Washington State House of Representatives Office of Program Research | BILL ANALYSIS |
Education Committee |
HB 1495
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent. |
Brief Description: Enacting the student user privacy in education rights act.
Sponsors: Representatives Reykdal, Magendanz, Springer, S. Hunt, Pollet and Stanford.
Brief Summary of Bill |
|
Hearing Date: 2/5/15
Staff: Megan Wargacki (786-7194).
Background:
School Services.
Elementary and secondary teachers are increasingly using websites, mobile applications, and online services provided by a third-party to a school or district. These school services allow a teacher to customize and personalize students' learning experiences; encourage collaboration between students in the classroom and across the globe; and enable students to learn in the classroom, at home, and on the go. Although these technologies have demonstrated their potential to transform the educational process, their use has generated concerns about how best to protect student privacy and secure student information.
Student Personal Information.
The federal Family Educational Rights and Privacy Act (FERPA) and state laws protect the personally identifiable information in students' education records from unauthorized disclosure. In general, schools must have written consent from the parent, or student when the right has transferred, to release any personally identifiable information from a student's education record. Education records are defined as those records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution, such as a school service provider.
Currently there are no Washington or federal laws that limit the collection, use, sharing, or sale of a student's personal information by third-parties that are not acting for the educational agency or institution, but that provide services to schools and have access to student information.
Summary of Bill:
Privacy Policies.
School service providers (providers) must provide clear and easy to understand information about the types of student personal information (PI) they collect and about how they use and share this information. Prominent notice must be provided before material changes are made to school service privacy policies. Providers must make it easy for students or families to access and correct student PI.
Collection, Use and Sharing.
Providers may collect, use, and share student PI only for authorized purposes or with the student or student's families consent. Providers are prohibited from selling student PI, using or sharing student PI for purposes of behaviorally targeting advertisements to students, creating a personal profile of a student other than for supporting authorized purposes or with the consent. The use of student PI for adaptive learning or customized education purposes is not prohibited.
Consent.
Consent must be obtained before using student PI in a manner inconsistent with the provider's privacy policy. Where the student PI was collected directly from students, the provider must obtain consent from the student or the student's family. In all other cases, consent may be obtained from the educational institution or teacher. These act adopts and does not modify existing law regarding consent, including consent from minors and employees on behalf of educational institutions.
Security.
Providers must maintain a comprehensive information security program (program) that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student PI. The program should use of appropriate administrative, technological, and physical safeguards.
Providers may not knowingly retain student personal information beyond the time period authorized by the relevant educational institution or teacher unless the provider has obtained consent from the student or the student's family. Providers must obligate third parties working on the providers' behalf and successors to these same privacy and security standards.
Future Contracts.
If a Provider entered into a signed, written contract with an educational institution or teacher before the effective date of this act, the provider is not liable for these requirements.
Definitions.
The following terms are defined:
"School service" means a website, mobile application, or online service that (a) is designed and marketed for use in elementary or secondary educational institutions; (b) is used at the direction of teachers or other employees; and (c) collects, maintains, or uses student personal information. A "school service" does not include a web site, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to elementary or secondary educational institutions.
"School service provider" means an entity that operates a school service.
"Students" refer to students of United States elementary and secondary schools.
"Student personal information" means information collected through a school service that identifies an individual student or that is linked to information that identifies an individual student.
Appropriation: None.
Fiscal Note: Not requested.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.