By Andrew McDevitt, Senior Privacy Consultant at TRUSTe
California has always been known as a trailblazer state within the entertainment and technology sectors. This has significantly influenced our society, both at the national and global levels. The Golden State is no different when it comes to public policy trends. California has historically served as a national bellwether on a variety of political issues, and matters pertaining to data privacy are no exception.
During the 2013 and 2014 legislative cycles, state lawmakers enacted legislation to provide more robust data privacy protections for California’s children.
Student Online Personal Information Protection Act (SOPIPA)
One of these laws is Senate Bill 1117, also known as the Student Online Personal Information Protection Act (SOPIPA). Effective as of Jan. 1, 2016, SOPIPA would preclude online service companies that focus on K-12 educational offerings from engaging in targeted advertising to minor students and their parents or legal guardians, and from collecting information about these students to establish individual profiles about them. SOPIPA also bans the sale of a student’s information and requires K-12 online service organizations to implement and maintain reasonable security to protect the data they do collect. In addition, these service entities must delete student data upon the request of a K-12 school or district that has had its students use a company’s online educational services.
Privacy Rights for California Minors in the Digital World
The other significant child privacy legislation passed in 2013 was Senate Bill 568, titled Privacy Rights for California Minors in the Digital World. Effective as of Jan. 1, 2015, this law prohibits online service companies from marketing a variety of products and services to minors when such products and services can only be purchased by a person 18 years of age or older. The law also prohibits the collection of personal data of minors that would be shared with third parties for the purpose of advertising or marketing these same types of products and services. The most noteworthy aspect of S.B. 568 is the “right to be forgotten” clause in the context of minors. Essentially, this means that a California resident who is under 18 years of age now has the ability to have the online content that is collected and stored about them by an online service company permanently deleted. In fact, the website owner must disclose to minors that they have this right, and minors must be educated about the actual process for making such a request when desired.
Among the key drivers for the passage of these two significant child privacy protection laws is that the public now has a heightened awareness of and concern about data privacy matters. At the same time, K-12 public schools are increasingly looking for free or low-cost online technology services to successfully educate students during extreme budgetary shortfalls at the state and school district levels. In addition, the current trajectory of negative online activities and behaviors of some California minors was potentially leading toward long-term ramifications if students were not provided the opportunity to delete their online mistakes. According to a recent study about parents’ concerns regarding their pre-teens’ Internet usage, 43% of parents think their child will share personal information online that they will later regret.
What this means for online service organizations is that they will need to clearly establish a mechanism to identify minors who are using their site if they are not doing so already. These websites will also need to establish effective legal and technological mechanisms, as well as policies and programs, to ensure that they are fully compliant with these new child privacy protection laws. This includes providing minors an easy method to exercise their new “right to be forgotten.” Online tracking partners and technologies will also need to be fine-tuned to ensure that California’s minors are not included in online advertising programs in the K-12 context or served advertisements that are not deemed age appropriate by the state. This will also be a perfect opportunity for these organizations to evaluate their current data security programs and address any new gaps or vulnerabilities found.