HOUSE BILL REPORT

ESHB 1495

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Passed House:

March 3, 2015

Title: An act relating to the student user privacy in education rights act.

Brief Description: Enacting the student user privacy in education rights act.

Sponsors: House Committee on Education (originally sponsored by Representatives Reykdal, Magendanz, Springer, S. Hunt, Pollet and Stanford).

Brief History:

Committee Activity:

Education: 2/5/15, 2/19/15 [DPS].

Floor Activity:

Passed House: 3/3/15, 90-7.

Brief Summary of Engrossed Substitute Bill

  • Requires school service providers to follow certain requirements related to:

    • privacy policies;

    • collection, use, and sharing of student personal information;

    • obtaining consent; and

    • security, privacy, confidentiality, and integrity of student personal information.

HOUSE COMMITTEE ON EDUCATION

Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 21 members: Representatives Santos, Chair; Ortiz-Self, Vice Chair; Reykdal, Vice Chair; Magendanz, Ranking Minority Member; Muri, Assistant Ranking Minority Member; Stambaugh, Assistant Ranking Minority Member; Bergquist, Caldier, Fagan, Gregory, Griffey, Hargrove, Hayes, S. Hunt, Kilduff, Klippert, Lytton, McCaslin, Orwall, Pollet and Springer.

Staff: Megan Wargacki (786-7194).

Background:

School Services.

Elementary and secondary teachers are increasingly using websites, mobile applications, and online services provided by a third-party to a school or district. These school services allow a teacher to customize and personalize students' learning experiences; encourage collaboration between students in the classroom and across the globe; and enable students to learn in the classroom, at home, and on the go. Although these technologies have demonstrated their potential to transform the educational process, their use has generated concerns about how best to protect student privacy and secure student information.

Student Personal Information.

The federal Family Educational Rights and Privacy Act and state laws protect the personally identifiable information in students' education records from unauthorized disclosure. In general, schools must have written consent from the parent, or student when the right has transferred, to release any personally identifiable information from a student's education record. Education records are defined as those records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution, such as a school service provider.

Currently there are no Washington or federal laws that limit the collection, use, sharing, or sale of a student's personal information by third parties that are not acting for the educational agency or institution, but that provide services to schools and have access to student information. However, at least one state, California, has passed legislation that does this.

Summary of Engrossed Substitute Bill:

Privacy Policies, Notice, and Transparency.

School service providers (providers) must provide clear and easy to understand information about the types of student personal information (PI) they collect and about how they use and share this information. Prominent notice must be provided before material changes are made to school service privacy policies. Providers must make it easy for students or families to access and correct student PI. These provisions do not apply to the Education Data and Research Center, but do apply to its subcontractors.

Collection, Use, and Sharing.

Providers may collect, use, and share student PI only for authorized purposes or with the consent of the student or student's family. Providers may not sell student PI, except as part of a purchase, merger, or other type of acquisition, as long as the successor follows the collection, use and sharing provisions. Providers may not use or share student PI for purposes of targeted advertisements to students. Providers may not create a personal profile of a student other than for supporting authorized purposes, or with consent. Providers must obtain consent before using student PI in a manner material inconsistent with the provider's privacy policy or school contract.

Except for the prohibition against using student PI for targeted advertising to students, these sections do not apply to the use or disclosure of student PI by a provider to:

Security.

Providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student PI. The program should use appropriate administrative, technological, and physical safeguards. Providers must delete student PI within a reasonable period of time if the relevant educational institution requests deletion of the data under the control of the institution unless:

Adaptive Learning and Customized Education.

The act is not intended to prohibit the use of student PI for:

Consent.

This act adopts and does not modify existing law regarding consent, including consent from minors and employees on behalf of educational institutions.

Construction of Act.

The act must not be construed to:

Future Contracts.

If a provider entered into a signed, written contract with an educational institution or teacher before the effective date of this act, the provider is not liable for these requirements.

Definitions.

The following terms are defined:

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect July 1, 2016.

Staff Summary of Public Testimony:

(In support) State laws are inadequate when it comes to third-party vendors.  Vendors should not have 295 radically different contracts related to student privacy. Rather, there should be specific state requirements and more consistency across all districts.  This bill will address all types of information that is used or shared with third parties. Microsoft supports this bill because it is a good balance between regulation and innovation.  It prohibits wrong uses of student data, such as targeted advertising, but allows good uses, such as targeting programs to the unique needs to students.  Schools and districts are currently transferring data outside the district without ensuring adequate privacy and security protections.  Currently laws have not kept pace with technology and could allow people to use student data for reasons other than educational reasons.  The principles in this bill enjoy widespread support. The Parent Teacher Association supports the bill. 

(In support with concerns) Vendors who work with the Office of the Superintendent of Public Instruction support the bill.  These vendors need to have access to student information and, though they support the bill, are trying to figure out the bill requirements that will work in all circumstances.

(Opposed) None.

Persons Testifying: (In support) Representative Reykdal, prime sponsor; Ryan Hawkins, Microsoft; and Tim Ferrell, Washington State Parent Teacher Association.

(In support with concerns) Carolyn Logue, K12 On Behalf Of DCI Group LLC.

Persons Signed In To Testify But Not Testifying: None.