The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

Education was one of the first areas where privacy was
regulated by a federal statute. Passed in the early 1970s, the Family
Educational Rights and Privacy Act (FERPA) was on the frontier of
federal privacy regulation. But now it is old and ineffective. With the
growing public concern about the privacy of student data, states are
starting to rev up their engines and become more involved. The result
could be game-changing legislation for the multi-billion dollar education technology industry.

There are notable gaps in FERPA that make it largely ineffective in
protecting student privacy in today’s digital age. For example, FERPA
lacks meaningful enforcement. Students and their parents have no right
to sue for FERPA violations. Only the Department of Education can
enforce the law. FERPA only allows one sanction — the removal of all
federal funding for an educational institution. This sanction is so
impractical and severe that the Department has never used it in FERPA’s
four-decade history. Thus, enforcement of the statute is essentially
nonexistent.

Moreover, FERPA enforcement only applies to schools. Unlike HIPAA,
which gives the Department of Health and Human Services (HHS) the
authority to enforce against nearly all entities that receive
HIPAA-regulated information, the Department of Education lacks similar
authority. The Department of Education is unable to enforce against
businesses that are not schools, but that receive FERPA-regulated data.

FERPA also says little about selecting a cloud provider or about the
responsibilities of such an entity. The FERPA Regulations state: “An
educational agency or institution may disclose personally identifiable
information from an education record only on the condition that the
party to whom the information is disclosed will not disclose the
information to any other party without the prior consent of the parent
or eligible student.”

But FERPA does not have much more to say about the responsibilities
of a cloud computing provider. In fact, it contains a potentially broad
loophole. If a school discloses education records for outsourcing its
functions, the FERPA Regulations allow the school to designate the cloud
computing provider as a “school official” in order to facilitate the
sharing.

When a school shares student data with a cloud service provider, the
duties of the provider to protect the data are governed by the contract
into which the school and the provider enter. Recently, Fordham School
of Law’s Center on Law and Information Policy released a study of how
public K-12 schools are handling privacy issues with regard to cloud
computing. This report, Privacy and Cloud Computing in Public Schools,
found that 95% of school districts use cloud services and share
sensitive student data with these third party data service providers. At
the same time, however, the contracts of the service providers with
their providers were found to be derelict.

The weaknesses in the contracts were widespread. The Fordham Law
School report found that only 25% of school districts provide adequate
notice to parents about the use of cloud services. About “20% of the
responding districts had no policies addressing teacher use of
information resources.” Only 25% of the agreements “gave districts the
right to audit and inspect the vendor’s practices with respect to the
transferred data.” A quarter of the agreements failed to prohibit or
limit “re-disclosure of student data or other confidential information.”
None “specifically prohibited the sale and marketing of children’s
information.” Finally, the Fordham Law study found, “Only one agreement
(12.5%) required the vendor to notify the district in the event of a
data security breach.”

FERPA is not getting the job done.

Congress’s Hibernation and the Awakening of the States

FERPA is in desperate need of reform. While Congress is asleep at the
wheel, states are increasingly becoming active in education privacy.

State law can play an important role in education privacy because
FERPA provides a floor of privacy protection, not a ceiling. It does not
preempt more privacy-protective state laws.

As a general rule, when a state law is inconsistent with FERPA, the
law that is more protective of privacy will govern. Moreover, most
provisions of FERPA do not mandate disclosure or sharing of data – they
merely permit it. Thus, there is no conflict if a state law restricts
disclosure or sharing in non-mandated instances because FERPA does not
require such disclosure. Finally, there is no conflict if state law
requires additional requirements for contracting with third party data
service vendors, or additional privacy rights to students or parents.

Recently, there has been increased media attention to education privacy issues as well as increased public concern and increased political involvement. Several states have enacted or proposed legislation
to protect student data in an age of rapid growth in the market for
educational technology software. California provides a good illustration
of this trend.

