At a time when reliance on digital school services is at an all-time high, Proposition 24, the Personal Information Law and Agency Initiative of 2020, fails to advance digital safeguards to students. The voter initiative, which is a complement to the California Consumer Privacy Act of 2018, has been promoted as a means to protect school children online, but this is a grave exaggeration.
Voicing her support for Prop. 24, Valerie Amezcua, Vice President of the Santa Ana Unified School District, commented on the enforcement agency Proposition 24 creates, saying, “We can protect the privacy of our students and make sure violations are enforced. We have no agency to administer our privacy laws and Prop. 24 would put that in place.”
On the surface, it seems to deliver some promise of that. One of the features of Prop. 24 that garnered attention from educators is the tripling of fines for violations which involve a minor’s sensitive information. But the benefits to students stop there.
The CCPA is notable for its creation of a “right to be forgotten,” meaning a consumer can submit a request to have their personal information deleted. The original CCPA rightfully considers educational assessments and other student data to be a sensitive class of information. Yet, Prop. 24 undermines this by carving out an exemption to these types of records.
Section 15 of Prop. 24’s text amends Section 1798.145 of the California Civil Code to allow requests to delete some classifications of data to be refused. One class of information, outlined in subsection (q) (1), exempts businesses from complying with a “verifiable consumer request to delete a consumer’s personal information... to the extent the verifiable consumer request applies to a student’s grades, educational scores, or educational test results that the business holds on behalf of a local educational agency... to which the student is currently enrolled.”
This is an inappropriate exemption. There are numerous reasons why a student or the student’s parents would want this personal information to remain private. Least among them is the poor record of protecting student information by education agencies and third parties. In a 2019 review on “The State of K-12 Cybersecurity”, the group EdTech Strategies LLC found that “[Fifty-one percent] of student and educator data breach incidents during 2019 were due to the actions (or inaction) of school vendors or (in some few cases) partners, including regional service agencies, non-profits, associations, and state departments of education.”
This means that in a majority of cases where there was a data breach or improper disclosure involving student records, a party working with schools to hold this data was responsible.
These data breaches are no small matter. In 2019, an FBI investigation uncovered that a cyberattack on Pearson PLC, a British education software maker, affected upwards of 13,000 American students. Last year it was reported that in 2016 the ACT inappropriately released information pertaining to 8,000 students in Montana.
At a Defcon Hacker Conference, a high school student found flaws in the Blackboard and Follett platforms used by his school, which exposed sensitive information of at least five million students. This included “records for students and teachers, including student grades, immunization records, cafeteria balance, schedules, cryptographically hashed passwords, and photos.” In the Bay Area, the chief financial officer of a school lunch company was charged with identity and unauthorized computer access, when he was accused of hacking into a competitor’s website so he could obtain student data, including on food allergies and grades. California should not limit the efforts of students or parents to mitigate the possible release of potentially damaging information.
Proponents suggest that a new enforcement agency, such as the one Prop. 24 would create, is needed to ensure compliance. Yet herein lies another monumental flaw with the initiative: it does not allow for a private right of action.
Having the right to address those who mishandle data is a necessary component of helping guarantee there is a remedy against bad actors. Such an amendment to the CCPA should have been an obvious inclusion. A similar online consumer privacy bill introduced at the federal level in the Senate by Maria Cantwell (D-WA) contains a private right of action and is worthy of consideration for future public policy.
As such, Prop. 24 does not adequately extend privacy protections to students. The initiative does not give Californians privacy; it gives Californians extra bureaucracy. It is worse than window dressing.