Developers and operators of educational technology services should take note.  Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”).  “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services of a site or service used for K-12 purposes can use to implement best practices for their business models.

Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps.  The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015.

The data that may be gathered by through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results.  At the Federal level, the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Rule (COPPA) govern the use of student data.  However, according to the Recommendations, these laws “are widely viewed as having been significantly outdated by new technology.”

Recognizing this, California has enacted laws in this space to fill in gaps in the protection.  Cal. Ed. Code § 49073.1, requires that local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records, to include specific provisions regarding the use, ownership and control of pupil records. On the private side, the Student Online Personal Information Privacy Act (SOPIPA), requires Ed Tech provides to comply with baseline privacy and security protections.

Building on this backdrop of legislation, Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  • Data Collection and Retention: Minimization is the Goal 

Describe the data being collected and the methods being used, while understanding that data can be thought of to include everything from behavioral data to persistent identifiers.  If your service links to another service, disclose this in your privacy policy and provide a link to the privacy policy of the external service.  If you operate the external service, maintain the same privacy and security protections for the external service that users enjoyed with the original service.  Minimize the data collected to only that necessary to provide the service, retain the data for only as long as necessary, and be able to delete personally identifiable information upon request.

  • Data Use: Keep it Educational

Describe the purposes of the data you are collecting.  Do not use any personally identifiable data for targeted advertising, including persistent identifiers, whether within the original service, or any other service.  Do not create profiles other than those necessary for the school purposes that your service was intended for.  If you use collected data for product improvement, aggregate or de-identify the data first.

  • Data Disclosure: Make Protections Stick 

Specifically describe any third parties you share personally identifiable data with. If disclosing for school purposes, only do so to further the school specific purpose of your site.  If disclosing for research purposes, only disclose personally identifiable information if you are required by federal or state law, or if allowed under federal and state law, and the disclosure is under the direction of a school, district or state education department.  Service providers should be contractually required to use any personally identifiable data only for the contracted service, not disclose the information, take reasonable security measures, delete the information when the contract is completed, and notify you of any unauthorized disclosure or breach.  Do not sell any collected information, except as part of a merger or acquisition.

  • Individual Control: Respect Users’ Rights 

Describe procedures for parents, legal guardians, and eligible students to access, review and correct personally identifiable data.  Provide procedures for students to transfer content they create to another service, and describe these procedures in your privacy policy.

  • Data Security: Implement Reasonable and Appropriate Safeguards

Provide a description of the reasonable and appropriate security you use, including technical, administrative and physical safeguards, to protect student information.  Describe your process for data breach notification.  Provide training for your employees regarding your policies and procedures and employee obligations.

  • Transparency: Provide a Meaningful Privacy Policy

Make available a privacy policy, using a descriptive title such as Privacy Policy, in a conspicuous manner that covers all student information, including personally identifiable information.  The policy should be easy for parents and educators to understand.  Consider getting feedback regarding your actual privacy policy, including from parents and students.  Include an effective date on the policy and describe how you will provide notice to the account holder, such as a school, parent, or eligible student.  Include a contact method in the policy, at a minimum an email address, and ideally also a toll-free number.

Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed.   If you are growing an ed tech company, this is the time to build in data privacy and security controls.   if you are established, it’s time to review your privacy practices against this Guidance and see how you match up.  If you have any questions or concerns as to how these recommendations could be applied to your company, please do not hesitate to contact the team at Mintz Levin.

 

It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at https://oag.ca.gov/reportprivacy.  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.

 

 

Eager to retain its spot among the principal laboratories for domestic privacy legislation, California’s legislature is set to debate Senate Bill 178, legislation restricting state law enforcement agencies from requesting data without a warrant. Five other states have adopted similar legislation in recent months, and California’s proposal largely follows that trend. Continue Reading California May Limit Law Enforcement’s Warrantless Data Collection

Written by Jake Romero, CIPP/US

Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents.  If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.  Continue Reading Target Becomes a Target: Proposed California Bill Aims to Make Retailers Liable for Data Breach Incidents

