Week 5

Legal Implications of Using Digital Technology in Public Schools: Effects on Privacy

JOANNA TUDOR, J.D *

Policymakers have been attempting to improve our education system and student achievement for decades. With encouragement from recent legislation— such as the America Competes Act, which places an emphasis on STEM education— school districts across the country are incorporating technology into academics in sweeping strides. Between 2012 and 2013, the United States Department of Education gave out over $500 million in Race to the Top funds and almost every recipient school district implemented a one-to-one digital device initiative. As technology is integrated into academic instruction for use at school and at home, student interaction with digital technology has been propelled to exceptional levels. .

Meanwhile, the efficiency of digital technology has made it easier tor school districts and other entities to collect, organize, and store large databases of information. School districts, state departments of education, and the U.S. Department of Education all collect and use data about students. At the local level, specific information on individual students is collected to help teachers improve their instruction or keep records of student behavior. For example, Apple’s iTunes has a behavior-monitoring application (app) available to teachers that allows them to compile information about which students have behavior

*This article was prepared as part of the author’s work at the University of San Diego’s Mobile Technology Learning Center (MTLC), an Institute of Entrepreneurship in Education (IEE) knowledge lab in the School of Leadership and Education Sciences.

1. Ross Brenneman, Before Buying Technology, Asking ‘Why,?’ Educ. Weekly, June 18, 2014, http://www.edweek.org/tm/articles/2014/06/18/gp-definitions.html.

287

288 Journal of Law & Education [Vol. 44, No. 3

problems and which students are helpful in the classroom. 2 Data collection can also help administrators make better-informed decisions about allocating resources to district programs. Sometimes districts contract with outside service providers who deliver services to students and often these service providers also collect and use personally identifiable student information to help them improve their services. For example, some school cafeterias are now using a biometric identification system to allow students to pay for lunch by scanning their fingerprint at the checkout line. 3

The ease and convenience of collecting, organizing, and storing data through the use of technology means that most, if not all, of these data are in digital form. However, the convenience and insight allowed by unprecedented access to technology comes at a cost, which frequently manifests as invasions of student privacy. Furthermore, districts may not realize the extent to which student privacy is at risk, particularly because technology is constantly evolving, thus creating new risks Understanding the risks involved is only half the battle. Districts must d so navigate the multitude of federal and state laws currently in place that are designed to protect student privacy. In the last several decades, privacy laws in general have morphed as advances in technology have challenged well-established concepts in privacy law.4 Compounding the matter, student expectations in privacy has always been a vague concept, and is only further complicated by the challenges digital technology has introduced to privacy law.

This report discusses the potential risks to students when districts incorporate technology by considering who is collecting data and why it is problematic. The report focuses on privacy violations that are likely

. „ 2;,. TlPTaPTech, LLC, Easy Behavior Tracker fo r Teachers, iTunes Preview

March i r S t 5 ) P e’C° ^ US/aPP/eaSy’behaViOr‘traCker' f0r/id553367265?mt=8 (last visited

3 Adam Shanks, North Adams schools to implement biometric ID at cafeterias The

T , (SePt' h 13; 2° 14’ 12:11 AM)’ h ttp ://w w w .b e r k s h £ :X o ^ i c “ 6525" 0/nOrth‘adams' schools' lmPlement' biometric-id-at-cafeterias. 4. For example, in U.S. v. Jones, 132 S.Ct. 945, 181 L.Ed.2d 911 (2012) the United States

Supreme Court ruled that the attachment o f a Global-Positioning-System (GPS) to a car wa a

r v T v eemma Tf T " ° f “ Amendment a"d ^ ̂ - t “ edby government officials without a warrant. J

Summer 2015] Using Digital Technology in Public Schools 289

to occur due to a district’s increased use of technology and explores questions such as, “What are students’ expectations of privacy m digital technology?” and “What is a district’s duty to protect students Irom privacy invasions?” Where answers are not yet available, the report provides relevant information that districts need to contemplate as they implement technology devices and programs in their schools. The report begins with an overview of federal privacy laws, California privacy laws, and other laws that regulate technology use. The report then takes a look at how student privacy is compromised and who are the biggest contributors to student privacy invasions and why. Based on the law described in the first two sections, the report then discusses students expectations in digital technology, and the implications for school districts.

