California Law Stops the Sale of Student Information, But Does It Protect Their Privacy?

September 16, 2014

SB 1177, or SOPIPA, is a bill introduced by Senator Steinberg (D-Sacramento) on February 20, 2014, in the 2013-2014 session of the California Legislature. It prohibits website operators from selling K-12 student data profiles or using this information to generate advertisements targeting these minors. The impetus for the bill, as described by Steinberg, is the growing presence of technology in the classroom and the associated threats to student privacy where student personal information has been captured. The bill has been enrolled after it passed in the Assembly (79-0) and the Senate (36-0). It is currently being presented to Governor Jerry Brown as of 2nd September, 2014. The Bill follows another legislative push by Senator Steinberg in the form of another bill (SB-568, or the “Eraser Bill”), which requires website operators to remove information that a minor posted online if requested. SOPIPA marks the one-year anniversary of the governor’s approval of SB-568, which was chaptered in September 2013.
Before its presentation to the Governor, SOPIPA went through a series of six amendments. The Bill has garnered public attention, and a number of public comments and concerns have been raised about its contents. While it remains clear that privacy protections for children who interact with online content are a necessary precaution, there are a number of revisions to SOPIPA that should be made before its enactment, as well as a number of additional projects, above and beyond SOPIPA, needed to fully realize the underlying objective.
First, as one commenter noted, there are some instances in which student information is helpful, if not necessary, to the individual’s personal safety. For example, where a child is missing, his or her online activity is a key detail in retracing the minor’s steps and identifying the child’s current physical location. To this, Steinberg may retort: the Bill does allow for the disclosure of information if federal or state law requires it! However, it is likely that the prohibition of data mining for targeted marketing purposes as it relates to K-12 students will drain the profit-driven incentives to collect this data altogether. Website operators may respond to this by simply taking their data-mining activities elsewhere, and perhaps refrain from collecting and/or storing personal information from K-12 students altogether. One less source of a minor’s whereabouts may make the search for missing minors more difficult.
The bill does, however, include a shelter for website operators who are engaged in research directed towards interactive learning.

If the bill were to expand the scope of the term “legitimate research activity” that fell into this shelter, perhaps website operators would find a new incentive to continue data-mining that would not contravene SOPIPA while indirectly allowing for the police to access student personal information for law enforcement purposes, if and when necessary.

Moreover, the bill is not intended to prevent the collection of personal information from students, just the use of this information for nefarious activities (namely, targeted advertising towards minors). The operating assumption seems to be that minors are especially vulnerable to the aggressive and sometimes invasive marketing tactics of website operators. What seems less reasonable, though, is the protection of the minors’ parents and guardians from the same sort of targeted advertising. The Bill includes in 22584 (i)(1) that the information that is protected includes data provided not only by the student, but also by the student’s parents or legal guardians; this “covered” information is protected from targeted advertising under 22684 (b)(1)(A). If the Bill was drafted with the intention of protecting the personal information of adults in this way, why weren’t teachers or school personnel referenced? Perhaps what Senator Steinberg had in mind when drafting this provision was that the protected information was still the student’s data, but simply inputted into a website by the parent or legal guardian. If this is the case, the Bill should likely be amended to read: “‘Covered information’ means personally identifiable information or materials pertaining directly to the student, in any media or format.”
A more fundamental issue that both SOPIPA and the “Eraser Bill” share is why students are sharing this personal information to begin with. Both bills place the onus on website operators to change their operating procedures to adapt to the new privacy concerns. The decision to integrate technology into the classroom is made on a local level by school districts but on a larger scale by the State Department of Education, and there seems to be little effort from that end to educate students in a way that prevents disclosures of personal information. In fact, software developers have already come up with programs to teach students about protecting their own personal information. In addition to SOPIPA, a legislative push to incorporate data-privacy learning objectives into the curriculum would more effectively and equitably address the underlying interest in protecting student online privacy.