Written by Jake Romero, CIPP/US

When you think of catastrophic events that take place online and have a devastating effect on millions of people, you probably think of HBO Go crashing during the True Detective finale.  However, California Attorney General Kamala Harris wants to remind you that you should be thinking about data breaches.  New data and statements released by the office of Attorney General Harris disclose that more than 20 million customer accounts been affected over the past two years by the ever-increasing number of data breaches, and also provide insight into the central role the Attorney General’s office hopes to play in remedying the problem. Continue Reading Over 20 Million Customer Accounts Affected by Data Breaches in California; Attorney General Harris Promises Increased Enforcement

We hope that you remembered to “spring forward” over the weekend —

Today’s Privacy Monday is a bit longer than usual – but an important read, particularly if you are a mobile app developer.

California Public Utilities Commission Declines to Develop New Regulations and Standards for Wireless Carriers and Mobile App Providers  . . . for Now, at Least

Written by Jake Romero

Certain things in life are a certainty; death and taxes, for example, or Jennifer Lawrence falling down at the Oscars.  Until recently, a good argument could have been made that California agreeing to implement new data privacy regulations was one of those certainties.  At its January 16, 2014 meeting, however, the California Public Utilities Commission (“CPUC”) declined a request to develop privacy standards for wireless carriers and mobile applications.  The denial comes in response to a Petition for Rulemaking filed by a collection of consumer groups (the “Petition”) such as the Consumer Federation of California, the Privacy Rights Clearinghouse and the Utility Reform Network.  The CPUC Decision (which can be read in its entirety here) concludes that “[g]iven the lack of documented examples of actual breaches of customer privacy by telecommunications corporations, as well as the existence of a variety of laws and regulations governing the treatment of potentially sensitive customer information by businesses in general and telecommunications providers in particular, it is not clear that a review of the company privacy practices in California is needed at this time.”

The Petition, which was originally filed on November 8, 2012, requested that the CPUC (1) initiate a new rulemaking to review the customer information that telephone corporations collect or have access to, along with those companies’ practices in handling and using that information; (2) develop standards for the collection, handling, and sharing of customer information to ensure that customers are aware of what information may be collected and how that information may be used; and (3) extend the applicability of its privacy rules to third parties under contract with telecommunications providers, as well as other third parties that use the phone as a platform, such as mobile applications.  Had the CPUC agreed with the petitioners, the additional rules would have added to an already crowded regulatory mix in California.  However, the petitioners argued that additional rules are necessary because of the rapid development of communication technologies, and that any additional rules promulgated by the CPUC could help to update and modernize current regulations.

Opposition comments to the Petition were filed by CTIA, AT&T and its affiliated companies and MetroPCS California.  The opposing party comments made two primary arguments in favor of denying the Petition; one procedural and one substantive.  On procedural grounds, the opposing parties argued that the Petition attempts to reach non-regulated services and providers, over which the CPUC has limited authority, without clear justification.  Substantively, the opposition argued that additional rulemaking is unnecessary because existing laws and policies already protect the privacy of customer information available to telecommunications carriers, and carriers already have internal privacy policies in place to comply with California state law.

In denying the Petition, the CPUC agreed with the opposing parties that federal and state laws governing the protection and use of, among other things, information that relates to the use of telecommunications services, already address privacy issues related to customer data, and that such laws had been updated and revised on an ongoing basis in response to further technological development.  The CPUC noted that the Petition was specifically focused on third-party applications, but found that the Petition was unable to identify types of information collected or accessible by these parties that would not already be covered by federal or state privacy laws.  Moreover, the application of the federal and state laws applicable to mobile application providers are primary enforced by entities other than the CPUC, such as the Federal Trade Commission or States’ Attorneys General.  In the absence of “clearer documentation of gaps in existing privacy laws and regulations, as well as examples of actual harm from such privacy violations” the CPUC denied the Petition.

There are a few key takeaways from the CPUC decision.  First, notwithstanding its conclusions, the CPUC left the door open for the petitioners to return with further information and developments in the future.  The CPUC noted that because of rapid changes in communications technology, it is possible that concerns may develop that would need to be addressed.    Second, the Petition’s focus on mobile applications is yet another indication that concerns about mobile privacy and continuing to grow.  Following months of front-page news stories about data breaches and Apple’s own high-profile security update, it is unlikely that these concerns will diminish any time soon.  On the other hand, online service providers just recently dealt with a barrage of new California regulations.  The CPUC’s decision not to add to the regulatory web at this point will likely be welcome news for online service providers.

