Educators and policymakers around the country will be keeping a close eye on an ambitious suite of K-12 data-privacy measures that went into effect Jan. 1 in California.
The law primarily aims to prevent third-party contractors from selling student data for advertising purposes, and restricts vendors from creating profiles of students for any non-educational purpose. Companies doing business in California districts are now also required to meet basic cyber-security standards and be prepared to delete student data at school or district requests.
When SOPIPA, or the Student Online Personal Information Protection Act, was signed into law by Gov. Jerry Brown in 2014, many experts predicted that the legislation would prompt a series of similar measures by other states also eager to curtail commercial use of student information.
That prediction is proving to be accurate. Arkansas, Delaware, Georgia, Maryland, New Hampshire, Oregon, and Washington each passed state laws loosely based on SOPIPA, according to Brendan Desetti, the director of education policy for the Software & Information Industry Association, a trade association that represents the industry’s interests.
While his group has voiced measured support for legislation that specifically outlines student privacy protections, Desetti cautioned that California’s law could have been more specific in its definitions and compliance standards. For example, he sees a potential for confusion over what practices might constitute “targeted advertising.”
Desetti is watching to see “how it plays out,” including guidelines expected from the California Attorney General’s office which are expected to give a more detailed understanding of what state officials are looking for.
Craig Cheslog, the vice president of California Policy for Common Sense Media, a nonprofit advocacy organization that helped write and shepherd the bill to passage, is confident the law will ensure “school zones remain privacy zones.”
Specifically, Cheslog stressed the importance of the law’s provision that the burden of compliance be placed on the vendor, rather than teachers, and that it applies “whether or not a contract with the district has been signed.”
In addition, he applauded the fact that the bill passed without any loopholes or special provisions, such as controversial parental consent exemptions.
These exemption requests, according to Cheslog, give districts a financial incentive to have as many students as possible sign on, and are often phrased to parents in such ways as “do you agree to allow us to share your student’s information to companies that could provide scholarships?” Furthermore, Common Sense Media has found some instances where parents are told that they must acquiesce to exemption requests or their child will lose access to the ed-tech service in question.
In addition, the group has fought exceptions for “recommendation engines,” which Common Sense Media argues are put forward “under the guise of ‘adaptive learning’” to circumvent the law’s essential protections.
Of the states listed by Desetti that have passed student privacy legislation modeled on SOPIPA, only the Delaware, New Hampshire, and Oregon measures match the California law’s rigor, according to Cheslog. All the others have unacceptable loopholes, he said.
New Hampshire’s law also went into effect Jan. 1. The measures in Delaware and Oregon become effective July 1.
See also: