California Gov. Jerry Brown signed into law last week aby third-party vendors. The measure is one of the most aggressive legislative attempts to date to balance the promise of digital learning technologies with concerns about the privacy and security of children’s sensitive information.
The new law in California caps a wave of efforts this year by state lawmakers nationwide to better protect students’ sensitive educational information.
The new privacy measures, enacted in 21 states during recent legislative sessions, in some cases build on previous efforts. The new laws generally fall into one of three categories: prohibiting the collection of certain types of student data; attempting to improve state and district data-governance policies; or, in California’s case, establishing comprehensive guidelines for how third-party vendors should handle student information.
Amid the flurry of activity, the impact on educational technology vendors remains uncertain. Industry representatives have mostly expressed public support for the laws that were enacted and shared only mild concerns about possible downsides.
“A lot of the laws that were passed were not specifically aimed at the role of third-party service providers,” said Mark Schneiderman, the senior policy director for the Washington-based, or SIIA. “We hope there are not too many with unintended consequences that may inhibit legitimate educational purposes.”
Protecting student data has become an increasingly contentious issue over the past year, with parents and activists expressing growing concern about the nature and volume of digital data that schools now share with vendors that host student information in the cloud, track students’ educational progress, and manage administrative record-keeping.
Such worries helped prompt Florida state Sen. Dorothy L. Hukill to sponsor a bill—ultimately signed into law in May by Gov. Rick Scott, a fellow Republican—that prohibits the collection of students’ biometric data, which can include such distinguishing characteristics as fingerprints and iris patterns.
In an interview, Ms. Hukill said that the uses of such data that she found to be either in practice or under consideration by Florida schools—including electronic scanning of students’ eyes or fingerprints when they get on or off a school bus, check out a book from the library, or get in line for lunch—represented a “ludicrous” and unnecessary invasion of privacy.
“There’s no need to scan a child to give them a grilled-cheese sandwich,” Ms. Hukill said. “You don’t use the most intrusive method. You use the easiest method.”
But Mr. Schneiderman pointed to the law as one example of potential “unintended consequences.”
The statute, he said, is imprecise and could be interpreted to limit the use of valuable biometric technologies, such as software programs for foreign-language and special-needs instruction that rely on recording students’ voices.
“There’s a big learning curve for policymakers on this issue,” Mr. Schneiderman said. “We’re hopeful that, over time, policymakers will re-examine that [provision] and understand that there are legitimate, appropriate, safe uses of biometric data, just like any other data.”
During their most recent legislative sessions,restricting the collection of some type of sensitive student information, including biometric data, parents’ and students’ political affiliation, and information on gun ownership.
Burden of Responsibility
Industry representatives expressed less concern about the type of legislation enacted in states such as Idaho, which framed its measure around better governance of data by public agencies.
The Student Data, Accessibility, Transparency, and Accountability Act—signed into law in Idaho by Republican Gov. C.L. “Butch” Otter in March—focuses on vesting authority over student-data use with the state board of education and providing districts with guidelines for protecting data and penalties for failing to do so. But the law does not feature any strict mandates or prohibitions.
The bill’s sponsor, state Sen. John Goedde, a Republican, said in an interview that it makes sense to put the burden of responsibility for safeguarding student information on the public sector because the private-sector companies working with schools are generally working directly for states or school districts.
A handful of states enacted similar laws, some of which were modeled in whole or in part on a statute in Oklahoma that, a legislative-advocacy group based in Washington.
In California, meanwhile, the Student Online Personal Information Protection Act, or SOPIPA, focuses explicitly on ed-tech vendors.
The law prohibits operators of online educational services from selling student data and using such information to target advertising to students or to “amass a profile” on any particular student for a non-educational purpose. The law also requires online service providers to maintain adequate security procedures and to delete student information at the request of a school or district.
“I think this is a blunt call to industry to say that school data is for educational purposes, period,” said James P. Steyer, the CEO and founder of, a San Francisco-based nonprofit that helped craft the law.
Although Mr. Steyer said that many of the “major players” in the ed-tech industry had attempted to “water down” the bill during the legislative process, Mr. Schneiderman of the SIIA said that the California measure “seems to generally strike the right balance” between recognizing the promise of digital learning technologies and seeking to protect student information.
Impact on Vendors
One way in which the new California law could have a direct impact on industry is by prohibiting vendors from using “information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K–12 student except in furtherance of K–12 school purposes.”
Such practices came under scrutiny after Google, the Mountain View, Calif.-based online-services giant, was accused of building such profiles in a federal lawsuit that made its way through the courts this year.
The companysent using its wildly popular Apps for Education tool suite for purposes including targeted advertising.
Google later, but company representatives have for months declined to clarify whether Google continues to scan student emails and build profiles of children for commercial purposes other than advertising.
Even in California, the final legislation includes some key accommodations to industry concerns, such as specifying that operators be allowed to maintain and use “de-identified,” or anonymous, student information to develop and improve their own educational products and services.
In general, many in the ed-tech sector seem supportive of the new legislation and hopeful that it will not significantly curtail their activities.
“These are the standards and commitments that we already live up to, and that we think every company working with school districts should live up to,” said Justin Hamilton, a spokesman for Amplify, a New York City-based developer of digital products and services. (Larry Berger, the president of the Amplify Learning division, is a member of the board of trustees of Editorial Projects in Education, the nonprofit publisher of Education Week.)
Privacy advocates have also generally supported the California law.
For the bill’s sponsor, California Senate President Pro Tempore Darrell S. Steinberg, a Democrat, acceptance on both sides of the often-fraught student-data-privacy debate offers reason to believe the law can become a model for the rest of the country.
“The bottom line is that it fosters innovation and protects kids’ privacy and demonstrates that these goals can be complementary,” Mr. Steinberg said in an email. “The old notion of trading privacy for innovation is a false choice.”
A version of this article appeared in the October 08, 2014 edition of Education Week as Calif. Tackles Data Privacy In New Law