On September 29, 2014, California Governor Jerry Brown signed SB 1177 into law, effective January 1, 2015. See Governor Brown Issues Legislative Update. The new privacy and advertising regulation goes beyond FERPA, the federal student privacy law, and existing state student privacy laws that govern schools and require them to obtain privacy protections for student personal information from their vendors. It also follows a trend to treat unique identifiers, such as IP addresses and device identifiers, as personal information.
SB 1177 applies privacy obligations directly to educational software and online services publishers; however, the scope of coverage of the final law is less comprehensive than initially proposed. As originally introduced, SB 1177 would have applied prohibitions on collection, use and sharing of student personal information for purposes not necessary for core service operations, such as for promoting sales of add-on services or other products or services, to any service that was intended for K-12 educational purposes, even if not licensed, mandated or promoted by schools or teachers, and it would have prohibited any form of on-service advertising on services intended for K-12 educational purposes. The final law only applies to operators “with actual knowledge that the site, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.” “K-12 school purposes” is defined now as “purposes that customarily take place at the direction of the K-12 school teacher, or school district, or aid in the administration of school activities, including without limitation, but not limited to, instruction in the class room or at home, administrative activities, and collaboration between students, school personnel, or parent, or are for the benefit of the school.” The final law also permits some on-service, non-targeted advertising, but bans behavioral or targeted advertising on the covered services, as well as use of data collected on-service to target or retarget ads to parents or students on other sites or services.
Accordingly, the new law covers a smaller universe of educational services than originally proposed, permitting commercial services intended to be independent of schools to maintain a commercial business model that includes up-sale messaging and targeted and retargeted advertising, although the federal COPPA law prohibits behavioral or targeted advertising on sites for children under 13 or otherwise knowingly targeted to children under 13. The final law also allows covered services to share student personal information in certain instances, such as in connection with the sale of their business, to comply with legal process or to protect user safety. For services that are licensed to schools, or designed and marketed for schools to require or encourage, however, the new law applies new privacy and advertising restrictions that will need to be understood and complied with. Those licensed to schools are already under somewhat similar restrictions by contractual obligations schools are mandated to require under existing laws. The new regulated category covers services that may not be formally licensed to schools, but are designed and marketed for schools to use. Also, notably, under the new California law there is no consent exception to the restrictions.
SB 1177 follows the passage last year of another California law intended to protect minors’ privacy. The Privacy Rights for California Minors in the Digital World a/k/a Media Eraser Law, SB 568, amended the California Business and Professions Code by adding Sections 22580-22582, also effective January 1, 2015, to prohibit advertising of certain items minors are not permitted to purchase (e.g., cigarettes) to minors if the “marketing or advertising is specifically directed to that minor based on information specific to that minor (including IP address, activity, etc.).” In addition, it requires operators of services directed to minors, or with actual knowledge that minors are using the service, to: permit registered users who are minors to remove, or request removal of, content posted by the user (but not third parties); provide notice that the information may be removed; provide clear instructions as to how to remove the information; and provide notice that such removal mechanisms do not ensure complete or comprehensive removal. This law will have a far broader impact on web site and mobile app publishers, as it essentially reaches all online service providers that permit user-generated content (i.e., the ability to post).