California Gov. Jerry Brown signed into law Monday a sweeping measure aimed at restricting the use of students’ educational data by third-party vendors, marking one of the most aggressive legislative attempts to date to balance the promise of digital learning technologies with concerns about the privacy and security of children’s sensitive information.
The Student Online Personal Information Protection Act, or SOPIPA, prohibits operators of online educational services from selling student data and using such information to target advertising to students or to “amass a profile” on students for a non-educational purpose. The law also requires online service providers to maintain adequate security procedures and to delete student information at the request of a school or district.
James Steyer, CEO and founder of Common Sense Media, a San Francisco-based nonprofit that helped craft the law, described SOPIPA in an interview with Education Week as the nation’s “first truly comprehensive student-data-privacy legislation” and said he expects it to become a model for other states around the country.
“It’s a major step forward in creating a trusted online learning environment,” Steyer said. “I think this is a blunt call to industry to say that school data is for educational purposes. Period.”
Protecting student data has become an increasingly contentious issue in recent months, with parents and activists expressing growing concern about the nature and volume of digital data on children that schools now share with third-party vendors.
Twenty states enacted student-data-privacy laws during recent legislative sessions, but the bulk of the new statutes focus on either prohibiting the collection of certain types of data or on requiring states and school districts to improve their governance infrastructure and processes for safeguarding student information. At the national level, a bill to update the main federal law protecting student privacy is currently under consideration in the United States Senate.
California’s new law is unique in putting the responsibility for ensuring the privacy of student data on industry. Governor Brown also signed into law a related bill that would require districts’ contracts with vendors to include certain privacy-related provisions.
Steyer said that many of the “major players” in the ed-tech industry attempted to “water down” SOPIPA during the legislative process, but praised the bill’s sponsor, state Senate President Pro tempore Darrell Steinberg, a Democrat, for “standing up to the tech industry and saying ‘no.’”
The final legislation does include some key accommodations to industry concerns, such as specifying that operators be allowed to maintain and use “de-identified” or anonymous student information to develop and improve their own educational products and services.
Mark Schneiderman, senior director of education policy for the Washington-based trade group Software & Information Industry Association, said the legislation “seems to strike generally the right balance.”
And at least one major ed-tech vendor, New York City-based digital products and services developer Amplify, expressed clear support for the law.
“These are the standards and commitments that we already live up to and that we think every company working with school districts should live up to,” said Justin Hamilton, a spokesman for the company.
Industry reaction was less enthusiastic in some quarters, however.
A spokeswoman for Mountain View, Calif.-based online-services giant Google, which came under intense criticism earlier this year after acknowledging toEducation Weekthat the company had been scanning and data-mining the contents of student email messages, said she could not comment on pending or active legislation.
Google also declined to clarify whether it scans student email messages sent using its wildly popular Apps for Education tool suite in order to build profiles that might be used for commercial purposes other than targeted advertising, as was alleged in recent lawsuit against the company.
California’s new law expressly prohibits vendors from using “information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K-12 student except in furtherance of K-12 school purposes.”
In April, Google announced that it had stopped ad-related scanning of student email messages for advertising purposes.
Meanwhile, privacy advocates, many of whom have contended that federal and state laws and district contracting practices are woefully inadequate in the face of the rapidly changing digital technologies now found in schools, generally expressed support for California’s approach.
Ultimately, it may be that winning some measure of acceptance from both sides of the student-data-privacy debate is the California legislation’s most significant contribution.
“The bottom line is that [SOPIPA] fosters innovation, and protects kids’ privacy, and demonstrates that these goals can be complimentary,” Steinberg, SOPIPA’s sponsor in the California Senate, said in a statement. “The old notion of trading privacy for innovation is a false choice.”
Photo: California State Senate President Pro tempore Darrell Steinberg, D-Sacramento, right, in a 2007 file photo--Rich Pedroncelli/AP-File.
A version of this news article first appeared in the Digital Education blog.