California passes “landmark bill” to protect students’ personal data

Classroom. Image courtesy of Shutterstock

Classroom. Image courtesy of ShutterstockCalifornia’s state legislature last month unanimously passed the nation’s toughest bill yet to protect the personal data of kindergarten through 12th grade (K-12) students.

California Governor Brown hasn’t taken a public stance on this and a related bill that addresses contracts with tech vendors. But if he doesn’t sign, they automatically become law at the end of the month.

The senate bill would stop online services from selling or disclosing data they’re now chowing down like kids in a candy store.

There’s a lot at stake: think student records that cover attendance, grades, discipline, health, academics, intimate details about family members, parent and student contact information, biometrics, and sometimes even a child’s geolocation.

In some high school cafeterias in Georgia, for example, students can pay for lunch by scanning their palms at the checkout line.

That’s just the tip of the iceberg when it comes to student data being amassed as school systems sign contracts with educational technology vendors that often fail to prohibit the sale of that personal information or that lack specifications about encryption or storage.

For its part, Google found itself embroiled in a lawsuit over data-mining students’ email after it admitted to Education Week that it automatically “scans and indexes” the email of its Apps for Education users.

Another education technology cloud app vendor, InBloom, in April was forced to shutter its doors after parents forced their home states to back out of contracts.

Ever since inBloom’s rollout, privacy and security experts and parents had been aghast at schools using the technology to suck up everything from students’ tax ID numbers to intimate family details – and then sharing the private information with software companies.

The bill, SB 1177, which would go into effect on 1 January 2016, prohibits educational sites, apps and cloud services used by schools from selling or disclosing personal information about K-12 students, from using the data to market to children, and from compiling dossiers on them.

Schools have been rushing to embrace all things e-education, from online portals that allow students to see course assignments and send messages to teachers, to reading apps that can record and assess a child’s every click and which promise to improve academic achievements by adapting to each child’s abilities and pace.

According to the Software and Information Industry Association, sales for such software last year reached an estimated $7.9 billion.

As the New York Times reports, the National Conference of State Legislatures has tracked legislature introduced in 36 US states in the past year, all focused on getting a better grip on this rampant data collection.

Some 30 bills were passed, all focused on a disparate list of data collection, storage and other details.

But the laws have been all over the map, addressing everything from the collection of data (including a measure that bans collection of student pregnancy histories), protecting students from having to hand over to schools their personal social media accounts or email addresses, the sale of personal data by third parties, transparency and accountability, and plans for data breach prevention and notification.

California’s is a “landmark bill” because it’s the first to require the technology vendors themselves to shape up, said the author of the bill, Senator Darrell Steinberg.

The NYT quotes him:

It’s a landmark bill in that it’s the first of its kind in the country to put the onus on internet companies to do the right thing.

Senator Steinberg last year also sponsored an “eraser button” law that gives minors in California the right to delete their digital footprints – a legislative move that’s been mirrored in other states and beyond, as two senators this summer introduced a national version of the student data privacy bill.

The legislative moves are positive steps for students, who have been facing futures in which their college applications and even their career advancement may have been tainted by data collected from practically their first wobbly steps.

So what about the rest of us? Will the overhaul of privacy law pertaining to students have any overlap that would benefit those over the age of 18?

Senator Steinberg told the NYT that he thinks the California bill does potentially have implications beyond education, in that it could push forward the principle of data rights for all.

That would mean a fundamental data rights principle that requires each of us who agrees to data collection to then have the right to decide whether the data can be used for unrelated purposes, he said:

The bill sets a standard that is applicable to the larger privacy debate. Personal information should only be used for other purposes with the permission of the individual.