California Law and Education Privacy

For the past two decades, California has led the way on privacy law
by enacting some of the most privacy-protective laws in the country.
Other states, the federal government, and international jurisdictions
look to California for ideas regarding privacy legislation. For example,
California created the country’s first data breach notification law,
and now most jurisdictions have enacted similar laws.

In 2013, California continued this innovative path. It enacted an “eraser” law
for children and young adults, which allows a right of deletion of
posted content for registered users of an online service, mobile App’s,
or certain other kinds of digital services. Note, however, the limited
scope of this law compared to broader European proposals to create a
broad “right to be forgotten” for everyone: the “eraser” law only
applies to a limited group – namely, minor users who are registered
users of certain sites or services. This statute also only limits
operators of the regulated services and not third parties who might
repost the original material.

What of educational privacy law in California? The core interest in
this area of the state’s law is transparency. California law permits
parents to access the school records of their children (see Cal. Ed. Code § 49069).
It also requires schools to maintain a log of all individuals and
organizations that request information from school records. Finally,
California limits access to these logs and records to parents, school
officials and certain kinds of governmental officials.

The next step in this privacy saga took place in February 2014 when
California Senate President Pro Tem Darrell Steinberg proposed the Student Online Personal Information Protection Act
(SOPIPA). Senator Steinberg acted to stop problematic aspects in the
advertising market built around educational online services. As the
legislative summary to SOPIPA notes, in-system K-12 “App stores”
frequently lack a privacy policy and leave student personal information
“vulnerable for a host of uses never contemplated by the students or
educators.”

SOPIPA seeks to place strong restrictions on companies that operate
K-12 online sites, services, and applications. The bill requires these
entities to use student personal information only for school purposes.
SOPIPA limits, in particular, any sales of student personal information
to third parties, such as advertisers. It states that an operator of a
regulated entity “shall not use, share, disclose, or compile personal
information about a K-12 student for any purpose other than the K-12
school purpose and for maintaining the integrity of the site, service,
or application.” The Bill also flatly prohibits use of “a student’s
personal information for any commercial purpose, including, but not
limited to advertising or profiling.”

SOPIPA requires deletion of a student’s personal information when it
is no longer needed for the school purpose. The bill requires deletion
when a “site, service or application is no longer used for the original
K-12 school purpose”; the student requests deletion; once the
information is no longer being used for a legitimate educational
purpose; or the student ceases to be a student at the institution. In
short, the proposed bill makes clear that online sites, services and
applications cannot hold student information beyond the period or
purpose associated with the original educational reason for collection.

Finally, SOPIPA would draw on general principles in California
business law to create a private right of action. Here, is a clear
contrast with FERPA, which does not grant private parties any such
ability to enforce the law. The California Unfair Competition Statute
allows individuals to sue for any unlawful, unfair or fraudulent
business act or practice. A violation of SOPIPA would be an unlawful
business practice under this statute. Pursuant to this ban in California
on unfair competition, individuals and government entities could seek
judicial remedies, including injunctions.

If enacted, SOPIPA would revolutionize the education technology
market. SOPIPA is a striking example of how the absence of leadership on
privacy issues by the U.S. Congress is inviting states to become more
active.

* * *

Daniel J. Solove is the John Marshall Harlan Research Professor of
Law at George Washington University Law School, the founder of TeachPrivacy,
a privacy/data security training company, and a Senior Policy Advisor
at Hogan Lovells. He is the author of 9 books (including Understanding Privacy and Nothing to Hide: The False Tradeoff Between Privacy and Security) and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

Paul Schwartz is the Jefferson E. Peyser Professor of Law at UC
Berkeley School of Law and a Director of the Berkeley Center for Law
and Technology. Schwartz is also a Special Advisor at Paul Hastings,
where he works in the Privacy and Data Security Practice. He is the
author of numerous books and articles on information privacy and
information law. With Daniel Solove, he is the co-author of Privacy Law Fundamentals.

The views here are the personal views of Professor Solove and
Professor Schwartz and not those of any organization with which they are
affiliated.