I OVERVIEW OF RELEVANT LAW AFFECTING STUDENT PRIVACY

Privacy rights can be separated into three main categories: (1) the right to access and to control access to personal information, (2) the right to personal autonomy, and (3) the right to control public use of an individual’s persona. Of these three, the first two (the right to access personal information and the right to personal autonomy) are largely at issue with regard to the legal implications of students who use digita technology in an academic setting. Federal statutes such as the Federa Educational Rights and Privacy Act (FERPA) and the Children s Online Privacy Protection Act (COPPA) address the right to access and to control access to personal information, while the United States Constitution offers some protection for personal autonomy through the First, Fourth and Fourteenth Amendments. Additionally, each state has its own set of legislation governing student privacy. Although the third category (the right to control persona) could arise within the educational context, it would be an unusual occurrence; therefore, this report will only discuss the first two privacy concepts.

290 Journal of Law & Education [VoL 44, No. 3

Within the first two ideas, there are many federal and state laws that can and do apply to school districts, students, and other interested parties. In fact, in just the past few years, almost 150 bills affecting student privacy were introduced in 40 different state legislatures6 Because of the diversity of state laws affecting student privacy this report focuses mainly on federal law. California serves as the model when exploring the intersection of federal and state law. California lends itself to these examples because its Silicon Valley hosts many high-technology companies, such as Google, Facebook, Apple, Hewlett- Packard, and Intel, to name a few.6 Of course, these companies’ influences reach far beyond the boundaries of California, so this is not to suggest that by being headquartered in California their impact is hmited to California. Therefore, in order to fully understand the subtleties of some of the implications presented by digital technology programs within other states, a thorough exploration and analysis of the state s law is necessary.

A. Federal Privacy Laws

The United States Constitution does not guarantee privacy specifically, but there are constitutional limits as to how far the government can intrude into an individual’s private life. The Fourth

mendment establishes some of those limits by ensuring the right to be free from unreasonable search and seizure of body, house, papers, and effects^ In addition to the Fourth Amendment, the First and Fourteenth Amendments also protect personal autonomy. The First Amendment

20155' Bil\ Wouldn't St°P Data l i n i n g o f Kids, Politico (Mar. 23, • http.7/www.politico.com/story/2015/03/privacy-bill-woulclrrt-ston datamining-of-ktds-116299.html#ixzz3WYqkGlsp. woman t stop data-

visited GZ t t ° Cf r ^ J ttp:l/w VW g° ^ le-com/about/comPany/facts/locations/ (last M rC TT16’ 20 5)’ Faceho°k HQ, Facebook, https://www facebook com/

pages/Facebook-HQ/166793820034304 (last visited March 16. 2015); Apple Corporate Office M u d T r n t S T T T T ' 'lllP:̂ ecorPorateoffices-coni/App!e-!697 ^(last , i L

about h n L f i 015 4 C l , n Head^ m rters’ HP- http://www8.hp.com/us/en/hp-information/ out-hp/headquarters.htm1 (last visited March 16, 2015); Intel Corporate Office &

\ A 15’) eCOrP° rate0fflCeS’ http://ecorporateoffices.com/Intel-2953 (fast visited March 7. U.S. Const, amend. IV.

Summer 2015] Using Digital Technology in Public Schools 291

safeguards personal autonomy by protecting the right to speak freely and peaceably assemble,8 while the Fourteenth Amendment ensures substantive due process.9 The Ninth Amendment protects privacy indirectly because it holds that even if a right is not explicitly mentioned in the Constitution, the government may not infringe upon that right it it has been granted through other means.

Unlike the Constitution, there are many federal statutes that^directly address privacy concerns, such as the Privacy Act of 1974 Some statutes specifically concern digital privacy, like the Electronic Communications Privacy Act,13 while others are even more specific an address the digital privacy of students or minors. The following descriptions of federal law focuses on those sections that address students’ privacy rights specifically.

1. Family Educational Rights and Privacy Act (FERPA)'4

Student privacy rights begin with FERPA. FERPA governs schools that receive federal funding and maintain student education records. It requires that parental consent be given before any personally identifiable information or information held in the education record can be shared.15 Although FERPA’s jurisdiction covers elementary, secondary and post-secondary school students, this report will focus solely on the portions of FERPA that apply to K-12 students.