Written by Jake Romero

The California Senate has passed a bill restricting the information that certain online retailers can collect in connection with consumer purchases.  Senate Bill 383 would amend Sections 1747.02 and 1747.08 of the California Civil Code to address the collection of customer information in connection with credit card purchases in online transactions for downloadable products.  The bill aims to close a perceived gap in the data privacy protections afforded to California residents, by placing these types of transactions within the scope of California’s Song-Beverly Credit Card Act, which prohibits retailers from requiring certain customer personally identifiable information as a condition to accepting credit card payment.

Does this all sound vaguely familiar?  If so, that is likely because SB 383, in its current form, is just the latest development in a series of efforts to adapt Song-Beverly, a law that pre-dates the modern internet, to current retail and data collection practices.  Continue Reading California Moves to Restrict Collection of Consumer Personal Information Online: the Process, History and Politics Behind Senate Bill 383

Well, the headlines don’t exactly work with the traditional tune, but blame the editor for that…..

Written by Jake Romero, CIPP/US

2013 was a busy year for California.  We passed a budget with a surplus, let Kim and Kanye get engaged in one of our stadiums and panicked over possibly losing Sriracha sauce.  At the same time, we also passed a number of significant pieces of legislation related to data privacy, the effects of which will be felt throughout the year.

  • Happy New Year!  Consumer Notification Laws Effective as of January 1, 2014 – “Do Not Track” and Data Breach Notification

Two laws going into effect on the first of the year will require additional notifications to consumers.  The first, A.B. 370, amends Section 22575 of California’s Business and Professions Code to require any operator of an online service to disclose in its privacy policy (1) how it responds to “Do Not Track” signals or similar tools and settings and (2) whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service.

As we discussed earlier this year, the absence of a universal industry standard for “Do Not Track” (which is not defined in the statute), may create pitfalls for unwary online service operators as they attempt to comply with the law’s requirements.  A full, clear and accurate description of an online service’s interpretation of Do Not Track signals will likely require significant review and diligence by, among others, that service’s operational and technical managers and support staff.  An online service that inaccurately describes the additional disclosures required by A.B. 370, or fails to update those disclosures in a timely manner following operational changes, may incur liability for engaging in deceptive practices.  On the other hand, a blanket disclosure stating that the service does not honor Do Not Track signals may ward off potential customers and damage the service’s reputation.

Under A.B. 370, online service operators are deemed to have satisfied the requirement to disclose the service’s interpretation of Do Not Track signals (but not the required disclosure regarding tracking by third parties), by linking to a description of a program or protocol that the operator follows that allows the consumer to exercise choice regarding collection of personally identifiable information.  Note that this option is only effective if the operator follows and complies with the protocol to which it directs consumers.  This may be problematic because many protocols, including the Digital Advertising Alliance (previously discussed here), require that all third party advertisers on the service be members of the program.  An online service operator hoping to take advantage of this option will need to have policies in place to assess compliance on an ongoing basis, including with respect to its third party advertisers.

The other consumer notification law going into effect is S.B. 46, which expands California’s data breach notification requirements to include incidents involving certain types of online data.  S.B. 46 amends Sections 1798.29 and 1798.82 of the California Civil Code to expand the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

As we previously discussed, this expansion of California’s notification requirement could significantly increase the number of reportable incidents in two ways.  First, California’s data breach notification requirements will apply to many more online service providers, as this type of online account information is commonly collected by websites.  Second, websites that only collect online account information may not have the type of robust safeguards and policies that an online service that collects other types of personal information, such as social security numbers, driver’s license numbers or credit card, medical or health insurance information, has already put in place.  We recommend that online services that collect “personal identification” as defined under that term’s expanded definition review our recommendations for preparing to comply with the new law here.

