SENATE BILL REPORT
SB 5419
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent. |
As Reported by Senate Committee On:
Early Learning & K-12 Education, February 17, 2015
Title: An act relating to the student user privacy in education rights act.
Brief Description: Enacting the student user privacy in education rights act.
Sponsors: Senators Litzow, McAuliffe, Rivers, Fain, Mullet, Frockt, Hill, Dammeier, Rolfes, Kohl-Welles and Chase.
Brief History:
Committee Activity: Early Learning & K-12 Education: 2/02/15, 2/17/15 [DP, w/oRec].
SENATE COMMITTEE ON EARLY LEARNING & K-12 EDUCATION |
Majority Report: Do pass.
Signed by Senators Litzow, Chair; Dammeier, Vice Chair; Fain, Hill, Mullet and Rivers.
Minority Report: That it be referred without recommendation.
Signed by Senators McAuliffe, Ranking Member; Billig and Rolfes.
Staff: Ailey Kato (786-7434)
Background: The Family Educational Rights and Privacy Act (FERPA) and state laws give parents and students rights with respect to education records. Under FERPA, schools generally must have written consent from the parent, or student when the right has transferred, in order to release any personally identifiable information from a student's education record. However, there are exceptions to this consent requirement.
Currently there are no Washington or federal laws that limit the sharing of personal student information by other entities that provide services to schools and have access to personal student information.
Summary of Bill: School Service Providers. School service providers must take specified actions to protect the personal information of students. School service provider means an entity that operates a school service. School service means a website, mobile application, or online service that meets all three of the following criteria:
is designed and marketed for use in United States elementary or secondary educational institutions;
is used at the direction of teachers or other employees of an elementary or secondary educational institution; and
collects, maintains, or uses student personal information.
Student personal information means information collected through a school service that identifies an individual student or that is linked to information that identifies an individual student. A school service does not include a website, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to United States elementary or secondary educational institutions.
School Service Providers' Policies. School service providers must provide (1) clear and easy to understand information about the types of student personal information they collect and about how they use and share the student personal information, and (2) prominent notice before making material changes to their privacy policies for school services. Where the school service is offered to an educational institution or teacher, this information and prominent notice may be provided to the educational institution or teacher.
School service providers must facilitate access to and correction of student personal information by students or their parent or guardian either directly or through the relevant educational institution or teacher.
Consent for Use of Student Personal Information. School service providers must obtain consent before using student personal information in a manner that is inconsistent with the provider's privacy policy for the applicable school service in effect at the time of collection. Where the student personal information was collected directly from students, the school service provider must obtain consent from the student or the student's parent or guardian. In all other cases, consent may be obtained from the educational institution or teacher.
Existing law regarding consent, including consent from minors and employees on behalf of educational institutions, is not changed.
Collecting, Using, and Sharing Student Personal Information. School service providers may collect, use, and share student personal information only for purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
School service providers may not:
sell student personal information;
use or share any student personal information for purposes of behaviorally targeting advertisements to students; or
use student personal information to create a personal profile of a student other than for supporting purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
School service providers may not knowingly retain student personal information beyond the time period authorized by the relevant educational institution or teacher unless the school service provider has obtained student consent or the consent of the student's parent or guardian.
The use of student personal information for purposes of adaptive learning or customized education is allowed.
Third Parties and Successor Entities. School service providers must obligate any third parties involved on the providers' behalf in the supply of school services to adhere to and implement certain imposed obligations.
Before permitting a successor entity to access student personal information, a school service provider must ensure that the successor entity abides by all privacy and security commitments related to previously collected student personal information.
Information Security Program. School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. The information security program should make use of appropriate administrative, technological, and physical safeguards.
Future Contracts. The limitations and requirements only apply to contracts entered or renewed after the effective date of the act and are not retroactive.
Appropriation: None.
Fiscal Note: Available.
Committee/Commission/Task Force Created: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony: PRO: Large amounts of data are collected from students. This bill helps make sure that this data is used appropriately and protects students' privacy. This bill strikes the right balance between regulation and innovation. It would eliminate bad data practices in the growing educational technology industry and limit what providers can do with data. But the bill also enables providers to develop innovative services that can improve education and meet students' unique needs. Student data should be used to help kids learn; it should not be used for unrelated commercial purposes. Data is being stored remotely, which transfers data to third parties. Sometimes this transfer is not done securely. Students are using many different forms of technology in schools. Existing law has not kept up with technology. It is not clear whether this bill would apply to contracted school service providers. Contracted school service providers and schools should make decisions about privacy policies together.
Persons Testifying: PRO: Senator Litzow, prime sponsor; Rowland Thompson, Allied Daily Newspapers of WA; Ryan Harkins, Microsoft Corp; Tim Farrell, WA State Parent Teacher Assn.