AB 817
Page 1
Date of Hearing: April 21, 2015
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
AB 817 Calderon – As Amended April 13, 2015
SUBJECT: Privacy: students
SUMMARY: Narrows the breadth of the Student Online Personal Information Protection Act
(SOPIPA) so that its restrictions on the use of online websites or mobile applications to collect
data on students and target advertising to them no longer apply to parents or students 14 years of
age regarding postsecondary or extracurricular educational, military, or career products or
services. Specifically, this bill:
1) Narrows the definition of "K-12 school purposes" as it pertains to SOPIPA to exclude
"communications to and from parents or students 14 years of age or older regarding
postsecondary or extracurricular educational, military, or career products or services,
including, but not limited to, college readiness assessments and preparation for them,
recruitment for and financing of the costs of those product and service opportunities, and
educational assistance or enrichment opportunities."
2) Revises the definition of “covered information” to apply to personally identifiable
information or materials, in any media or format, that is created or provided by an employee
or agent of the K-12 school, school district, local education agency, or county office of
education, to an operator explicitly for K-12 school purposes, rather than for any purpose.
EXISTING LAW:
1) Provides that all people have an inalienable right to pursue and obtain privacy. (Cal. Const.,
art. I, Sec. 1.)
2) Prohibits, commencing on January 1, 2016, an operator from knowingly engaging in targeted
advertising to students or their parents or legal guardians using covered information, as
defined, amassing a profile of a K-12 student, selling a student’s information, or disclosing
covered information, as provided. (Business and Professions Code (BPC) Section 22584-85)
3) Defines an “operator” as the operator of a website, online service, online application, or
mobile application with actual knowledge that the site, service, or application is used
primarily for K–12 school purposes and was designed and marketed for K-12 school
purposes. (BPC 22584(a))
4) Requires an operator of a commercial website or online service that collects personally
identifiable information through the Internet about individual consumers residing in
California who use or visit its website to conspicuously post its privacy policy. (BPC 22575)
5) Protects, pursuant to the Federal Educational Rights and Privacy Act (FERPA), the
confidentiality of educational records (and personally identifiable information contained
therein) by prohibiting the funding of schools that permit the release of those records. It
applies to all schools that receive funds under an applicable program of the U.S. Department
of Education. Generally, schools must have written permission from the parent or eligible
AB 817
Page 2
student in order to release any information from a student’s education record. FERPA’s
prohibition only applies to the school itself and contains various exemptions where the data
may be released without the written consent of the parents. (20 U.S.C. Sec. 1232g(b)(1))
6) Prohibits, pursuant to the federal Children's Online Privacy Protection Act of 1998 (COPPA),
an operator of a website or online service directed to children under the age of 13 from
collecting personal information from a child, including a child’s first and last name, home or
other physical address including street name and name of a city or town, e-mail address,
telephone number, or Social Security number. (5 U.S.C. 6501-6505)
FISCAL EFFECT: None. This bill has been keyed non-fiscal by the Legislative Counsel.
COMMENTS:
1) Purpose of this bill. This bill is intended to narrow the range of activities covered by K-12
student privacy restrictions on the collection, sale or disclosure of personal student
information and targeted marketing to students to exclude communications with teenagers
and their parents regarding postsecondary or extracurricular educational, military, or career
products or services. This measure is sponsored by the National Research Center for College
and University Admissions (NRCCUA).
2) Author's statement. According to the author, AB 817 "[s]eeks to clarify under what
circumstances K-12 students’ personal informational may be collected and used by operators,
as defined."
"The bill clarifies the definition of K-12 school purposes to clearly indicate that it does not
include data gathering from students who are 14 or older for post-secondary and
extracurricular educational product and service opportunities. These include college, military
and career training, scholarships or other financial aid opportunities, college readiness
assessments, and educational enrichment or assistance programs."
3) NRCCUA. The sponsor of this bill, NRCCUA, is a membership-based organization that
administers what it refers to as "the nation’s largest college planning program." According
to its website, it "is a provider of comprehensive student data, collected early, solely for the
purpose of college planning, and maintained throughout the high school lifecycle. We
capture about 5 million declarations of pure, non-marketing driven college interest each
year."
NRCCUA conducts annual surveys of highs school students to gather information on student
attitudes and educational plans from over 5 million students in 22,000 public and private high
schools nationally. The surveys are intended to help "1,300 member colleges and
universities so they can better identify high school students who meet their institutions'
admission profiles. In addition to hearing from colleges and universities, students may also
hear from non-profit and for-profit organizations offering educational opportunities such as
college admissions services, financial aid, career information, extracurricular enrichment and
recognition programs."
One such example, the "myCollegeOptions" survey, collects the following information:
name, address, school, email, gender, birthdate, grade average, high school name, teacher,
AB 817
Page 3
home and cell phone numbers, preferred type of college, parental educational attainment,
high school courses, prospective sports, prospective extracurricular activities, interest in test
prep and financial aid, preferred majors, religion, socio-political preferences, military
interest, racial-ethnic identity, and preferred colleges.
4) The Student Online Personal Information Protection Act. In 2014, the Legislature passed the
Student Online Personal Information Protection Act, or SOPIPA, which was designed to
restrict companies from collecting, selling or disclosing personal information about K-12
students through the use of software and applications designed for K-12 school purposes.
