Lake Elsinore Unified School District


Data Privacy Laws and Board Policies

The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. 
 
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
 
Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations such as WASC;
  • To comply with a judicial order or lawfully issued subpoena;
  • Appropriate officials in cases of health and safety emergencies; and
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.
 
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
 

“Family Educational Rights and Privacy Act (FERPA).” Home, US Department of Education (ED), 15 Dec. 2020, www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

Established in 1978, the PPRA (20 U.S.C. § 1232h, 34 CFR Part 98) affords parents of students certain rights regarding, among other things, participation in surveys, the collection and use of information for marketing purposes, and certain physical exams.
 
These include, but are not limited to, the right to:
 
  • Consent before students are required to submit to a survey that concerns one or more of the following eight protected areas:
      1. Political affiliations or beliefs of the student or student’s parent;
      2. Mental or psychological problems of the student or student’s family;
      3. Sex behavior or attitudes;
      4. Illegal, anti-social, self-incriminating, or demeaning behavior;
      5. Critical appraisals of others with whom respondents have close family relationships;
      6. Legally recognized privileged or analogous relationships, such as with lawyers, doctors, or ministers;
      7. Religious practices, affiliations, or beliefs of the student or student’s parent; or
      8. Income, other than as required by law to determine program eligibility.
 
  • Receive notice and an opportunity to opt a student out of –
      1. Any protected information survey administered or distributed to a student by a school district;
      2. Any non-emergency, invasive physical examination or screening required by a school district as a condition of attendance; administered by the school and scheduled by the school in advance; and, that is not necessary to protect the immediate health and safety of a student, with some exceptions; and
      3. Activities of an LEA involving collection, disclosure, or use of personal information collected from students for the purpose of marketing or sale (or to otherwise distribute such information to others for that purpose), with some exceptions.
 
  • Inspect, upon request –
      1. Protected information surveys and surveys created by a third party, before the administration or distribution by a school district of the surveys to a student;
      2. Any instrument used by a school district to collect personal information for the purpose of marketing or sale (or otherwise distributing such information for that purpose), before the instrument is administered or distributed to a student, with some exceptions; and
      3. Instructional material, excluding academic tests or academic assessments, used by a district as part of the educational curriculum for a student.
 
These rights transfer from the parents to the student when the student turns 18 years old or becomes an
emancipated minor under applicable State law.
 
Requirements of LEAs under PPRA
LEAs are required to develop and adopt policies, in consultation with parents, to address the protection of
student privacy and parents’ rights under PPRA, including those discussed above. In addition, LEAs
must directly notify parents of these policies at least annually, at the start of each school year, and within
a reasonable period after any substantive change to the policies.
LEAs must also directly notify, such as through U.S. Mail or email, parents of students who are scheduled
or expected to be scheduled to participate in any of the activities or surveys listed below and must provide
an opportunity for parents to opt their child out of participation. LEAs must make this notification to
parents at least annually at the beginning of the school year, and this notification must include the specific
or approximate dates when the activities or surveys are scheduled or expected to be scheduled. For
activities or surveys that are scheduled after the school year starts, LEAs must provide parents with
reasonable notification and an opportunity to review, as well as an opportunity to opt their child out.
 
These activities and surveys involve:
• Collection, disclosure, or use of personal information collected from students for the purpose of
marketing or sale (or otherwise distributing such information to others for that purpose), with
some exceptions;
• Administration or distribution to a student of any protected information survey not funded as part
of a program administered by the Department or funded as part of a program administered by the
Department but to which students are not required to submit; and
• Certain non-emergency, invasive physical examinations or screenings, as described above.
Established in 1998, The Children’s Online Privacy Protection Act (“COPPA”) is a federal law governed by the Federal Trade Commission (“FTC”) that controls what information may be collected from children under the age of 13 by companies operating websites and mobile applications. (15 U.S.C. § 6501, et seq.) COPPA requires companies to post a clear privacy policy on their website or mobile application, provide notice to parents, and obtain parental consent before collecting personal information from children under the age of 13.