  • Sector-Specific Regulations Effective as of January 1, 2014 – Medical Information and Customer Electrical or National Gas Usage Data

In addition to the generally applicable laws described above, two pieces of industry-specific legislation will also go in effect.  A.B. 658 amends Section 56.06 of the California Civil Code, which is part of the “Confidentiality of Medical Information Act” (or “CMIA”).  The CMIA prohibits providers of health care or recipients of individually identifiable medical information from using or disclosing medical information for any purpose not necessary to provide health care services to patients, without first obtaining authorization.  A.B. 658 will expand the definition of “provider of health care” so that this prohibition will also apply to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual . . .”  This change to the CMIA should be of particular concern to mobile application developers and operators.  With the use of mobile applications generally on the rise, health care related applications are expected to play a part in promoting wellness and addressing a number of issues, including rural access to health care.  However, as compared to the average website, mobile applications typically require a more complex system of third party service providers that may have access to data, and can be an inherently challenging platform for displaying notices.

As of January 1, we will also see new regulations applicable to businesses that use “smart meter” data.  For the past three years, utilities have been prohibited from sharing or disclosing data regarding individual consumption or use of electricity or natural gas by an individual without that individual’s prior consent.  A.B. 1274, extends this prohibition to non-utility businesses, and requires that such businesses disclose any third parties with whom they share such information and how it will be used.  In addition, A.B. 1274 requires businesses to use reasonable security procedures and practices to protect usage data from unauthorized access or disclosure, and put in place contractual requirements with any third parties who receive usage data requiring those third parties to do the same.  A.B. 1274 also requires certain steps to be taken when disposing of usage data, and prohibits businesses from offering incentives to consumers who allow their information to be accessed without prior consent.

  • Looking Ahead – Children’s Privacy Rights

The supporters of the ballot initiative known as the California Personal Privacy Initiative may have dropped their efforts, but we expect that in 2014 California will continue its aggressive push to increase data privacy regulation and enforcement.  We will also be tracking preparations for S.B. 568, which goes into effect on January 1, 2015.  S.B. 568 prohibits operators of online services directed toward minors under the age of 18 (as well as online services not directed toward minors, if the operator of the service has actual knowledge of a minor using the service and advertisements are specifically directed to that minor based on information the minor has provided) from marketing certain products (including alcoholic beverages, firearms, ammunition, spray paint, cigarettes, fireworks, tanning devices, lottery tickets, tattoos, drug paraphernalia and obscene materials).  S.B. 568 also requires that these types of online services permit minors to remove or request the removal of content or information posted by that minor and provide certain specific disclosures regarding deletion of online information.  We discuss S.B. 568 in further detail and provide recommendations for preparing to comply with the new requirements here.

 

 

The federal government may be completely unable to pass laws, but that certainly isn’t the case with the State of California, which has just completed a data privacy hat trick by passing three significant laws addressing a broad subset of data privacy issues. The big question: is your online and/or mobile business ready for the coming changes?

Read the latest Mintz Levin Privacy Alert analyzing what effect these new laws will have on business and how you should be preparing to comply.

 

As we all ponder the potential for the first U.S. government shut down in 18 years, here are some Monday privacy tidbits to change the subject a bit.

September Mintz Matrix

As our readers know, we maintain a summary of the US state data breach notification laws, which we refer to as the “Mintz Matrix.”   We update the Mintz Matrix on a quarterly basis, or more frequently if developments dictate.

We’ve updated the Mintz Levin State Data Breach Notification Matrix to reflect changes to California’s law.   The Mintz Matrix is available here.

California SB 46 and AB 1149 have brought about the following changes:

(1)   The definition of PI has been expanded to include username or email in combination with password or security question and answer that would permit access to an online account.

(2)   The law specifies when electronic notice can be provided.

Now, for today’s disclaimer: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Press Roundup

Last week was a busy one for members of the Mintz Levin privacy team – here’s a peek at our clipping file:

Law360 (registration may be required) – Va. Tech Breach Reveals Info on 145K Job Applicants – quotes Cynthia Larose

FierceCIO – How a decent risk assessment could save you a lot of money – Interview with Cynthia Larose

Law 360 (registration may be required) – Calif. Initiative Could Unleash Wave of Privacy Fights – quotes Jake Romero

E-Commerce Times – Judge Cuts Google No Slack in Gmail Wiretap Case – quotes Cynthia Larose