The Student Online Personal Information Protection Act (SOPIPA) or SB1177 was signed into law last week. It has been called the first in the nation law that strengthens privacy protections for the personal information of California students while permitting innovation in education and technology. There have been many student data privacy laws enacted in recent legislative sessions but many focus on either restricting the types of data collected or mandating states and/or school districts improve their governance and infrastructure to safeguard student information. But asking a school district to improve its infrastructure is easier said than done, especially without supplying the funds for implementation. And restricting data collection can veer into the path of limiting school operations and fail to serve its students.
SOPIPA is interesting in that the law places the responsibility for ensuring student data privacy on the ed-tech industry. It directly addresses the way online service providers and apps can collect and use student data. It is important to recognize that software applications need to collect data in order to personalize the service students receive but also to maintain student records for teachers to keep track of grades, student progress, reading records etc. It is also worth noting that the new law allows these service providers to use the data they have to improve their products but they cannot use the information for targeted or “behavioral” advertising. The law does not unnecessarily impede the use of data and technology, which can stall under more restrictive laws. This is what I find of great importance. This premise fosters innovation in education technologies by enabling service providers to use the de-identified data at their disposal to develop products beneficial to all.
And while all this is good news, SB1177 is far from perfect. I am pretty sure that by now you know I stand on the side of student ownership of data. And I am disappointed at the lack of control given to students (and their parents) particularly regarding the deletion and retention of their data. Students and parents need to have a voice in how their data is collected and used and for how long it shall be retained. What happens when privacy policies and contracts change? If we do not have student ownership in mind, whose best interests are we serving when a privacy policy is updated? Will the law support access to and correction of student information or is the burden, again, on the school districts to review student information and ensure its accuracy?
There are also some points that require clarification. For example, what does the law define as “k-12 purposes”? Besides the services used in schools does the term include apps used outside of school by students without the school’s knowledge? And even though COPPA applies to apps generally used by the “under 13” crowd does SOPIPA protect students’ data when they use apps outside of school but the app is an “educational” one? I don’t believe this is addressed, and if it’s not, it is inadvertently creating a grey area of how student data is protected in these cases. This is where an update of FERPA and a well-delineated Federal standard is necessary. There needs to be a blanket Federal Standard that will address these issues when necessary and eliminate ambiguity as much as possible.
SOPIPA is a significant step forward. It provides a framework for stronger protections for student data and with a different (and interesting) approach than other state bills. It provides a good framework for other states to use, and I hope they do. I am encouraged to see the legislature promote collaboration, but we must not forget students in the process.
And don’t worry, there is time to debate this endlessly – the bill’s provisions will not take effect until January of 2016.