Under COPPA, school districts [1] are authorized to provide consent on behalf of parents and may approve a student’s use of an educational program. An LEA’s ability to consent on a parent’s behalf is strictly limited to the educational context. That is, an LEA may only consent on the parent’s behalf if the personal information collected is used strictly for educational purposes and not for any commercial purpose. Additionally, the FTC recommends that an LEA provide notice on its website identifying all of the websites and applications for which the LEA has provided consent on a student’s behalf.

What is Personal Information?
For COPPA purposes, personal information is individually identifiable information collected online, including:
  • A first and last name;
  • A home or other physical address including street name and name of a city or town;
  • Online contact information as defined in this section;
  • A screen or user name where it functions in the same manner as online contact information, as defined in this section;
  • A telephone number;
  • A social security number;
  • A persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (“IP”) address, a processor or device serial number, or unique device identifier;
  • A photograph, video, or audio file where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

Consent to Collection of Student Data is Presumed
An LEA may act as a parent’s agent and can consent to the collection of a student’s information on the parent’s behalf, as long as the consent is limited to the educational context. Technically, in order for a commercial website operator that collects, uses, or discloses personal information from children under 13 to get consent from the school, the operator must provide the school with all the notices required under COPPA. However, as long as the operator limits use of the student’s information to the educational context authorized by the LEA, the operator can presume that the LEA’s authorization is based on the LEA having obtained parental consent.

[1] COPPA specifically references school districts, but given that County Offices of Education (“COE”) may utilize student data in the exact same way as California school districts, we recommend that COEs follow the same guidelines as school districts. Accordingly, LEAs are referred to generally in this section even though COPPA only specifically identifies school districts.

Website Operators Must Provide LEA with Information Upon Request
Upon request from the LEA, website operators must provide: a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information.

FTC-Recommended Best Practices
  • Allow parents to review the personal information collected.
  • Ensure operators delete a student’s personal information once the information is no longer needed for its educational purpose.
  • LEAs should make available to parents notice of the websites and online services to which it has provided consent on behalf of the parent concerning student data collection, as well as the operators’ direct notices. This information or a link to this information can be maintained on the LEA website.

FTC-Recommended Inquiries
According to the FTC, in deciding whether to use online technology with students, an LEA should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that LEAs should ask potential operators are:
  • What types of personal information will the operator collect from students?
  • How does the operator use this personal information?
  • Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the LEA?
  • Does the operator enable the LEA to review and have deleted the personal information collected from its students? If not, the LEA cannot consent on behalf of the parent.
  • What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
  • What are the operator’s data retention and deletion policies for children’s personal information?

Policy and Notice of Right to Opt Out of Data Collection for Marketing
LEAs must adopt policies and provide direct notification to parents at least annually regarding the rights of parents to opt their children out of participation in activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for such purpose).

For more information on COPPA, see Section M: COPPA and Schools on www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions

Established in 2000, The Children’s Internet Protection Act (“CIPA”) is a federal law enacted to address concerns regarding children’s access to obscene or harmful content over the Internet. CIPA imposes requirements on LEAs that receive discounts for Internet access or internal connections through the federal E-rate program. In order to receive E-rate funding, LEAs must certify that they have in place an Internet safety policy that includes certain technology protection measures.

Public Notice Requirement
Prior to adoption and certification of an Internet safety policy, CIPA requires sufficient public notice for at least one public meeting to address the proposed policy. A public meeting called for the purpose of complying with CIPA must be open to all.

What is Required for Certification of the Internet Safety Policy?
LEAs subject to CIPA may not receive discounts offered through the E-rate program unless they do the following:
  • Certify that it has an Internet safety policy that includes protection measures that block or filter Internet access to content that is:
      • Obscene;
      • Child pornography; or
      • Harmful to minors.
  • Include a provision in its Internet safety policy that requires monitoring of online activities of minors on the LEA network.
  • Provide for educating minors about appropriate online behavior, including:
      • Interacting with others on social networking websites and in chat rooms; and
      • Cyberbullying awareness and response.