FERPA grants rights to parents of minors and to students themselves, once they have reached the age of majority. These rights include the ability to inspect the education record that the school maintains on their

eight amendments to the Constitution were not later deemed exnausuve. 12. 5 U.S.C. § 552a (2010). 13. See generally, 18 U.S.C. § 2510 (2002). 14. 20 U.S.C. § 1232g (2013). 15. Id. at § 1232g(b)(l).

8. Id. amend. I. 9. Id. amend. XIV. 10. Id. amend. IX. 11. This concept was

292 Journal of Law & Education [Vol. 44, No. 3

child and the right to challenge and correct or delete any content in the record that is inaccurate or misleading. 16 Additionally, the Code of Federal Regulations, which has expanded upon FERPA’s rights requires districts to annually notify parents of these rights. 17 The statute does not grant a private right of action however, meaning parents cannot sue districts that are in breach of FERPA. The only statutory incentive districts have to remain in compliance with this law is that federal funding can be revoked for any school in violation of the law. 18 Tod d a 1̂ ormatlon held in the education record is protected under FERPA. However, as information conduits and data storage methods have evolved, a bit of a controversy has developed regarding what information is included in the education record and therefore protected from being accessed by others. The statute defines “education record” as records, files, documents or other materials which “contain information

irectly related to a student” and “are maintained by an educational agency or institution. ” 19 At times, FERPA has been applied broadly when identifying content within the education record. 20 However, the education record does not include teachers’ personal notes that are not s ared with others except substitutes, or records created and kept by law

There are a few exceptions granted under the statute that allow districts to disclose information that would otherwise be a part of the education record without permission. The two most relevant exceptions include the Directory Information exception and the School Official exception.- Directory Information refers to information that is generally not considered harmful if disclosed.23 This information may include but

16. Id. at § 1232g(a)(2). 17. 34 C.F.R. § 99.67 (2012). 18. 20 U.S.C. §1232g(a)(l)(B)-(2). 19. 20 U.S.C. § 1232g(a)(4)(A).

, h, . 2° ,F0r a° examPIe- ^ U.S. v. Miami University, 91 F.Supp.2d 1132 (2000) (including student disciplinary records as part of the “education record”). 8

21. 20 U.S.C. §1232g(a)(4)(B). Subsection (a)(4)(B) also identifies records of employees

is e is h te e 3tl0na 316 n0t als° students of that a8ency and records on a student who is eighteen years of age or older that have been made or maintained by a physician or

P ^ 2 2 C§?I232g(b)>t lnCluded 10 the deflnltion of “education record” for purposes o f FERPA.

23. 34 C.F.R. § 99.3 (2012).

Summer 2015] Using Digital Technology in Public Schools 293

is not limited to the student’s: name; address; telephone listing; e-mail address; photograph; date and place of birth; grade level; major field o study; participation in officially recognized activities and sports; weight and height (of members of athletic teams); dates of attendance; degrees and awards received; and the most recent previous educational agency or institution the student attended.24 Directory information does not include social security numbers.25 Under the Directory Information exception, districts may make such information public, but must give notice to parents of the categories of information that it intends to disclose. Parents have the rig h tto “opt out” if they do not wish for this information to be made public. 26

The School Official exception allows schools to disclose to certain individuals or entities information that is considered persona y identifiable information” (PH) 27 or information that would otherwise be a part of the education record. The Code of Federal Regulations defines “personally identifiable information” as including, but not limited to a student’s: name; names of family members; address; any persona identifier such as social security number or biometric record; other indirect identifiers such as date or place of birth, or mother’s maiden name; and any other information that “alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the schoo community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Under this exception, the school may disclose information without prior consent to other school officials, including teachers, 29 or to vendors who perform a function for the school that would otherwise be performed by a school employee.30 The vendor must have a legitimate educational interest in the data and the school must be in direct control of the vendor’s use and maintenance of the data. 31 Under these circumstances, the vendor can

24. 20 U.S.C. § 1232g(a)(5)(A); 34 C.F.R. § 99.3. 25. Id. at § 1232g(a)(5)(B).

27. The statute does not define what constitutes “personally identifiable information. 28. 34 C.F.R. §99.3. 29. Id. at § 99.31 (a)(l)(i)(A). 30. Id. at § 99.31 (a)(l)(i)(B). 31. Id. at § 99.31(a)(1).

294 Journal of Law & Education [Vol. 44, No. 3

use PII for authorized purposes only, and cannot redisclose the data without permission from the school and written consent from the parent.

