HOUSE BILL REPORT
ESB 5419
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Passed House:
April 15, 2015
Title: An act relating to the student user privacy in education rights act.
Brief Description: Enacting the student user privacy in education rights act.
Sponsors: Senators Litzow, McAuliffe, Rivers, Fain, Mullet, Frockt, Hill, Dammeier, Rolfes, Kohl-Welles and Chase.
Brief History:
Committee Activity:
Education: 3/23/15, 3/26/15 [DP].
Floor Activity:
Passed House: 4/15/15, 96-2.
Brief Summary of Engrossed Bill
Requires school service providers to follow certain requirements related to:
HOUSE COMMITTEE ON EDUCATION
Majority Report: Do pass. Signed by 20 members: Representatives Santos, Chair; Ortiz-Self, Vice Chair; Reykdal, Vice Chair; Magendanz, Ranking Minority Member; Muri, Assistant Ranking Minority Member; Stambaugh, Assistant Ranking Minority Member; Bergquist, Caldier, Fagan, Gregory, Griffey, Hargrove, Hayes, S. Hunt, Kilduff, Klippert, McCaslin, Orwall, Pollet and Springer.
Staff: Megan Wargacki (786-7194).
Background:
School Services.
Elementary and secondary teachers are increasingly using websites, mobile applications, and online services provided by a third party to a school or district. These school services allow teachers to: customize and personalize students' learning experiences; encourage collaboration between students in the classroom and across the globe; and enable students to learn in the classroom, at home, and on the go. Although these technologies have demonstrated their potential to transform the educational process, their use has generated concerns about how best to protect student privacy and secure student information.
Student Personal Information.
The federal Family Educational Rights and Privacy Act and state laws protect the personally identifiable information in students' education records from unauthorized disclosure. In general, schools must have written consent from the parent, or student when the right has transferred, to release any personally identifiable information from a student's education record. Education records are defined as those records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution, such as a school service provider.
Currently, there are no Washington or federal laws that limit the collection, use, sharing, or sale of a student's personal information (PI) by third parties that are not acting for the educational agency or institution, but that provide services to schools and have access to student information. However, at least one state, California, has passed legislation that does this.
Summary of Bill:
Privacy Policies, Notice, and Transparency.
School service providers (providers) must provide clear and easy to understand information about the types of student PI they collect and about how they use and share this information. Prominent notice must be provided before material changes are made to school service privacy policies. Providers must make it easy for students or families to access and correct student PI. Where the school service is offered to an educational institution or teacher, policies and notice must be provided to the educational agency or teacher. These provisions do not apply to the Education Research and Data Center, but do apply to its subcontractors.
Collection, Use, and Sharing.
Providers may collect, use, and share student PI only for authorized purposes or with the consent of the student or student's family. Providers may not sell student PI, except as part of a purchase, merger, or other type of acquisition, as long as the successor follows the collection, use, and sharing provisions. Providers may not use or share student PI for purposes of targeted advertisements to students. Providers may not create a personal profile of a student other than for supporting authorized purposes, or with consent. Providers must obtain consent before using student PI in a manner materially inconsistent with the provider's privacy policy or school contract.
Except for the prohibition against using student PI for targeted advertising to students, these sections do not apply to the use or disclosure of student PI by a provider to:
protect the security or integrity of its website, mobile application, or online service;
ensure legal or regulatory compliance or to take precautions against liability;
respond to or participate in judicial process;
protect the safety of users or others on the website, mobile application, or online service;
investigate a matter related to public safety; or
a subcontractor, if the school service provider: (1) contractually prohibits the subcontractor from using any student PI for any purpose other than providing the contracted service; (2) prohibits the subcontractor from disclosing any student PI provided by the provider to subsequent third parties unless the disclosure is expressly permitted by certain sections of this act; and (3) requires the subcontractor to comply with the requirements of this act.
Security.
Providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student PI. The program should use appropriate administrative, technological, and physical safeguards. Providers must delete student PI within a reasonable period of time if the relevant educational institution requests deletion of the data under the control of the institution unless:
the provider obtained the consent of the student or the student's family; or
the student transferred to another educational institution and that institution requested that the provider retain the information.
