California Gov. Jerry Brown signed into law last week a sweeping bill aimed at restricting the use of students鈥 educational data by third-party vendors. The measure is one of the most aggressive legislative attempts to date to balance the promise of digital learning technologies with concerns about the privacy and security of children鈥檚 sensitive information.
The new law in California caps a wave of efforts this year by state lawmakers nationwide to better protect students鈥 sensitive educational information.
The new privacy measures, enacted in 21 states during recent legislative sessions, in some cases build on previous efforts. The new laws generally fall into one of three categories: prohibiting the collection of certain types of student data; attempting to improve state and district data-governance policies; or, in California鈥檚 case, establishing comprehensive guidelines for how third-party vendors should handle student information.
Amid the flurry of activity, the impact on educational technology vendors remains uncertain. Industry representatives have mostly expressed public support for the laws that were enacted and shared only mild concerns about possible downsides.
鈥淎 lot of the laws that were passed were not specifically aimed at the role of third-party service providers,鈥 said Mark Schneiderman, the senior policy director for the Washington-based Software & Information Industry Association, or SIIA. 鈥淲e hope there are not too many with unintended consequences that may inhibit legitimate educational purposes.鈥
Protecting student data has become an increasingly contentious issue over the past year, with parents and activists expressing growing concern about the nature and volume of digital data that schools now share with vendors that host student information in the cloud, track students鈥 educational progress, and manage administrative record-keeping.
Such worries helped prompt Florida state Sen. Dorothy L. Hukill to sponsor a bill鈥攗ltimately signed into law in May by Gov. Rick Scott, a fellow Republican鈥攖hat prohibits the collection of students鈥 biometric data, which can include such distinguishing characteristics as fingerprints and iris patterns.
In an interview, Ms. Hukill said that the uses of such data that she found to be either in practice or under consideration by Florida schools鈥攊ncluding electronic scanning of students鈥 eyes or fingerprints when they get on or off a school bus, check out a book from the library, or get in line for lunch鈥攔epresented a 鈥渓udicrous鈥 and unnecessary invasion of privacy.
鈥淭here鈥檚 no need to scan a child to give them a grilled-cheese sandwich,鈥 Ms. Hukill said. 鈥淵ou don鈥檛 use the most intrusive method. You use the easiest method.鈥
But Mr. Schneiderman pointed to the law as one example of potential 鈥渦nintended consequences.鈥
The statute, he said, is imprecise and could be interpreted to limit the use of valuable biometric technologies, such as software programs for foreign-language and special-needs instruction that rely on recording students鈥 voices.
鈥淭here鈥檚 a big learning curve for policymakers on this issue,鈥 Mr. Schneiderman said. 鈥淲e鈥檙e hopeful that, over time, policymakers will re-examine that [provision] and understand that there are legitimate, appropriate, safe uses of biometric data, just like any other data.鈥
During their most recent legislative sessions, more than a dozen states passed laws restricting the collection of some type of sensitive student information, including biometric data, parents鈥 and students鈥 political affiliation, and information on gun ownership.
Burden of Responsibility
Industry representatives expressed less concern about the type of legislation enacted in states such as Idaho, which framed its measure around better governance of data by public agencies.
The Student Data, Accessibility, Transparency, and Accountability Act鈥攕igned into law in Idaho by Republican Gov. C.L. 鈥淏utch鈥 Otter in March鈥攆ocuses on vesting authority over student-data use with the state board of education and providing districts with guidelines for protecting data and penalties for failing to do so. But the law does not feature any strict mandates or prohibitions.
The bill鈥檚 sponsor, state Sen. John Goedde, a Republican, said in an interview that it makes sense to put the burden of responsibility for safeguarding student information on the public sector because the private-sector companies working with schools are generally working directly for states or school districts.
A handful of states enacted similar laws, some of which were modeled in whole or in part on a statute in Oklahoma that gained support from the American Legislative Exchange Council, a legislative-advocacy group based in Washington.
In California, meanwhile, the Student Online Personal Information Protection Act, or SOPIPA, focuses explicitly on ed-tech vendors.
The law prohibits operators of online educational services from selling student data and using such information to target advertising to students or to 鈥渁mass a profile鈥 on any particular student for a non-educational purpose. The law also requires online service providers to maintain adequate security procedures and to delete student information at the request of a school or district.
鈥淚 think this is a blunt call to industry to say that school data is for educational purposes, period,鈥 said James P. Steyer, the CEO and founder of Common Sense Media, a San Francisco-based nonprofit that helped craft the law.
Although Mr. Steyer said that many of the 鈥渕ajor players鈥 in the ed-tech industry had attempted to 鈥渨ater down鈥 the bill during the legislative process, Mr. Schneiderman of the SIIA said that the California measure 鈥渟eems to generally strike the right balance鈥 between recognizing the promise of digital learning technologies and seeking to protect student information.
Impact on Vendors
One way in which the new California law could have a direct impact on industry is by prohibiting vendors from using 鈥渋nformation, including persistent unique identifiers, created or gathered by the operator鈥檚 site, service, or application, to amass a profile about a K鈥12 student except in furtherance of K鈥12 school purposes.鈥
Such practices came under scrutiny after Google, the Mountain View, Calif.-based online-services giant, was accused of building such profiles in a federal lawsuit that made its way through the courts this year.
The company acknowledged to 澳门跑狗论坛 that it had been scanning and data-mining student email messages sent using its wildly popular Apps for Education tool suite for purposes including targeted advertising.
Google later ceased that practice, but company representatives have for months declined to clarify whether Google continues to scan student emails and build profiles of children for commercial purposes other than advertising.
Even in California, the final legislation includes some key accommodations to industry concerns, such as specifying that operators be allowed to maintain and use 鈥渄e-identified,鈥 or anonymous, student information to develop and improve their own educational products and services.
In general, many in the ed-tech sector seem supportive of the new legislation and hopeful that it will not significantly curtail their activities.
鈥淭hese are the standards and commitments that we already live up to, and that we think every company working with school districts should live up to,鈥 said Justin Hamilton, a spokesman for Amplify, a New York City-based developer of digital products and services. (Larry Berger, the president of the Amplify Learning division, is a member of the board of trustees of 澳门跑狗论坛, the nonprofit publisher of 澳门跑狗论坛.)
Privacy advocates have also generally supported the California law.
For the bill鈥檚 sponsor, California Senate President Pro Tempore Darrell S. Steinberg, a Democrat, acceptance on both sides of the often-fraught student-data-privacy debate offers reason to believe the law can become a model for the rest of the country.
鈥淭he bottom line is that it fosters innovation and protects kids鈥 privacy and demonstrates that these goals can be complementary,鈥 Mr. Steinberg said in an email. 鈥淭he old notion of trading privacy for innovation is a false choice.鈥