On September 29, 2014, Governor Brown signed Senate Bill 1177 (“SB 1177”), Assembly Bill 1442 (“AB 1442”), and Assembly Bill 1584 (“AB 1584”), all aimed at enhancing protection of student data online. While there is existing federal law that safeguards student data, these three bills include specific requirements for California school districts and website operators to protect student information.
Contract Requirements With Technology Providers
AB 1584 specifies what local educational agencies must include in contracts with third-party digital record and educational software providers. This bill is effective January 1, 2015. Therefore, all contracts entered into or effective on or after January 1, 2015 should include the terms enumerated below:
School districts should be cautious that out-of-state technology providers may not be familiar with these requirements. The penalty for noncompliance with AB 1584 is that contracts will be voided if—following the provision of notice of deficiency—they do not comply after a reasonable amount of time.
Student Information And Social Media
AB 1442 requires local educational agencies that consider a program to gather or maintain in its records any pupil information obtained from social media to first notify pupils and their parents or guardians about the proposed program, and to provide an opportunity for public comment at a regularly scheduled public meeting before the adoption of the program. Any local educational agency that adopts a program pursuant to this provision must:
If a local educational agency contracts with a third party to gather information from social media on a student, AB 1442: (1) prohibits the third party from using the information for purposes other than to satisfy the terms of the contract; (2) prohibits the third party from selling or sharing the information with outside persons or entities; and (3) provides additional restrictions on the destruction of the information by the third party.
Student Online Personal Information Protection Act
SB 1177, the Student Online Personal Information Protection Act (“SOPIPA”), takes effect on January 1, 2016. SOPIPA sets forth privacy laws for operators of websites, online services, and applications that are marketed and used for K-12 school purposes, even if those operators do not contract with educational agencies. While primary responsibility for compliance with SOPIPA lies with website operators, school districts should proceed with reasonable due diligence when evaluating technology providers, especially providers based out-of-state, to ensure that their policies and procedures comply with SOPIPA.
Existing federal law, the Children's Online Privacy Protection Act (“COPPA”), requires the operator of a website or online service that knows it is collecting personal information from a child under the age of 13 to provide notice of what information is being collected and how it is being used, and to give the parents of the child the opportunity to refuse to permit the operator's further collection of information from the child. SOPIPA adds to the K-12 student privacy scheme the following requirements:
Note that these are general descriptions of SOPIPA's requirements, and exceptions may apply. Please consult with your legal counsel about the application of SOPIPA in any particular instance.
If you have any questions regarding the application of these new laws, please call one of our six offices.
F3 NewsFlash prepared by Gretchen M. Shipley, Luke P. Boughen and John W. Norlin.
Gretchen is a Partner in the F3 San Diego office.
Luke is an Associate in the F3 San Diego office.
John is Special Counsel in the F3 San Diego office.
This F3 NewsFlash is a summary only and not legal advice. We recommend that you consult with legal counsel to determine how this legal development may apply to your specific facts and circumstances. Information on a free NewsFlash subscription can be found at www.f3law.com.
Keep up to the minute on the latest updates, NewsFlashes, and legal news by following F3 on Twitter:@F3Law.