Adaptive Learning and Customized Education.
The act is not intended to prohibit the use of student PI for:
adaptive learning or personalized or customized education;
maintaining, developing, supporting, improving, or diagnosing the provider's website, mobile application, online service, or application;
providing recommendations for school, educational, or employment purposes within a school service without the response being determined by payment or other consideration from a third party; or
responding to a student's request for information or for feedback without the information or response being determined by payment or other consideration from a third party.
Consent.
This act adopts and does not modify existing law regarding consent, including consent from minors and employees on behalf of educational institutions.
Construction of Act.
The act must not be construed to:
impose a duty upon a provider of an interactive computer service to review or enforce compliance by third-party content providers;
apply to general audience Internet websites, general audience mobile applications, or general audience online services even if login credentials created for a student service provider's website, mobile application, or online service may be used to access those services;
impede the ability of students to download, export, or otherwise save or maintain their own student data or documents;
limit Internet service providers from providing Internet connectivity to schools or students and their families;
prohibit a provider from marketing educational products directly to parents if the marketing did not result from use of student PI obtained by the provider through the provision of its website, mobile application, or online service; or
impose a duty on a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this chapter on those applications or software.
Future Contracts.
If a provider entered into a signed, written contract with an educational institution or teacher before the effective date of this act, the provider is not liable for these requirements until the next renewal date of the contract.
Definitions.
The following terms are defined:
"School service" means a website, mobile application, or online service that: (a) is designed and marketed primarily for use in a K-12 school; (b) is used at the direction of teachers or other employees of a K-12 school; and (c) collects, maintains, or uses student PI. A "school service" does not include a website, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to a United States K-12 school.
"School service provider" means an entity that operates a school service to the extent it is operating in that capacity.
"Student personal information," or "student PI" means information collected through a school service that personally identifies an individual student or other information collected and maintained about an individual student that is linked to information that identifies an individual student.
"Students" means students of K-12 schools in Washington.
"Targeted advertising" means sending advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or student PI. It does not include: (a) advertising to a student at an online location based upon that student's current visit to that location without the collection and retention of a student's online activities over time; or (b) adaptive learning, personalized learning, or customized education.
Appropriation: None.
Fiscal Note: Available.
Effective Date: The bill takes effect July 1, 2016.
Staff Summary of Public Testimony:
(In support) Some technology companies support this bill because it would strengthen trust in technology in schools, and drive commercial practices out of the classroom. The bill also encourages innovation by allowing companies to use education data to improve their services and personalize education for students. Concerns about privacy and use of student information have come up because in recent years, schools have been increasingly using online services and technology. Schools use these technologies for the same reason that other companies do; they improve efficiencies and can improve education to help students learn. But, many stakeholders are concerned that schools are transferring student data to the hands of technology companies without adequate safeguards around how the data will be used, who will have access to it, etc. Legislation around the country has been brought forth on this topic. A number of states passed laws to restrict access of companies from using student data for certain things, like targeted advertising. This includes states from across the political spectrum. Washington should implement similar safeguards.
(In support with amendment(s)) A few amendments would make the bill even stronger. It would be good to include all products that are knowingly provided and intended for K-12 education or schools. Currently, there are many companies that are not regulated by this bill, but their products are used in schools. Student personal information should include information that relates to a particular student even if that student is not directly identified on the face of the data. This is because powerful databases can be used to link data to individuals even when the usual types of identifying data have been removed. The scope of regulated activities should be expanded beyond behavioral advertising to encompass other forms of advertising to students, while still allowing a service provider to refer their own products. The needs of technology companies should be balanced with the needs of one of our most sensitive and vulnerable populations.
(Opposed) None.
Persons Testifying: (In support) Ryan Harkins, Microsoft.
(In support with amendment(s)) Chris Kaasa, American Civil Liberties Union of Washington.
Persons Signed In To Testify But Not Testifying: None.