In light of the current trend of heightened violence in schools two other exceptions under FERPA are worth noting. The first includes situations where an emergency has arisen and PII or information from the education record must be disclosed to protect the health or safety of the student or others. The second includes disclosing disciplinary information in the education record that concerns student conduct that has posed a significant risk to the safety or well-being of that student or others. Such information may be disclosed to teachers, school officials or others who have a legitimate educational interest in that student’s behavior.

Whenever an exception applies, information may only be disclosed on the conditions that the recipient of the information not share it with any other party without prior consent of the parent, and the information will only be used for the purpose for which the disclosure was made.35 Whenever a disclosure has been made, the district must make a reasonable attempt to notify the parents and provide them with a copy of the record that was disclosed. 36 This has big implications for school districts looking to contracting with third-party providers if the third- party will or may have access to student records.

FERPA also requires that districts keep a record in each student’s file ot any individual or entity that has accessed or maintained the education record Along with that information the district must indicate what that individual or entity’s legitimate interest was in obtaining the information. Where a third party maintains education records under the School Official exception, the district must be able to provide a requesting parent access to those records.

32. 20 U.S.C. § 1232g(b)(4)(B). 33. Id. at § 1232g(b)(l)(F). 34. Id. at § 1232g(h)(2). 35. 34 C.F.R. § 99.33(a). 36. Id. at § 99.34(a)(1). 37. 20 U.S.C. § 1232g(b)(4)(A).

Summer 2015] Using Digital Technology in Public Schools 295

FERPA also requires that regulations governing surveys or^data- collecting activities be implemented to protect student privacy.^ This requirement was codified in what is sometimes referred to as the “Hatch Amendment,” but is also known as the Protection of Pupil Rights Amendment. There are some significant problems that are not addressed by the FERPA legislation. For these reasons, there is a strong likelihood that a proposal to amend FERPA will arise in Congress in the near future. In fact, during a congressional hearing held in early 2015, the House of Representatives heard testimony of several experts regarding the ways in which FERPA is falling short of protecting student privacy. At this time, it appears the House is considering updating FERPA

2. Protection o f Pupil Rights Amendment o f 1978 (P P R A f0

PPRA governs the administration of surveys soliciting specific categories of information, and imposes certain requirements regarding the collection and use of student information for marketing purposes. It requires that schools give notice to, obtain written consent from, and provide an opt-out opportunity to parents before students can participate in commercial activities that involve the collection, disclosure or use of personal information for marketing purposes.41 The exception to this is if a vendor is using student data solely for the purpose of developing, evaluating, or providing educational products or services to students or schools.42 Under the statute, “personal information” is defined as individually identifiable information including a student or parent s first and last name, a physical address, a telephone number, or a social security number.43 A , _ .

In addition to the difference in the way PPRA and FERPA define “personally identifiable information,” some of the other distinctions

38. Id. at § 1232g(c). . 39. Technology and Student Privacy: Before the H. Comm. On Education and the

Workforce 114th Cong. (2015) (statement of Todd Rokita, Chairman Subcomm. On Early Childhood, Elementary, and Secondary Education).

40. 20U.S.C. § 1232h (2002). 41. Id. 42. Id. at § 1232h(c)(4)(A). 43. Id. at § 1232h(c)(6)(E).

296 Journal of Law & Education [Vol. 44, No. 3

between the two statutes are that FERPA is triggered where a school simply maintains education records containing personally identifiable information, while PPRA is only invoked when personal information is collected from the student. An example illustrating the difference between the two comes from the Privacy Technical Assistance Center a subset of the U.S. Department of Education. If a district contracts with a provider under FERPA’s school official exception for basic applications designed to help educate students, and sets up user accounts using basic enrollment information, such as name and grade, then the provider may not use data about individual student preferences to target ads to individual students. This would be an unauthorized use of the data, and would not constitute a legitimate educational interest as specified under FERPA. PPRA would also prohibit targeted ads unless the district had a policy addressing this and parents were notified. Parents must also have been given an opportunity to opt-out of the marketing. However, the provider could use data conveying personally identifiable information to improve their product and its delivery. Additionally, the provider could use non-PII data to develop new products and services that the provider could then market to schools and districts.44

PPRA applies to K-12 students only, while FERPA protections extend to post-secondary students. Like FERPA, there is no private right of action under PPRA, so students and parents cannot enforce compliance with the statute. However, schools that do not comply jeopardize federal funding.45 Also noteworthy, PPRA applies to all students, regardless of age, as opposed to the Children’s Online Privacy Protection Act, discussed in the next section, which only governs children age thirteen and younger.