SOPIPA applies to websites, online services and applications, and mobile applications
(which are termed "operators"). The restrictions apply to operators with actual knowledge
that their website or service is being used for K-12 school purposes, and was designed and
marketed primarily for K-12 purposes. Those operators are prohibited from knowingly
engaging in targeted advertising to K-12 students and their parents, creating dossiers on
students, and selling or disclosing student information. Operators are also required to
maintain reasonable security procedures and practices. The provisions of SOPIPA become
operative as of January 1, 2016.
SOPIPA was enacted in response to the growing use of online educational programs and
mobile applications, and the relative lack of restrictions on the collection and use of students'
and teachers' personal information by operators of educational programs and applications.
During the discussion over passage of SOPIPA, the Assembly Education Committee analysis
cited a May 14, 2014, article in Politico ("Data Mining Your Children"), which discussed the
impetus for the bill: "Students shed streams of data about their academic progress, work
habits, learning styles and personal interests as they navigate educational websites. All that
data has potential commercial value: It could be used to target ads to the kids and their
families, or to build profiles on them that might be of interest to employers, military
recruiters or college admissions officers." The same article went on to say: "Kathleen Styles,
the [U.S.] Education Department's chief privacy officer, acknowledged in an interview that
much of [student information] is likely not protected by FERPA—and thus can be
commercialized by the companies that hold it."
5) Arguments in support. NRCCUA writes in support of the bill, "AB 817…would clarify
existing law regarding student privacy and ensure that college-bound students can continue to
make informed choices about their educational and career plans after high school…The
effect of the most recent clarifying amendments would be to preserve current practices with
respect to educating students about their academic and career options after high school and
matching them with interested colleges, universities, and organizations that meet their goals."
6) Arguments in opposition. Common Sense Media writes, "AB 817 creates broad exemptions
in 'K-12 school purposes.'…In turn, sensitive information students and parents provide to
these companies would not have SOPIPA's privacy and data security protections – regardless
of whether these companies are engaging with students in school. AB 817 would essentially
grant a license to sell students' sensitive personal information to market all kinds of products
and services – even 'extracurricular educational' products or services and 'enrichment
opportunities.'
AB 817
Page 4
"Our students’ privacy and safety is not served by taking these broad categories of activities
and exempting them from SOPIPA. The result: companies can collect all kinds of sensitive
information from kids in school and data-mine and exploit it to market limitless
'extracurricular educational' products and 'enrichment opportunities' to kids and their
parents.…This is an example of precisely the kinds of results SOPIPA was designed to
prohibit.
"We also note that SOPIPA already expressly permits K-12 online companies to market to
parents so long as the marketing did not result from the use of covered student personal
information obtained through the provision of K-12 school services. SOPIPA was
extensively negotiated last year as it moved through the legislative process, and should allow
the companies seeking to market the kinds of services outlined in AB 817 to contact students
and parents in ways that do not jeopardize their information in a school setting. Students
deserve the school zone to be a privacy zone, a trusted environment where they can focus on
learning."
7) Questions for the Committee. The practical impact of this bill is to reduce the range of
activities affected by the privacy requirements of SOPIPA to exclude communications to
teenagers and parents regarding postsecondary or extracurricular educational, military, or
career products or services.
By design, this bill would exclude a wide variety of communications from the protections of
SOPIPA (such as all forms of student assessments, assessment preparation resources,
financing offers, as well as the less-well defined categories of 'educational assistance' and
'enrichment opportunities'), thereby allowing operators with websites or services geared
towards those exempted products and services to target their marketing to teenagers, and
even collect and sell data about them. As such, the key privacy question raised by this bill is,
essentially, whether or not these activities are, on balance, more beneficial than intrusive to
students.
The sponsor generally contends that the requirements of SOPIPA shouldn’t apply to it
because its surveys help make students aware of a variety of educational opportunities and
products in preparation for life after graduation – in much the same way that a guidance
counselor might – which is arguably in the student's best educational interests. Opponents
argue that the exemptions provided by this bill are exceedingly broad, and that the expanded
data collection, data sale, and targeted marketing enabled by this bill are exactly the kind of
activities SOPIPA was created to stop.
The Committee may wish to inquire of the author as to the justification for broadly
exempting educational, military, or career products or services from the protections of
SOPIPA, and how the products and services provided by the sponsor might usefully be
distinguished from the products and services that were originally intended to be restricted by
SOPIPA.
8) Previous legislation. SB 1177 (Steinberg), Chapter 839, Statutes of 2014, established
SOPIPA to restrict the use and disclosure of information about K-12 students.
SB 568 (Steinberg), Chapter 336, Statutes of 2013, prohibited, on and after January 1, 2015,
an operator of a website, online service, online application, or mobile application, as
AB 817
Page 5
specified, from marketing specified types of products or services to a minor; and prohibited
an operator from knowingly using, disclosing, compiling, or knowingly allowing a third
party to use, disclose, or compile, the personal information of a minor for the purpose of
marketing or advertising specified types of products or services.
9) Double-referral. This bill has been double-referred to the Assembly Education Committee,
where it will be heard if passed by this Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
National Research Center for College and University Admissions (NRCCUA) (sponsor)
Opposition
American Civil Liberties Union of California
Common Sense Media
Consumer Federation of California
Privacy Rights Clearinghouse
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200