California AG’s Student Privacy Guidelines a Step in the Right Direction
Written by Vijay Kasschau
California has once again proven itself a leader on student privacy issues. The state recently passed the Early Learning Personal Information Privacy Act (ELPIPA), which will extend the protections of the Student Online Personal Information Protection Act (SOPIPA) – one of the most expansive state student privacy laws to date – to pre-kindergarten and early learning programs.
In an effort to expand upon SOPIPA and ELPIPA, the California Department of Justice also took action to advance student privacy in the state. Kamala D. Harris, the California Attorney General (AG) turned Senator-elect, recently published guidelines for EdTech companies to suggest best practices to protect student data. The document focuses on recommendations in six areas designed to maximize student privacy: 1) data collection and retention; 2) data use; 3) data disclosure; 4) individual control; 5) data security; and 6) transparency. CDT commends these guidelines for drawing on strong research to guide the suggestions and for citing the contributions of numerous key stakeholders in advancing student privacy rights.
The AG’s recommendations, however, suffer from some of the same problems SOPIPA does. Specifically, a nebulous standard for “reasonable security” is undefined and does not offer concrete recommendations for companies. Previous iterations of SOPIPA used the National Institute of Standards and Technology’s Framework for Improvising Critical Infrastructure Cybersecurity as a guide for determining what security measures are appropriate, which we support. Tying reasonable security measures to NIST’s technical guidelines creates transparency and predictability for what industry best practices ought to be.
While not perfect, SOPIPA and ELPIPA provide some badly needed updates to the Family Educational Rights and Privacy Act of 1974 (FERPA), which has had only minor changes made to it in the past 40 years. SOPIPA directly regulates EdTech company behavior and creates accountability for company practices rather than regulating school systems and leaving accountability measures to be implemented on a local basis. Specifically, SOPIPA prohibits companies from engaging in targeted advertising to students and their families, and prevents uses of students’ information outside of their schools. It has been effective in creating a balance between school districts’ interests in improving educational outcomes and students’ individual autonomy.
Overall, CDT applauds the efforts of the AG and California lawmakers to supplement aging federal laws and enhance student privacy. We want to underscore the importance of continuing to advocate for more and clearer laws regulating the use of student information.
For more information on current state student privacy laws, see CDT’s State Student Privacy Law Compendium.