What Must the Internet Safety Policy Address?
The Internet safety policy must address the following six components:
  • Access by minors to inappropriate matter on the Internet;
  • The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communication;
  • Unauthorized access, including so-called “hacking” and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal information concerning minors; and
  • Measures restricting minors’ access to materials harmful to them.

Established in 2015, California Education Code section 49073.6 requires that LEAs considering “a program to gather or maintain in its records any pupil information obtained from social media” first notify pupils and their parents or guardians about the proposed program, and then provide an opportunity for public comment at a regularly scheduled public meeting before adopting the program. “Social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant messages, email, text messages, online services or accounts, or Internet website profiles or locations. For purposes of this law, “social media” does not mean an electronic service or account used exclusively for educational purposes or primarily to facilitate creation of school-sponsored publications, such as a yearbook or pupil newspaper, under the direction or control of a school, teacher, or yearbook adviser.
 
Any LEA that adopts a program pursuant to this provision must:
  • Gather and maintain only information pertaining directly to school or student safety;
  • Provide a student with access to any information about the student obtained from social media; and
  • Destroy the information gathered from social media and maintained in its records within one year of the student turning 18 or discontinuing attendance with the LEA, whichever is sooner.
 
If an LEA contracts with a third party to gather student information from social media, California Education Code section 49073.6:
  • Prohibits the third party from using the information for purposes other than to satisfy the terms of the contract; 
  • Prohibits the third party from selling or sharing the information with outside persons or entities; and
  • Provides additional restrictions on the destruction of the information by the third party.
 
The foregoing requirements could be incorporated by an agreement with the third party. California Education Code section 49073.6 does not specifically define “a program to gather or maintain in its records any pupil information obtained from social media.” However, many LEAs research public social media sites following a complaint of cyberbullying or school-related misconduct. To the extent this information is collected, maintained, or utilized for disciplinary purposes, this practice likely falls under the definition of “a program to gather or maintain in its records any pupil information obtained from social media” and would need to meet the requirements of 49073.6. 
Technology services agreements entered into, amended, or renewed by a California LEA on or after January 1, 2015 must follow specific requirements. These requirements apply to contracts for services that utilize electronic technology, including cloud-based services, for the digital storage, management and retrieval of pupil records, as well as educational software that authorizes a third-party provider to access, store and use pupil records. All of the following requirements must be included in such contracts:
 
  • A statement that pupil records continue to be the property of and under the control of the school district;
  • A description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;
  • A prohibition against the third party using any information in the pupil record for any purpose other than those required or specifically permitted by the contract; 
  • A description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information;
  • A description of the actions the third party will take—including the designation and training of responsible individuals—to ensure the security and confidentiality of pupil records;
  • A description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records;
  • A certification that a pupil’s records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced (NOTE: This requirement does not apply to pupil-generated content if the pupil chooses to establish or maintain an account with the third party for the purpose of storing that content, either by retaining possession and control of their own pupil generated content, or by transferring pupil-generated content to a personal account.);
  • A description of how the district and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act; and
  • A prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.
 
References: AB 1584; Cal. Educ. Code § 49073.1; 20 U.S.C. § 1232g
California Business and Professions Code section 22584, also known as the Student Online Personal Information Protection Act (“SOPIPA”), takes effect on January 1, 2016 and sets forth privacy laws for operators of websites, online services, and applications that are marketed and used for K-12 school purposes, even if those operators do not contract with educational agencies. While primary responsibility for compliance with SOPIPA lies with website operators, LEAs should proceed with reasonable due diligence when evaluating technology service providers, especially providers based outside of California, to ensure their policies and procedures comply with SOPIPA.
 
SOPIPA adds to the K-12 student privacy scheme the following requirements:
  • Operators cannot target advertising on their website or any other website using information acquired from students.
  • Operators cannot create a profile for a student, except for school purposes.
  • Operators cannot sell a student’s information.
  • Operators cannot disclose student information, unless for legal, regulatory, judicial, safety, or operational improvement reasons.
  • Operators must protect student information through reasonable security procedures and practices.
  • Operators must delete school- or district-controlled student information when requested by schools or districts. 
  • Operators must disclose student information: when required by law; for legitimate research purposes; or for school purposes to educational agencies.