Attorney General Kamala D. Harris Releases Comprehensive Recommendations to Protect Student Privacy and Their Data

Wednesday, November 2, 2016
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris today released Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, a report which outlines best practices for the education technology industry (“Ed Tech”) to ensure that student privacy is respected, protected, and prioritized as the education technology industry brings innovation into our schools.  The recommendations cover the collection and use of student information acquired through educational technology companies’ systems.

In developing the report, the Attorney General’s Privacy Enforcement and Protection Unit consulted with Ed Tech providers, educators, privacy advocates, members of the business community, and consumer advocates. Ed Tech includes administrative management systems, such as cloud services that store student data; instructional support, such as testing and assessment; and content, including curriculum and resources such as websites and mobile apps.

“Technology in the classroom can unlock countless new opportunities to educate students for the workforce of tomorrow,” said Attorney General Harris.  “At the same time, we must protect our children’s privacy as they learn. The recommendations outlined in this report will help companies whose products enter the physical or virtual classroom protect students’ personal information and ensure that its use is only for educational purposes.”

Many companies provide online services to aid classroom teaching but they require students to create accounts that capture a wide range of students’ data and personal information. In some instances, companies are mining data from schoolchildren beyond what is necessary for their education. The data on students collected and stored by Ed Tech can be very sensitive, including medical histories, social and emotional assessments, child welfare or juvenile justice system involvement, progress reports, and test results. Ed Tech companies also often collect new types of data, like a student’s location and the type of device being used, that generally fall outside the scope of longstanding federal laws protecting the privacy of students and minors.

In 2014, parents and policymakers in California worked together to enact two student privacy laws in response to growing concerns about privacy risks and the gaps in existing law. One of the new laws (AB 1584, Buchanan) applies to local educational agencies (such as school districts and charter schools). It addresses a lack of appropriate controls over student data in the hands of third parties, particularly cloud storage providers, by requiring specific terms to be included in contracts for services and software that store or collect student data. The other law (SB 1177, Steinberg) is the Student Online Personal Information Privacy Act (SOPIPA), which imposes obligations on the companies that provide Ed Tech services.

To help ensure the efficacy of these laws, this report was developed to chart a high road of best practices aimed at protecting student privacy. The report’s recommendations focus on: 1) minimizing data collection and retention to include only the student information necessary; 2) keeping the use of data strictly educational; 3) contractually requiring service providers who receive student information not to disclose it or sell it; 4) instituting policies that enable parents and legal guardians to fully understand the student data collected and maintained; 5) implementing reasonable security measures to protect data; and 6) ensuring transparency by providing meaningful privacy policies.

Upholding Californians’ right to privacy and data security is a top priority of Attorney General Harris. Earlier this month, Attorney General Harris announced the release of an online form—https://oag.ca.gov/reportprivacy—to help consumers report websites, mobile applications, and other online services that are in violation of the California Online Privacy Protection Act (CalOPPA). A website or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies. This new form is one of several initiatives Attorney General Harris is undertaking to protect Californians’ privacy, especially in light of technological advances and the growth of the “internet of things.” 

In February of this year, Attorney General Harris released a data breach report detailing the nature of reported breaches in the last four years, accompanied by recommendations for business and lawmakers including pointing to standards regarding “reasonable security” for protecting personally identifiable information. The office recently conducted a set of workshops for small businesses in conjunction with security experts from the Center for Internet Security.

Attorney General Kamala Harris developed the Privacy Enforcement and Protection Unit with the mission of protecting the inalienable right to privacy conferred by the California Constitution. The Privacy Unit enforces state and federal privacy laws and develops programs to educate individuals, businesses and organizations on privacy obligations, rights, and best practices.

The publication is available online at https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/ready-for-school-1116.pdf?

# # #