, operators may not:
• Engage in targeted advertising on their site, service or application, or target advertising on any other site, service or application when the targeting is based on any information, including covered information and persistent unique identifiers, that has been acquired because of the use of that operator’s site, service or application
• Use information, including persistent unique identifiers, created or gathered by the operator’s site, service or application, to amass a profile about a K-12 student, except in furtherance of K-12 school purpose
• Sell a student’s information, including covered information
• Disclose covered information except in specific, limited circumstances
Operators must:
• Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information
• Protect covered information from unauthorized access, destruction, use, modification, or disclosure
• Delete a student’s covered information if requested by the school or district that controls the information[40]
What is Targeted Advertising?
This is one of the most complex provisions of SOPIPA, primarily because it is not clearly defined. As a result, the prohibition creates a significant compliance challenge for operators, and leaves schools and operators with a lack of clarity about the role of ad supported technology in education. For more on the questions surrounding targeted advertising, see the Discussion Annex.
When Can an Operator Disclose Covered Information?
Covered information may be disclosed only to:
• Further the K-12 purpose of the site, service or application, provided that the recipient:
    o Does not then disclose the information unless to allow or improve operability and functionality within the student’s classroom or school; and
    o Is legally required to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification and disclosure
• Ensure legal and regulatory compliance
• Respond to or participate in judicial process
• Protect the safety of users or others, or the security of the site
• A state or local educational agency, including schools and school districts, for K-12 school purposes, as permitted by state or federal law
• A service provider, when the operator contractually:
    o Prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator
    o Prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties
    o Requires the service provider to implement and maintain reasonable security procedures and practices as described above
[40] The “school official” exception under the Family Educational Rights and Protections Act (FERPA) already requires that operators be under the “direct control” of the educational agency as a condition of receiving student data. http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=16796a773ac48f980cdfaed80b1fa94a&rgn=div5&view=text&node=34:1.1.1.1.33&idno=34
How Can Operators Use Student Information?
Operators may use student data to conduct:
• Legitimate research, defined as:
    o Required by state or federal law and subject to the applicable legal restrictions
    o Allowed by state or federal law and under the direction of a school, school district or state department of education, provided that covered information is not used for anything other than the K-12 school purposes
Operators may use deidentified information for product improvement, marketing and development:
• Within any of their own sites, services or applications to improve educational products
• To demonstrate the effectiveness of the operator’s products or services, including in their marketing.
Finally, operators may use aggregated, deidentified information to develop and improve educational sites, services or applications.
SOPIPA Rights for Students
Under SOPIPA, students may download, export or otherwise save or maintain data or documents that they create. This is an important note for operators, as it allows for an independent relationship with the student user, who may wish to maintain continuity of their work over time. It is a provision that is not always being included in other state laws that are modeled after SOPIPA.
School and District Guidance on SOPIPA – What to Expect
While SOPIPA applies to technology providers, schools and districts want to ensure that operators comply with SOPIPA before engaging. A few districts in California have issued guidance to schools. However, the guidance is limited and varies widely.
Guidance available from the Los Angeles Unified School District,[41] which predates passage of SOPIPA, notes:
“Indeed, a secondary market of application or ‘App’ development and educational product advertising has evolved around these online services that hold student personal information. Developers are using student data to design new applications that can be sold on these in-system K-12 online sites or ‘stores.’ ‘Apps’ purchased in these ‘stores’ oftentimes have no privacy policy presented during the purchase. This is leaving student personal information vulnerable for a host of uses never contemplated by the students or educators. Current federal and state privacy laws are deficient in protecting student personal information. It is imperative that online companies that market their online sites to schools and students for K-12 school purposes ensure that the sensitive information they hold regarding California students remains safe.”
When working with schools and districts in California, be prepared for questions, and a good deal of anxiety.
Several districts require that vendors answer checklists in the form of “yes/no” questions that list key provisions of both SOPIPA and AB 1584. Unfortunately, some of these checklists do not always track legal requirements, creating some concern.
When it comes to standardized or prescribed contract language, some schools or districts do not allow operators to correct mistakes in proposed contract terms, or to strike language that is not applicable to the product. As such, operators may be forced to find alternative ways to call out contractual provisions that are not relevant, or in extreme cases, may choose to not serve that district.
One district includes a standardized requirement that operators guarantee compliance with the entire California Education Code. Since the code deals with a wide variety of topics, including sex equity, violence prevention, county boards of education, election conduct, child care facilities, bonds, retirement and more that is not applicable to technology providers, this is something of a misfit for providers to assert, when it would be more appropriate to specify only the 49073.1 provisions, which are applicable.
Some schools and districts remain unfamiliar with the details, or sometimes even the broad outlines, of the new laws, and in those cases, the burden is particularly strong on the vendor to ensure that both sides are aware of the requirements, so they can work in partnership to fulfill them.
Some districts do not have privacy policies on their own websites or do not display them prominently, and are otherwise struggling with their own compliance practices. They are also frequently delaying development of their own SOPIPA-based requirements in the expectation that the state will provide more detailed instruction. Until that happens, if it does, patience, knowledge, flexibility and guidance from the vendor will be invaluable to ease the fears, ensure compliance and help in crafting balanced and legally enforceable contracts.
[41] http://home.lausd.net/apps/search/?q=sopipa&x=0&y=0
Guidance from the State of California
Guidance emerging from the State Attorney General’s office is in the form of “recommended practices.” Since it is not being issued as binding regulatory interpretation to ensure compliance with SOPIPA, it does not carry the weight of law. While it provides a sensible approach to some areas of protecting student privacy, it does not further clarify some of the vaguer terms and requirements in SOPIPA. As such, operators will still bear the responsibility, in conjunction with guidance from counsel, to determine their thresholds for compliance. It may be that subsequent legal challenges are what end up defining the true scope of the law.
Legal Remedies
The enforcement authority and likelihood of action under SOPIPA are other aspects that diverge significantly from FERPA. Under FERPA, individuals do not have a private right of action – only DoEd may bring a claim against an educational institution for a violation. However, since the withholding of federal funds associated with a FERPA violation response could have extreme consequences for a school or district, FERPA budgetary withholding has never been implemented.
In contrast, SOPIPA provides a private right of action, in addition to actions which may be brought by the state Attorney General, so it is foreseeable that enforcement actions may occur more often and allow for more graduated penalties. Nevertheless, beyond establishing who may bring a claim by virtue of it being enforced under the California Business Code, SOPIPA contains no provisions for its own enforcement.
Currently, violations are expected to be addressed under California’s far-reaching Unfair Competition Law (“the UCL”),[42] which defines “unfair competition” to include virtually any unlawful business practice.[43] The UCL authorizes enforcement proceedings by government officials such as the Attorney General, district attorneys, county counsel and city attorneys and, in more limited circumstances, by private individuals and entities.[44] A court may issue an injunction, requiring the wrongdoer to stop the violation. The court also may order restitution in the form of return of money or property lost as a result of the offending conduct,[45] or it may impose civil penalties. The UCL makes clear that its remedies are intended to supplement other existing law, so it is possible that victims may simultaneously seek relief under the UCL and other statutes that may offer protection based on the same facts.[46]
[42] See California Business and Professions Code, §§ 17200 through 17209.
[43] UCL, § 17200. See also Comm. On Children’s Television, Inc. v. Gen. Foods Corp., 35 Cal.3d 197, 210 (1983).
[44] UCL § 17204.
[45] See Madrid v. Perot Systems Corp., 130 Cal.App.4th 440, 452, 30 Cal.Rptr.3d 210 (2005).
The UCL imposes significant limitations on the ability of private individuals and entities to sue under the statute. For many years, private parties were not required to show any actual injury or financial harm in order to bring a lawsuit under the UCL which, in the view of the business community and the Legislature, was “subject to abuse by attorneys who used it as the basis for legal ‘shakedown’ schemes”[47] and frivolous lawsuits.[48] But a 2004 amendment to the UCL, known as Proposition 64, now requires private plaintiffs to show that they “suffered injury in fact and . . . lost money or property” as a result of the unfair competition. The phrase “injury in fact” is a technical legal term intended to permit only parties who have actually suffered demonstrable harm to bring suit, and to prevent lawsuits brought in the public interest by individuals or organizations who have not suffered harm themselves.
Showing “injury in fact and . . . lost money or property” could be a daunting challenge in cases involving improper disclosure of online personal data. Some data breach cases decided under the UCL, prior to SOPIPA, have allowed suits to go forward if plaintiffs could at least show that they paid more for an offending company’s product than they would have had they known of the company’s shoddy data security measures.[49] But unlawful data mining, targeted advertising and other practices prohibited by SOPIPA may not involve payment of money by the aggrieved party, rendering even this low threshold of proof impossible to meet in many cases. This will be made ever more challenging for plaintiffs given the lack of specificity in key provisions of the law.
Since the same events triggering a violation of SOPIPA may also be sued upon if they violate other law, it can be anticipated that creative plaintiffs’ counsel will attempt to develop viable theories of liability under the California Constitution’s right of privacy clause,[50] and other state statutes. Since SOPIPA just became effective in January 2016, however, it is too soon to assess how receptive the California courts will be. Notwithstanding the viability of specific legal claims, since vendors who are the subject of such actions are likely to experience reputational harm, they may want to consider a conservative approach and practice.
[46] UCL § 17205.
[47] See Buckland v. Threshold Enterprises, Ltd., 155 Cal.App.4th 798, 812, 66 Cal.Rptr.3d 543 (2007), disapproved on other grounds in Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 337, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011).
[48] See Californians for Disability Rights v. Mervyn’s LLC, 39 Cal.4th 223, 228, 46 Cal.Rptr.3d 57, 138 P.3d 207 (2006).
[49] In re Anthem, Inc. Data Breach Litigation, ____ F.Supp.3d ____, 2016 WL 589760 (N.D. Cal. 2016); In re Adobe Systems, Inc. Privacy Litigation, No. 13-CV-05226-LHK, 2014 WL 4379916 (N.D. Cal. 2016) *16 (N.D. Cal. 2014). See also In re Sony Gaming Networks & Customer Data Security Breach Litigation, No. 11MD2258 AJB MDD, 2014 WL 223677 (S.D. Cal. 2014).
[50] Article I, section 1 of the California Constitution provides: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
Which States Are Following California’s Lead?
Seventeen states have passed laws that resemble or take inspiration from SOPIPA, resulting in 18 new laws:
Arkansas HB 1961 ~ California AB 2799 ~ Connecticut HB 5469 ~ Delaware SB 79 ~ Georgia SB 89 ~ Hawaii SB 2607 ~ Kansas SB 2008 ~ Maine LD 454 ~ Maryland HB 298 ~ Nevada SB 463 ~ New Hampshire HB 520 ~ North Carolina HB 632 ~ Oregon SB 187 ~ Tennessee HB 1931 ~ Virginia HB 1612 ~ Virginia HB 519 ~ Virginia HB 749 ~ Washington SB 5419
In all, 33 states have considered bills that resemble SOPIPA. Seven states have passed legislation with clauses modeled after SOPIPA in 2016,[51] a number that is likely outdated by the time you read this. Not every such bill or law includes all of the provisions of SOPIPA, and it remains to be seen how interpretation and enforcement of SOPIPA might influence legislative action across the country.
Key Differences:
Several state laws have more clearly defined preclusions around advertising, having clearly spent some time trying to carve out a more precise definition. For example, Virginia law clearly explains that operators may not, “use or share any student personal information for the purpose of behaviorally targeting advertisements to students,”[52] where “behaviorally targeting advertising” is a previously defined term for industry (see Annex, “What is Targeted Advertising?”).
Oregon law precludes targeted advertising, but defines it as “advertising presented to a student based on information obtained or inferred from the student’s online behavior, usage of applications or covered information.” Targeted advertising under Oregon law does not include “advertising presented to a student at an online location based upon the student’s current visit to that location or as a single search query, as long as the student’s online activities are not collected or retained over time.”[53]
Similarly, Georgia law defines targeted advertising as “presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student’s online behavior, usage of applications or student data,” and that it does not include “advertising to a student at an online location based upon that student’s current visit to that location or a single search query without collection and retention of a student’s online activities over time.”[54]
Still other states are looking at the student data privacy legislative landscape and, while enacting strong data privacy protections, are also taking steps to ensure that beneficial services are not unintentionally precluded by the laws. For example, Colorado law notes that its definition of targeted advertising specifically does not include use of a student’s personally identifiable information to identify higher education institutions or scholarship providers that are looking for students who meet specific criteria, provided that it’s done with the permission of the student or the student’s parent.[55]
[51] http://dataqualitycampaign.org/resource/2016-student-data-privacy-legislation/
[52] http://lis.virginia.gov/cgi-bin/legp604.exe?151+ful+CHAP0728
[53] https://olis.leg.state.or.us/liz/2015R1/Downloads/MeasureDocument/SB187/Enrolled
What Should Operators Do Now?
This resource should help you become familiar with the key requirements of SOPIPA, but it’s just the beginning. As always when it comes to student data privacy, taking responsibility for proper and compliant stewardship of student data is a requirement for operating in the education arena, as is partnering in a positive and proactive manner with schools and districts.
In the absence of definitive state guidance, consult with competent legal counsel to assess any risk you might have with respect to SOPIPA, and ensure that your data privacy and security policies and practices are in alignment with all relevant and applicable federal, state and local laws and norms. Reassess your third parties, their data handling practices and your contracts to be sure they contain the necessary restrictions. Also assess all current and future product development and data handling operations in accordance with the regulations, in partnership with competent legal and compliance guidance. In addition, pay close attention to any authoritative regulatory guidance that emerges from California and other states.
Conclusion
This guide provides an overview of SOPIPA, comparing the California statute with federal law and other state statutes governing school service providers. As a reminder, nothing in this guide should be considered legal or compliance advice, and actions based on the interpretation and recommendations here cannot be guaranteed to ensure compliance with any particular law(s).
Clearly, guidance from the State of California would be helpful to interpret the vaguer points of SOPIPA. In its current form, it is unclear what specific actions will ensure operator compliance with some SOPIPA provisions; therefore, it is important for operators to remain aware of industry norms and to comply with the spirit of the regulation.
[54] https://legiscan.com/GA/text/SB89/2015
[55] http://www.leg.state.co.us/clics/clics2016a/csl.nsf/fsbillcont3/65C31D600337BF8787257F2400644D7C?open&file=1423_enr.pdf
ANNEXES
A. Relevant Laws
B. What is Targeted Advertising?
C. What Can Parents Authorize?
D. What are “Reasonable Security” Procedures and Practices?[56]
[56] https://ferpasherpa.org/s-p.html#security
A. Relevant Laws
FEDERAL:
FERPA – Family Educational Rights and Privacy Act (20 U.S. Code § 1232g)
    i. FERPA – Final Rule 2011 (34 CFR Part 99)
    ii. FERPA – Department of Education Guidance for Eligible Students
COPPA – Children’s On-Line Privacy and Protection Act (15 U.S. Code § 91)
    i. FTC COPPA Rule, Guidance, and FAQs (16 CFR Part 312)
PPRA – Protection of Pupil Rights Amendment (20 U.S. Code § 1232h)
STATE:
SOPIPA – Student Online Personal Information Protection Act (SB 1177)
CA Education Code / Privacy of Pupil Records – (49037.1)
Summary of Other State Laws – (Data Quality Campaign - 2016)
2015: Arkansas HB 1961 ~ Delaware SB 79 ~ Georgia SB 89 ~ Maine LD 454 ~ Maryland HB 298 ~ Nevada SB 463 ~ New Hampshire HB 520 ~ Oregon SB 187 ~ Virginia HB 1612 ~ Washington SB 5419
2016: California AB 2799 ~ Connecticut HB 5469 ~ Hawaii SB 2607 ~ Kansas SB 2008 ~ North Carolina HB 632 ~ Tennessee HB 1931 ~ Virginia HB 519 ~ Virginia HB 749
B. What is Targeted Advertising?
A critical provision of SOPIPA requires that operators do not, “Engage in targeted advertising on their site, service or application, or target advertising on any other site, service or application when the targeting is based on any information, including covered information and persistent unique identifiers, that have been acquired because of the use of that operator’s site, service or application.”
The reference to “targeted advertising” has since been widely imitated in other state legislation, yet this provision is constructed so as to create both operational and possibly Constitutional issues that are worth discussion.
Before diving in further, it’s important to review how the clause is actually written in the law. As constructed, it refers to two different types of advertising:
1. Targeted advertising on the operator’s site, service or application; OR
2. Targeted advertising on any other site, service or application when the targeting is based on any information, including covered information and persistent unique identifiers, that have been acquired because of the use of that operator’s site, service or application
To comply with the law, we first need to answer the question, “what is targeted advertising?” It’s been the subject of much discussion and debate, as it is not defined in SOPIPA. Existing federal regulation, industry self-regulation and other guidance do not define it either. Instead, regulation most commonly uses the following terms.
Existing terms:
Behaviorally targeted advertising (also referred to as online behavioral advertising [OBA] or interest-based advertising) has been defined by the Digital Advertising Alliance[57] (DAA) as “the collection of data online from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on preferences or interests known or inferred from the data collected.”[58] Serving behaviorally targeted advertising does not actually require collection of personal information. Instead, a party will serve ads to a user based on a profile developed from tracking the computer browser activities over time and across different websites and online services.
[57] Digital Advertising Alliance is “an independent non-profit organization led by the leading advertising and marketing trade organizations.” It represents a cross-industry self-regulatory program that “establishes and enforces responsible privacy practices across industry for relevant digital advertising, providing consumers with enhanced transparency and control.” http://www.aboutads.info/
[58] http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf
ThedefinitionhaslargelybeenacceptedbytheFTC,andisdescribedinsimilarfashioninitsSelf-RegulatoryPrinciplesforOnlineBehavioralAdvertising.59ThistypeofadvertisingisprecludedbytheChildren’sOnlinePrivacyProtectionAct(COPPA)forchildrenunder13withoutprior,verifiableparentalconsent,aswellasbytheexistingself-regulatoryadvertisinggroups,includingDAAandtheNetworkAdvertisingInitiative(NAI).60Contextualtargeting(alsoreferredtoascontextuallyrelevantadvertising)isdefinedbyDAAasadvertisementsthataredelivered“basedonthecontentofaWebpage,asearchquery,orauser’scontemporaneousbehaviorontheWebsite.”61NAIexpandsabitfurtherexplaining,“theadselecteddependsuponthecontentofthepageonwhichitisserved,or‘firstparty’marketinginwhichadsarecustomizedorproductsaresuggestedbasedonthecontentofthepageorusers’activityonthepage(includingthecontenttheyvieworthesearchestheyperform).”62 TheFTCechoesthisinpolicystatementsandincommentssurroundingCOPPA.There,theFTCnotesthatcontextualtargeting,“ismoretransparentandpresentsfewerprivacyconcernsascomparedtotheaggregationanduseofdataacrosssitesandovertimeformarketingpurposes.” ContextualtargetingispermittedunderCOPPA.
Why Does This Matter?

The definition of targeted advertising is critically important for a variety of reasons. Consider the case of the student who progresses quickly through curriculum material and is ready for more. Perhaps the student is working on math lessons through a product used in school and at home. After completing the work assigned by the teacher, would the operator be able to let the student or the parent know that more advanced materials were available for purchase, or would that be considered “targeting” under the undefined provision of SOPIPA? Would operators be able to promote books to parents of young readers, including books the student might enjoy based on preferences they’ve expressed? Schools have long advertised products and services that are likely valued by parents and students based on activities and school programs: ads related to musical providers to members of band and orchestra; sports equipment or opportunities advertised to students of various athletic teams; scholarship ads to juniors and seniors, both for local opportunities, and perhaps more long distance options not otherwise easily discoverable.
[59] https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/p085400behavadreport.pdf
[60] https://www.networkadvertising.org/2013_Principles.pdf
[61] http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf
[62] https://www.networkadvertising.org/2013_Principles.pdf
Without a clear definition of targeted advertising, it is unclear to operators where the line falls between these traditional and accepted ads and inappropriate use of personalized information now available in greater detail via students’ digital records. To ban advertising broadly risks depriving students and parents of information and opportunities they expect and desire.

Persistent Identifiers and Advertising: SOPIPA includes “persistent identifiers” in its definition of covered information, and as such, such identifiers may not be used for “targeted advertising.” However, SOPIPA doesn’t take into account the most common mechanisms by which advertising is served online, and the reasons behind those mechanisms.

Persistent identifiers come in several formats, with many dependent on the device itself and not necessarily the user. They serve a variety of purposes, including many that are for the convenience of the user. A persistent identifier is what allows the user to customize their site content and have those preferences retained the next time they visit. It is also what allows the user to retain their progress over time.

When it comes to advertising, persistent identifiers aren’t just used to serve ads, they’re also used to restrict ads. For example, persistent identifiers are used to place a cap on the number of times a user sees ads. They’re also used to ensure that users don’t see the same ads repeatedly.

Operators can use persistent identifiers to ensure that ads that meet the regulatory and self-regulatory requirements for children are served to children, and that ads not appropriate for children are served only to older users.

Under COPPA, the FTC acknowledges that – unlike all other personal information – persistent identifiers may be collected without prior parental notice or consent when used only to support specific internal operations, including serving contextual advertising and capping the frequency of advertising. [63]
So what does SOPIPA intend to restrict? Certainly, the second half of the clause, which is a ban on “targeted advertising on any other site, service or application when the targeting is based on any information, including covered information and persistent unique identifiers, that have been acquired because of the use of that operator’s site service or application” is well-defined. Retargeting to students and parents is entirely prohibited. However, whatever is actually meant and enforceable with respect to the ban on “targeted advertising” alone remains unclear.

[63] Support for the internal operations of the Web site or online service means: (1) Those activities necessary to: (i) Maintain or analyze the functioning of the Web site or online service; (ii) Perform network communications; (iii) Authenticate users of, or personalize the content on, the Web site or online service; (iv) Serve contextual advertising on the Web site or online service or cap the frequency of advertising; (v) Protect the security or integrity of the user, Web site, or online service; (vi) Ensure legal or regulatory compliance; or (vii) Fulfill a request of a child as permitted by §312.5(c)(3) and (4); (2) So long as The information collected for the activities listed in paragraphs (1)(i)-(vii) of this definition is not used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.
What are some of the consequences of such restrictions? It’s difficult to overstate the adverse impact of student data privacy legislation in which key provisions are undefined. However, one area to consider is the potentially unintended consequences that could result. There are many with SOPIPA. Since “covered information” is defined so broadly and “targeted advertising” is undefined, some advocates interpret SOPIPA as imposing a complete advertising ban. A ban on even contextually relevant advertising would prohibit providing potentially useful and desirable opportunities, and potentially restrict self-directed learning and parent-guided progress. In addition, colleges would not be able to promote admissions only to junior and senior students, or to students who otherwise undermatch at a particular institution. In a product that includes levels for multiple grades, it would prove nearly impossible to prevent younger users from seeing advertising intended only for older audiences, and vice versa. Organizations – even nonprofits or foundations – interested in reaching eligible students with scholarships would not be able to take advantage of technology to reach those students who meet certain requirements. Promotion of traditional school activities, such as selling class rings, yearbooks, class photos and more could be stifled. However, since “targeted advertising” remains undefined in SOPIPA, it will be important to look at how the California Attorney General’s office chooses to interpret and apply the clause over time.
C. What Can Parents Authorize?

Over the last two years, public concerns about student data collection have grown. Policymakers have responded to those concerns by proposing new state and federal legislation to address a variety of possible risks. Some advocates worry that sensitive data will be sent to state or federal authorities for uses they do not consider appropriate. Some are concerned that student records will be used in a discriminatory manner by colleges or future employers. Some worry that schools or vendors will sell or improperly share student data. Basic concerns about both schools and vendors simply having adequate privacy and security measures in place must be addressed by responsible stakeholders, but unfortunately some of the reactions to these concerns have unnecessarily limited parents’ rights to authorize disclosure or use of their children’s information. SOPIPA is an example of this overreach – which has been at least ameliorated in many of the bills modeled on it.

Federal and state lawmakers sought ways to implement and enforce student privacy laws to ensure protection of student data. In 2015, there were over 180 student privacy bills [64] under consideration in 46 states, up from the previous year’s record of 110 student privacy bills proposed in 36 states. In addition, in 2015, the U.S. House of Representatives [65] and U.S. Senate [66] each proposed legislation directed at ed tech vendors as well as drafting rewrites or proposed amendments to the Family Educational Rights and Privacy Act (FERPA) to update the responsibilities of schools and educational agencies. [67]

FERPA is founded on a parent’s right to access their child’s education record. Many bills sought to ensure or expand parental access to data in the new context of school-vendor partnerships, responding to worries that these data weren’t covered or that data held by vendors wouldn’t also be accessible to parents. However, to address concerns about data being further shared with data brokers or unauthorized parties, many bills – including SOPIPA – broadly ban a vendor from sharing student data with any additional third parties. SOPIPA has no provision for parents to consent to uses of their child’s data for purposes precluded by SOPIPA. When advised that vendors were typically directed by schools or parents to send data to colleges or scholarship or financial aid organizations, some legislators amended bills in other states to include provisions allowing vendors to share data with those recipients only, with the permission of the schools or parents. However, any other transfer of student data is frequently still banned. These bans create a significant barrier for a wide range of beneficial uses of data that parents and students want to enable.

With all the extracurricular and specialized opportunities available online, there are an increasing number of areas where parents may want to use data from or about their child to support activities outside of the school’s curricular programs. They may want to make their child’s data available to a tutoring program, to a college mentoring program or other educational support services.

[64] Data Quality Campaign. "Student Data Privacy Legislation: What Happened in 2015, What Is Next?" (n.d.): n. pag. 24 Sept. 2015. Web.
[65] "Messer, Polis Introduce Landmark Bill to Protect Student Data Privacy." N.p., 29 Apr. 2015. Web. 12 Nov. 2015.
[66] S.1788 - 114th Congress: SAFE KIDS Act. Text. N.p., n.d. Web. https://www.congress.gov/bill/114th-congress/senate-bill/1788/text
[67] H.R.3157 - 114th Congress: Student Privacy Protection Act. Text. N.p., n.d. Web. https://www.congress.gov/bill/114th-congress/house-bill/3157/text?resultIndex=1
Under SOPIPA, the parent cannot do so. Even with explicit parental request or permission, the vendor is forbidden from disclosing the student’s data to the designated third party. This lack of a parental choice option to share data limits every parent’s ability to make the best choices for their own child. The law authorizes parents to download or obtain physical copies of the file or account data, but the language denies the ed tech company the ability to directly share it, even with the parent’s request or consent. This puts the transfer burden on the parent, may open security concerns and can close off avenues to ensure that the information will be used effectively and efficiently. Without that ability for parents to request electronic transfer or access from those vendors who may be able and willing to provide it, the parent and student are forced to essentially start from scratch each time they start a new program outside of school.

This may become particularly relevant for children with disabilities or learning challenges who are some of the “power users” of multiple resources beyond the school. Students with physical or educational challenges usually have what are referred to as “thick files” – a great deal of information built up over time which is critical to their academic and personal success. Today, this information exists electronically. Transitioning to new or added services without the ability to easily integrate existing information creates a tremendous burden on parent and provider when each new program may have to reassess and freshly establish or document the child’s abilities and requirements.

It’s critical that new legislation consider first, what are the real – not the imagined – adverse privacy and security issues with student data, what are schools appropriately resourced and empowered to act around that data, how does technology really work, what are vendors truly doing (and not doing) with the data, and what do parents and students need to best support each individual’s education pathway.
D. What are “Reasonable Security” Procedures and Practices? [68]

This checklist is designed to provide a simple baseline of security principles and practices as an ed tech business grows its products and services. This list of tips does not constitute a complete security policy, but if followed, will ensure that vendors have taken the best, first steps toward responsible protection of student data, as these tips flag many of the common key concerns.

1. Risk: Data Interception
Solution: Encrypt Data in Transit
End-user network traffic is easily monitored or intercepted on open WiFi or over the wire by the operator of the network. To prevent sensitive information from being accessible to unintended parties, use HTTPS (SSL/TLS). Do not send passwords in clear text! (Also encrypt data at rest; see 4. below)

2. Risk: Vulnerable Software
Solution: Regularly Patch and Update Software, Servers and Endpoints
Many data breaches are caused by the exploitation of vulnerabilities for which there are known fixes. In other words, the breach didn’t have to happen. Require appropriate personnel to patch and update systems, quickly, routinely, programmatically, and often, in accordance with policy. Commonly, operations personnel apply patches and version updates, while security analysts/engineers run scans to confirm that patching has been applied and vulnerabilities are remediated. (Keeping the distinction between the two roles provides a check and balance within the process.)

3. Risk: Database Compromise (Injection Attacks)
Solution: Use Accepted Secure Coding Practices
Code can masquerade as data, and the resulting “injection” attacks are the source of many data breaches. Thankfully the necessary secure coding practices to prevent injection attacks are well known, such as parameterized queries and sanitizing inputs. See SQL Injection Prevention Cheat Sheet.
4. Risk: Lost or Stolen Laptops and Workstations
Solution: Require Full Disk Encryption
Require your security team to use full-disk encryption on all laptops and workstations. All information at rest in your control should be encrypted. This includes your servers, third party servers, but especially when it lives on a machine that can be tucked under an arm and carried out the door. If you use or allow portable storage media (thumb drives, any portable media), they should also be encrypted. Train employees to report lost or stolen equipment immediately.

[68] https://ferpasherpa.org/s-p.html#security
5. Risk: Password Compromise
Solution: Deploy 2-factor authentication.
Require development teams to deploy 2-factor authentication on web-accessible log-ins. Yes, this is not always possible, or practical. Strive for it where possible; when it is not feasible, employ strong password rules and controls; apply practices appropriate to the level of risk of the data involved.

6. Risk: Relying on Hashing to De-Identify Data
Solution: Use Properly Salted Hashes
Although many hash outputs or “digest” values cannot be easily reverse-engineered to determine the hash input, calculating look-up tables for certain types of uniform data is very easy. For example, a look-up table for all U.S. phone numbers can be calculated very quickly and used to look up “hashed” phone numbers. The solution is to use salted hashes and consult with a computer scientist to verify strength of resulting de-identification.

7. Risk: Cloud Services (reminder, there is no “cloud” – it’s just someone else’s computer)
Solution: Do Your Due Diligence.
Determine if you can even use a cloud solution based on legal requirements. If you don’t encrypt student data before it is sent to the cloud, the cloud provider has physical access to the data.

8. Risk: Third-Party Management and Hosted Solutions
Solution: Due Diligence and Contractual Constraints
Your responsibility and authority for data in your possession/control extends to its management while under the control of a third party providing you a service. Contractual constraints:

• Seek third party audits or audit reports
• Verify insurance requirements and comply
• Include relevant reps and warranties
• Require incident response provisions
9. Risk: Browser Compromise Through Java Plug-In
Solution: Disable the Java Plug-In in all Browser Software Enterprise-Wide
Never Publish Software that Requires the Java Plug-in to be Installed in Order to Run
Many instances of browser compromise occur because of security issues with the Java Plug-in for browsers. Block and disable the plug-in.

10. Risk: Other Browser and App Compromise
Solution: Require In-House and External Developers to Satisfy the Appropriate ASVS Standard
Consider using the ASVS standards – the aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market for Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. See https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf.
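Item 3 of the checklist names parameterized queries as the standard defense against injection. The sketch below is an added example, not code from the guide: it places a concatenated query beside its parameterized form on an in-memory SQLite database, with a constructed `students` table and hypothetical function names.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed student records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade INTEGER)"
    )
    db.executemany(
        "INSERT INTO students (name, grade) VALUES (?, ?)",
        [("Ana", 4), ("Ben", 7), ("Chloe", 11), ("O'Neil", 9)],
    )
    return db


def find_student_unsafe(db, name):
    """Vulnerable: the input is spliced into the SQL text, so it can alter the query."""
    query = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_student_safe(db, name):
    """Parameterized: the driver binds the input as a value, never as SQL."""
    return db.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def compare(db, name):
    """Run both lookups on the same input and report how many rows each returns."""
    try:
        unsafe = len(find_student_unsafe(db, name))
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"  # a legitimate apostrophe breaks the spliced query
    return {"unsafe": unsafe, "safe": len(find_student_safe(db, name))}


if __name__ == "__main__":
    db = make_db()
    for value in ["Ben", "O'Neil", "x' OR '1'='1"]:
        print(repr(value), compare(db, value))
```

The concatenated version fails in both directions: crafted input returns every record, and an ordinary name containing an apostrophe raises a syntax error.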
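Item 6 of the checklist warns that hashing uniform data such as phone numbers does not de-identify it. The following added example (not from the guide) audits a constructed data set both ways; it assumes "properly salted" means HMAC-SHA-256 under a secret random salt, and the function names and the 202-555-xxxx sample block are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample space: one exchange (10,000 numbers) stands in for the
# full U.S. numbering plan, which is only a few billion values.
AREA_EXCHANGE = "202555"


def candidate_numbers():
    """Every 10-digit number in the constructed 202-555-xxxx block."""
    return (f"{AREA_EXCHANGE}{n:04d}" for n in range(10_000))


def unsalted_digest(phone: str) -> str:
    """Plain SHA-256: the same input always yields the same digest."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_digest(phone: str, secret_salt: bytes) -> str:
    """HMAC-SHA-256 under a secret salt stored apart from the data set (assumption)."""
    return hmac.new(secret_salt, phone.encode(), hashlib.sha256).hexdigest()


def build_lookup_table() -> dict:
    """Precompute digest -> phone number for the whole candidate space."""
    return {unsalted_digest(p): p for p in candidate_numbers()}


def reidentify(digests, table):
    """Return the original value for each digest found in the table, else None."""
    return [table.get(d) for d in digests]


def audit_release(records, secret_salt: bytes) -> dict:
    """Count how many 'de-identified' records the lookup table recovers."""
    table = build_lookup_table()
    weak = reidentify([unsalted_digest(r) for r in records], table)
    strong = reidentify([keyed_digest(r, secret_salt) for r in records], table)
    return {
        "unsalted_recovered": sum(v is not None for v in weak),
        "keyed_recovered": sum(v is not None for v in strong),
    }


if __name__ == "__main__":
    sample = ["2025550143", "2025550199", "2025559876"]  # constructed values
    print(audit_release(sample, secrets.token_bytes(32)))
```

A salt published alongside the data set only defeats precomputed tables; for an input space this small the table can simply be rebuilt with the salt, so the salt has to stay secret.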
Additional Areas to Address for Security Policy and Practices

• Incident response planning and preparation: have a breach response plan. Your contract may require it, but regardless, you should have (and test, and train for, regularly) your procedures for how to respond in the event of a breach, of different magnitudes
• Insurance
• Establish, update and regularly conduct training for employees, both those directly involved in security systems and those who simply need to understand their own responsibilities
• Employ a system or process for logging and monitoring of all activities

Additional Resources

• https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
• https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
• https://www.ftc.gov/datasecurity