FINAL BILL REPORT

ESB 5419

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

C 277 L 15

Synopsis as Enacted

Brief Description: Enacting the student user privacy in education rights act.

Sponsors: Senators Litzow, McAuliffe, Rivers, Fain, Mullet, Frockt, Hill, Dammeier, Rolfes, Kohl-Welles and Chase.

Senate Committee on Early Learning & K-12 Education

House Committee on Education

Background: The Family Educational Rights and Privacy Act (FERPA) and state laws give parents and students rights with respect to education records. Under FERPA, schools generally must have written consent from the parent, or student when the right has transferred, in order to release any personally identifiable information from a student's education record. However, there are exceptions to this consent requirement.

Currently there are no Washington or federal laws that limit the sharing of personal student information by other entities that provide services to schools and have access to personal student information.

The Education Data Center within the Office of Financial Management conducts analyses of early learning, K–12, higher education programs, and education and workforce issues across the educational system in collaboration with other agencies.

Summary: School Service Providers. School service providers must take specified actions to protect the personal information of students. School service provider means an entity that operates a school service to the extent it is operating in that capacity. School service means a website, mobile application, or online service that meets all three of the following criteria:

Student personal information means information collected through a school service that personally identifies an individual student or other information collected and maintained about an individual student that is linked to information that identifies an individual student. A school service does not include a website, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to a United States K–12 school.

School Service Providers' Policies. School service providers must provide (1) clear and easy to understand information about the types of student personal information they collect and about how they use and share the student personal information, and (2) prominent notice before making material changes to their privacy policies for school services. Where the school service is offered to an educational institution or teacher, this information and prominent notice may be provided to the educational institution or teacher.

School service providers must facilitate access to and correction of student personal information by students or their parent or guardian either directly or through the relevant educational institution or teacher.

These requirements do not apply to the Education Data Center, but they do apply to any of its subcontractors.

Consent for Use of Student Personal Information. School service providers must obtain consent before using student personal information in a manner that is materially inconsistent with the provider's privacy policy or school contract for the applicable school service in effect at the time of collection.

Existing law regarding consent, including consent from minors and employees on behalf of educational institutions, is not changed.

Collecting, Using, and Sharing Student Personal Information. School service providers may collect, use, and share student personal information only for purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.

School service providers may not:

The prohibition against selling student personal information does not apply to the purchase, merger, or other type of acquisition of a school service provider, or any assets of a school service provider by another entity, as long as the successor entity continues to be subject to the foregoing provisions with respect to previously acquired student personal information to the extent that the school service provider was regulated with regard to its acquisition of student personal information.

Targeted advertising means sending advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or student personal information. It does not include the following:

The foregoing provisions do not apply to the use or disclosure of personal information by a school service provider to:

  1. protect the security or integrity of its website, mobile application, or online service;

  2. ensure legal or regulatory compliance or to take precautions against liability;

  3. respond to or participate in judicial process;

  4. protect the safety of users or others on the website, mobile application, or online service;

  5. investigate a matter related to public safety; or

  6. a subcontractor, if the school service provider:

    1. contractually prohibits the subcontractor from using any student personal information for any purpose other than providing the contracted service to, or on behalf of, the school service provider;

    2. prohibits the subcontractor from disclosing any student personal information provided by the school service provider to subsequent third parties unless the disclosure is expressly permitted; and

    3. requires the subcontractor to comply with the requirements.

School service providers must delete student personal information within a reasonable period of time if the relevant educational institution requests deletion of the data under the control of the educational institution unless:

Information Security Program. School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. The information security program should make use of appropriate administrative, technological, and physical safeguards.

Adaptive Learning and Customized Education. Nothing is intended to prohibit the use of student personal information for purposes of:

Construction of the Act. The act must not be construed to:

Future Contracts. The limitations and requirements only apply to contracts entered or renewed after the effective date of the act and are not retroactive. This act takes effect July 1, 2016.

Votes on Final Passage:

Senate 49 0

House 96 2

Effective: July 1, 2016