SENATE BILL REPORT
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Passed Senate, March 11, 2015
Title: An act relating to the student user privacy in education rights act.
Brief Description: Enacting the student user privacy in education rights act.
Sponsors: Senators Litzow, McAuliffe, Rivers, Fain, Mullet, Frockt, Hill, Dammeier, Rolfes, Kohl-Welles and Chase.
Committee Activity: Early Learning & K-12 Education: 2/02/15, 2/17/15 [DP, w/oRec].
Passed Senate: 3/11/15, 49-0.
SENATE COMMITTEE ON EARLY LEARNING & K-12 EDUCATION
Majority Report: Do pass.
Signed by Senators Litzow, Chair; Dammeier, Vice Chair; Fain, Hill, Mullet and Rivers.
Minority Report: That it be referred without recommendation.
Signed by Senators McAuliffe, Ranking Member; Billig and Rolfes.
Staff: Ailey Kato (786-7434)
Background: The Family Educational Rights and Privacy Act (FERPA) and state laws give parents and students rights with respect to education records. Under FERPA, schools generally must have written consent from the parent, or student when the right has transferred, in order to release any personally identifiable information from a student's education record. However, there are exceptions to this consent requirement.
Currently there are no Washington or federal laws that limit the sharing of personal student information by other entities that provide services to schools and have access to personal student information.
The Education Data Center within the Office of Financial Management conducts analyses of early learning, K–12, higher education programs, and education and workforce issues across the educational system in collaboration with other agencies.
Summary of Engrossed Bill: School Service Providers. School service providers must take specified actions to protect the personal information of students. School service provider means an entity that operates a school service to the extent it is operating in that capacity. School service means a website, mobile application, or online service that meets all three of the following criteria:
is designed and marketed primarily for use in a K–12 school;
is used at the direction of teachers or other employees of a K–12 school; and
collects, maintains, or uses student personal information.
Student personal information means information collected through a school service that personally identifies an individual student or other information collected and maintained about an individual student that is linked to information that identifies an individual student. A school service does not include a website, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to a United States K–12 school.
School Service Providers' Policies. School service providers must provide (1) clear and easy to understand information about the types of student personal information they collect and about how they use and share the student personal information, and (2) prominent notice before making material changes to their privacy policies for school services. Where the school service is offered to an educational institution or teacher, this information and prominent notice may be provided to the educational institution or teacher.
School service providers must facilitate access to and correction of student personal information by students or their parent or guardian either directly or through the relevant educational institution or teacher.
These requirements do not apply to the Education Data Center, but they do apply to any of its subcontractors.
Existing law regarding consent, including consent from minors and employees on behalf of educational institutions, is not changed.
Collecting, Using, and Sharing Student Personal Information. School service providers may collect, use, and share student personal information only for purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
School service providers may not:
sell student personal information;
use or share any student personal information for purposes of targeted advertising to students; or
use student personal information to create a personal profile of a student other than for supporting purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
The prohibition against selling student personal information does not apply to the purchase, merger, or other type of acquisition of a school service provider, or any assets of a school service provider by another entity, as long as the successor entity continues to be subject to the foregoing provisions with respect to previously acquired student personal information to the extent that the school service provider was regulated with regard to its acquisition of student personal information.
Targeted advertising means sending advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or student personal information. It does not include the following:
advertising to a student at an online location based upon that student's current visit to that location without the collection and retention of a student's online activities over time; or
adaptive learning, personalized learning, or customized education.
The foregoing provisions do not apply to the use or disclosure of personal information by a school service provider to:
protect the security or integrity of its website, mobile application, or online service;
ensure legal or regulatory compliance or to take precautions against liability;
respond to or participate in judicial process;
protect the safety of users or others on the website, mobile application, or online service;
investigate a matter related to public safety; or
a subcontractor, if the school service provider:
contractually prohibits the subcontractor from using any student personal information for any purpose other than providing the contracted service to, or on behalf of, the school service provider;
prohibits the subcontractor from disclosing any student personal information provided by the school service provider to subsequent third parties unless the disclosure is expressly permitted; and
requires the subcontractor to comply with the requirements.
School service providers must delete student personal information within a reasonable period of time if the relevant educational institution requests deletion of the data under the control of the educational institution unless:
the school service provider has obtained student consent or the consent of the student's parent or guardian to retain information related to that student; or
the student has transferred to another educational institution and that educational institution has requested that the school service provider retain information related to that student.
Information Security Program. School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. The information security program should make use of appropriate administrative, technological, and physical safeguards.
Adaptive Learning and Customized Education. Nothing is intended to prohibit the use of student personal information for purposes of:
adaptive learning or personalized or customized education;
maintaining, developing, supporting, improving, or diagnosing the school service provider's website, mobile application, online service, or application;
providing recommendations for school, educational, or employment purposes within a school service without the response being determined in whole or in part by payment or other consideration from a third party; or
responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.
Construction of the Act. The act must not be construed to:
impose a duty upon a provider of an interactive computer service to review or enforce compliance by third-party content providers;
apply to general audience Internet websites, general audience mobile applications, or general audience online services even if login credentials created for a school service provider's website, mobile application, or online service may be used to access those services;
impede the ability of students to download, export, or otherwise save or maintain their own student data or documents;
limit Internet service providers from providing Internet connectivity to schools or students and their families;
prohibit a school service provider from marketing educational products directly to parents so long as the marketing did not result from use of student personal information obtained by the school service provider through the provision of its website, mobile application, or online service; or
impose a duty on a school service provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance on those applications or software.
Future Contracts. The limitations and requirements only apply to contracts entered or renewed after the effective date of the act and are not retroactive. This act takes effect July 1, 2016.
Fiscal Note: Available.
Committee/Commission/Task Force Created: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony: PRO: Large amounts of data are collected from students. This bill helps make sure that this data is used appropriately and protects students' privacy. This bill strikes the right balance between regulation and innovation. It would eliminate bad data practices in the growing educational technology industry and limit what providers can do with data. But the bill also enables providers to develop innovative services that can improve education and meet students' unique needs. Student data should be used to help kids learn; it should not be used for unrelated commercial purposes. Data is being stored remotely, which transfers data to third parties. Sometimes this transfer is not done securely. Students are using many different forms of technology in schools. Existing law has not kept up with technology. It is not clear whether this bill would apply to contracted school service providers. Contracted school service providers and schools should make decisions about privacy policies together.
Persons Testifying: PRO: Senator Litzow, prime sponsor; Rowland Thompson, Allied Daily Newspapers of WA; Ryan Harkins, Microsoft Corp; Tim Farrell, WA State Parent Teacher Assn.