10 Things to Know About California's New Data Privacy Law
California's new data privacy law, modeled after the European Union's General Data Protection Regulation (GDPR), took effect on New Year's Day. The state's attorney general has said the California Consumer Privacy Act (CCPA) won't be enforced until July 1, but the effort to strengthen protections of consumer data is underway.
Here's a guide to what matters for K-12 schools.
CCPA (the new law) applies directly to for-profit companies, not schools. The law affords the state's residents opportunities to know how big companies are using their data and to make decisions about how their data is used, including the right to request deletion of data they want to keep private. Companies with at least $25 million in revenue or 50,000 users are included—which means schools aren't, though many of the companies they work with are. Think Google, Microsoft, Apple, and Amazon.
Data use restrictions in K-12 education were already in place. Thanks to existing K-12 education privacy laws like FERPA and COPPA, education technology companies are already making many of the newly mandated disclosures, according to Linette Attai, a close observer of the education technology landscape and president of PlayWell, a for-profit provider of education for young children.
Overall, this law will not require an enormous amount of extra work on the part of school districts. Educators and administrators can breathe easy, said Andrea Bennett, executive director of California IT in Education. Unlike in 2015, when a new California law, AB-1584, required schools to renegotiate agreements with many of their ed-tech partners, "The majority of people I've spoken to are thinking that it's not going to be a major task like AB-1584," Bennett said.
Issues may arise if parents exercise CCPA rights to request the deletion of personal information that schools are required by other laws to maintain. Many schools host student information on third-party platforms owned by major companies like Microsoft. Under the new law, parents have a right to request the deletion of data on those servers—but schools are also required by law to keep certain data on file for reporting to the state and federal government.
Hypothetical instances that might cause conflict include parents with separate addresses who want control of the student's listed home address, or undocumented immigrants concerned about their location being exposed, according to Bennett. Those cases are likely to be few and far between, according to Bennett, but no guidance currently exists to figure out how to respond when they arise.
Lawyers hope California officials will clarify ambiguities in the law related to education. Relationships among schools, companies, parents, and students are more complicated and less linear than relationships between companies and consumers, said Mark Williams, an attorney advising California IT in Education and other organizations on navigating CCPA. It's unclear what would happen, for instance, if a student requested deletion of information from a tech platform that an individual teacher had asked the student to use. "Most relationships between school districts and providers are not part of a contract, but are entered into at the teaching level," Williams said.
Williams said he and his colleagues expect holes in the law will eventually be sorted out, but clarification may require further legislation or regulatory guidance.
"A website might serve two purposes—it might be predominantly for marketing purposes but also include a portal for student login to the product," Attai said. "Careful attention to privacy policies and the intended audience for the website or platform is a fundamental first step in determining what sort of data collection and use is acceptable."
More students will enjoy privacy under the new law. CCPA extends data privacy rights to children under the age of 16, whereas previous laws only covered children under 13, according an analysis of the law from the Education Framework blog. That means parents of children under 16 must opt in before the sale of "IP addresses, geolocation information, and inferences drawn from personal data to create a data profile of a consumer."
The protections are stronger, but advocates are still worried. Leonie Haimson, a student data privacy advocate who founded and serves as executive director of the nonprofit Class Size Matters, said she's concerned about the California attorney general's office's capacity to enforce penalties for violations of the law. Though California and other states already strictly prohibit the sale of student data, some organizations and companies continue to do so.
"I'm skeptical, but I do think that this is a definite step forward, and it's one that other states will hopefully emulate," Haimson said.
Similar laws could arise in other states or on the federal level. Several dozen states are considering privacy policies of their own, and advocates are pushing for stronger federal laws around privacy, using GDPR in Europe as a model.
These laws are confusing for everyone. Recent surveys of teachers suggest that many people feel they haven't had adequate training on privacy laws and their responsibilities to students along those lines, Haimson said.
Jennifer King, director of consumer privacy at Stanford Law School's Center for Internet and Society, recommends high school teachers turn the privacy law into a teachable moment. Educators in California can work together with students to make requests for data information from a company like Facebook, and parse the findings together.
The California legislature didn't include any funding for public education on the law's contents and hasn't provided helpful FAQ resources, King said.
Haimson finds the lack of clarity troubling.
"You can pass all the laws that you want in the world," Haimson said. "If no one's paying attention to them, they have no real impact on what's happening in the classroom."
Don't miss another Digital Education post. Sign up here to get news alerts in your email inbox.