California’s Three Student Data Privacy Bills Called ‘Groundbreaking,’ Possibly Overlapping
California’s governor this week signed into law measures to protect student data and clarify its data breach notification laws (http://bit.ly/1qWoh3E; http://bit.ly/YU26om). Lawyers and advocates told us the education bills -- designed to set guidelines for cloud-stored student data and prevent the use of student data for commercial purposes -- could create confusion, but also address a pressing concern in schools. The data breach notification update requires companies that choose to offer credit monitoring services following a data breach to do so for free. DLA Piper lawyer Jim Halpert, who helped draft the bill, said it was a compromise not meant to end the debate over breach liability.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
California has consistently led the pack in data privacy legislation. It had the nation’s first data breach notification law over a decade ago, and more recently passed a law mandating websites and mobile apps to state in their privacy policy whether do not track requests are honored (CD Jan 2 p4). The California Attorney General’s office later issued compliance guidelines that some lawyers thought were an effort to enforce data privacy standards beyond the law’s requirements (CD May 22 p9).
Student data privacy advocates like Common Sense Media are touting the three freshly signed educational bills (AB-1442, AB-1584, SB-1177) as “landmark” and “groundbreaking.” SB-1177, the Student Online Personal Information Protection Act (SOPIPA), prohibits websites, online services and apps for students K-12 from using student data for commercial purposes. It requires them to implement reasonable security measures to protect student data. California Senate Leader Darrell Steinberg, D-Sacramento, called the bill a “first-in-the-nation law,” in a statement. Sen. Ed Markey, D-Mass., has been pushing a similar bill in the Senate, the Protecting Student Privacy Act.
Common Sense Media also lauded AB-1584, which requires schools to delineate security and privacy provisions when sharing student data with third-party contractors. “The idea is really to foster a trusted online environment, so teachers can embrace technology in the classroom,” said Joni Lupovitz, vice president-policy. Industry groups have clashed with lawmakers like Markey and privacy advocates over the need to require such provisions in contracts.
Halpert worried that the three bills are “contradictory” in places. “There is overlap that is confusing” about who falls under each bill, he said. The third bill, AB-1442, puts restrictions on the information schools can collect and use from student’s social media accounts. Taken as a group, “there are a bunch of kind of messy things about it,” said Halpert. But he said he retained faith that implementation would sort of the wrinkles: “The core of it is workable from a business perspective and does address concerns about use of student information for commercial purposes."
"We look at the two bills as complementary,” Lupovitz said. She said SB-1177 puts “responsibility on the key industry players,” while AB-1584 “looks to the schools and contracts.” She hopes other states follow California’s lead: “It’s a terrific model for other states."
The data breach updates are not expected to draw similar attention, but could spur other states to revisit their own data breach and education data laws, said lawyers. “A potential consequence of this change is credit monitoring also could be offered to residents of other states where they are similarly impacted by the same breach,” said Dorsey & Whitney privacy lawyer Melissa Krasnow. But the bill stops short of mandating that companies provide free credit monitoring after a breach, Halpert said: “That was in this bill early on and was stripped out.” That means the issue over who foots the bill after a breach remains unsettled, he said. “There will be more squabbling over this next year.”