Governor Signs Three Bills Protecting Student Data Online

September 2014

On September 29, 2014, Governor Brown signed Senate Bill 1177 (“SB 1177”), Assembly Bill 1442 (“AB 1442”), and Assembly Bill 1584 (“AB 1584”), all aimed at enhancing protection of student data online.  While there is existing federal law that safeguards student data, these three bills include specific requirements for California school districts and website operators to protect student information.

 

Contract Requirements With Technology Providers

AB 1584 specifies what local educational agencies must include in contracts with third-party digital record and educational software providers.  This bill is effective January 1, 2015.  Therefore, all contracts entered into or effective on or after January 1, 2015 should include the terms enumerated below:

 

  1. Establish that the local educational agency owns and controls student records.
  2. Describe how students can keep control of content created for school, along with a way to transfer content to a personal account later.
  3. Prohibit third parties from using student information for purposes outside of those named in the contract.
  4. Describe how parents, legal guardians, or students can review and correct personally identifiable information contained in their records.
  5. Outline actions that third parties will take to make sure that student data is secure and confidential.
  6. Describe procedures for notifying affected parents, legal guardians, or eligible students when there is an unauthorized disclosure of student records.
  7. Certify that student records will not be retained or available to the third party once the contract is over and how that will be enforced.
  8. Describe how local educational agencies and third parties will comply with FERPA.
  9. Prohibit third parties from using personally identifiable information from student records to target advertising to students.

 

School districts should be cautious that out-of-state technology providers may not be familiar with these requirements.  The penalty for noncompliance with AB 1584 is that contracts will be voided if—following the provision of notice of deficiency—they do not comply after a reasonable amount of time.

 

Student Information And Social Media

AB 1442 requires local educational agencies that consider a program to gather or maintain in its records any pupil information obtained from social media to first notify pupils and their parents or guardians about the proposed program, and to provide an opportunity for public comment at a regularly scheduled public meeting before the adoption of the program.  Any local educational agency that adopts a program pursuant to this provision must:

 

  • Gather and maintain only information that pertains directly to school safety or to student safety;
  • Provide a student with access to any information about the student obtained from social media; and
  • Destroy the information gathered from social media and maintained in its records after a certain period.

 

If a local educational agency contracts with a third party to gather information from social media on a student, AB 1442: (1) prohibits the third party from using the information for purposes other than to satisfy the terms of the contract; (2) prohibits the third party from selling or sharing the information with outside persons or entities; and (3) provides additional restrictions on the destruction of the information by the third party.

 

Student Online Personal Information Protection Act

SB 1177, the Student Online Personal Information Protection Act (“SOPIPA”), takes effect on January 1, 2016.  SOPIPA sets forth privacy laws for operators of websites, online services, and applications that are marketed and used for K-12 school purposes, even if those operators do not contract with educational agencies.  While primary responsibility for compliance with SOPIPA lies with website operators, school districts should proceed with reasonable due diligence when evaluating technology providers, especially providers based out-of-state, to ensure that their policies and procedures comply with SOPIPA.

 

Existing federal law, the Children's Online Privacy Protection Act (“COPPA”), requires the operator of a website or online service that knows it is collecting personal information from a child under the age of 13 to provide notice of what information is being collected and how it is being used, and to give the parents of the child the opportunity to refuse to permit the operator's further collection of information from the child.  SOPIPA adds to the K-12 student privacy scheme the following requirements:

 

  1. Operators cannot target advertising on their website or any other website using information acquired from students.
  2. Operators cannot create a profile for a student, except for school purposes.
  3. Operators cannot sell a student's information.
  4. Operators cannot disclose student information, unless for legal, regulatory, judicial, safety, or operational improvement reasons.
  5. Operators must protect student information through reasonable security procedures and practices.
  6. Operators must delete school- or district-controlled student information when requested by schools or districts.
  7. Operators must disclose student information: when required by law; for legitimate research purposes; and for school purposes to educational agencies.

 

Note that these are general descriptions of SOPIPA's requirements, and exceptions may apply.  Please consult with your legal counsel about the application of SOPIPA in any particular instance. 

 

If you have any questions regarding the application of these new laws, please call one of our six offices.


F3 NewsFlash prepared by Gretchen M. Shipley, Luke P. Boughen and John W. Norlin.

Gretchen is a Partner in the F3 San Diego office.

Luke is an Associate in the F3 San Diego office.

John is Special Counsel in the F3 San Diego office.


This F3 NewsFlash is a summary only and not legal advice.  We recommend that you consult with legal counsel to determine how this legal development may apply to your specific facts and circumstances.  Information on a free NewsFlash subscription can be found at www.f3law.com.


Keep up to the minute on the latest updates, NewsFlashes, and legal news by following F3 on Twitter:@F3Law.


Back to Top