Caride Introduces Bill to Protect Students’ Digital Data

As more schools use technological tools to enhance learning in the classroom, Assemblywoman Marlene Caride (D-Bergen/Passaic) has introduced a bill to help protect the privacy of students and prevent student digital data from ending up in the hands of private vendors.

“We tell our young people to use the web responsibly, and yet website and app operators who have access to sensitive student information are using this data at their leisure without the consent of these students and with no regard for their privacy,” said Caride. “This bill would help ensure that this information is not shared or sold to other entities by restricting its use to educational purposes only.”

Entitled the “Student Digital Privacy and Parental Rights Act,” the bill (A-4873) concerns online student information collected or generated by a school service, which is defined by the bill as a website, online service, online application, or mobile application that is used to aid in the administration of activities of public or nonpublic schools, and that is designed and marketed for those purposes. Under the provisions of the bill, the operator of a school service is prohibited from:

  • presenting students or parents with targeted advertisements that are selected based on information obtained or inferred from the students’ online behavior or use of online or mobile applications, or personally identifiable information about the student maintained by the operator;
  • selling a student’s personally identifiable information to third parties or collecting this information for purposes unrelated to educational instruction; and
  • disclosing a student’s personally identifiable information except in the specific instances outlined in the bill and in accordance with rules prescribed in the bill.

In addition to the list of prohibited practices, the bill also sets forth certain actions that an operator is required to perform, including:

  • disclosing publicly and to public and nonpublic schools to which the operator provides a school service, the types of personal information the operator collects or generates, the purposes for which information is used or disclosed to third parties, and the identity of these third parties;
  • establishing procedures for parents and system users to access and correct certain information;
  • establishing, implementing, and maintaining security procedures to protect the confidentiality, security, and integrity of student information;
  • deleting certain student information within a specified timeframe upon the request of the public or nonpublic school serving the student or a request from the student’s parent;
  • deleting student information within a specified timeframe after the operator ceases to provide the service to the public or nonpublic school; and
  • implementing policies and procedures to respond to data breaches, including notifying the Department of Education and, as appropriate, students, parents, and public or nonpublic schools of the breach.

“This practice has been largely unregulated, leaving districts to figure out how to protect students. In some cases, school districts had no idea what these operators were doing with the data they collected. This bill not only restricts how these operators can use a student’s digital data, but it requires that they disclose what type of information they’re collecting, the reason why they are sharing it with a third party and who these third parties are,” added Caride. “This bill is as much about protecting the privacy of students as it is about bringing some needed transparency and order to the process.”

The bill requires the Commissioner of Education to provide public and nonpublic schools with guidance and technical assistance with respect to preventing and responding to data breaches involving unauthorized acquisition of or access to students’ personally identifiable information.

The commissioner also is required to submit a report annually to the governor and the legislature on the number, scope, and nature of the data breaches about which the department receives notice from operators in accordance with the bill’s provisions.

The bill has been referred to the Assembly Education Committee.