, J 4 Protecting Student Privacy While Using Online Educational Services: Requirements c i t l f n f Pu f t \ Ce% P7 aCy Technical Assistance Center (February 2014), http://ptac.ed.gov/

%Sftb“,“ 202oT̂;“ ™ vac),* 20a"d%20Onli"e%20Edu“ tio" aW 20s" vi“ s%20 H o o f f 20 U S C ® I232h(e); See also’ C N ' v- Ridgewood Bd. of Edu., 146 F. Supp.2d 528

Summer 2015] Using Digital Technology in Public Schools 297

3. Children’s Online Privacy Protection Act (COPPA f '

COPPA is designed to protect the privacy of children under the age of thirteen COPPA prohibits commercial website operators from collecting personally identifiable information from children under thirteen without first obtaining “verifiable parental consent.” The Code of Federal Regulations define PII as:

[I]ndividually identifiable information about an individual collected online, including: a first and last name, a home or other physical address including street name and name of a city or town, online contact information [such as email address or other substantially similar identifier], a screen or user name, a telephone number, a social security number, a persistent identifier that can be used to recognize a user over time and across different Web sites or online services (includes but is not limited to a customer number held in a cookie, an Internet Protocol address, a processor or device serial number, or unique device identifier), a photograph, video or audio file where such files contains a child’s image or voice, geolocation information sufficient to identify street name and the name of a city or town, or information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

Consent must be obtained even when such information is offered voluntarily. COPPA applies to any website operator or online service that is directed to children. The Code of Federal Regulations expounds on some of the factors that are considered when evaluating whether a website is directed towards children. These factors include subject matter of the site, visual content, use of animated characters or chil - oriented activities, music and other audio content, age of models presence of child celebrities or celebrities who appeal to children, and whether advertising promoting or appearing on the website is directed to children.49 When a website has “actual knowledge that it collects

46. 15 U.S.C. §§ 6501-6506. 47. Id. at § 6502. 48. 16 C.F.R§ 312.2 (2013). 49. Id.

298 Journal of Law & Education [Vol. 44, No. 3

personal information directly from users of another website” that is directed towards children, the first website is also considered directed towards children for purposes of applying COPPA.50 COPPA also covers operators who direct their content towards a general audience but have actual knowledge that they are collecting personal information rom a child. Websites that do not target children as their primary

audience are exempt under COPPA if they do not collect personal information from any visitor prior to collecting age information and prevents the use, collection or disclosure of personal information from visitors who identify themselves as under the age of thirteen.52 Website operators who fall under COPPA regulations must provide notice on their website of their data collection policies as well as allow parents to review the personal information collected from a child and allow parents to refuse further permission of its use.53

Once personal information is collected, the website operator must protect the confidentiality, security and integrity of that information and take reasonable steps to release the information only to third parties who are capable of maintaining the confidentiality, security and integrity of the information. 54

Any personal information collected may be retained only for as long as is necessary to fulfill the puipose for which the information was collected Once that purpose has been fulfilled, the operator must delete the information using reasonable measures to protect against unauthorized access to, or use of, the information.55

Like FERPA and PPRA, there is no private right of action for children whose information has been collected in violation of COPPA. However, when a website operator has violated the Act, a state’s attorney general may bring a civil action to enjoin the illegal practice and enforce compliance as well as obtain damages, restitution or other

50. id. 51. Id. 52. 15U.S.C. § 6502. 53. Id. at § 312.3. 54. Id. at § 312.8. 55. Id. §312.10.

Summer 2015] Using Digital Technology in Public Schools 299

compensation on behalf of residents of the State.16 The statute also allows for “other relief as the court may consider to be appropriate.

4. Children’s Internet Protection Act (CIPA)^& Neighborhood Children’s Internet Protection Act (N C IP A f8

Congress enacted CIPA in response to public library patrons who were using the library’s Internet to access pornographic websites. Under CIPA, a public library, or elementary or secondary school may not receive federal funds under the E-rate program or the Library Services and Technology Act (LSTA) unless it has “a policy of Internet safety for minors that includes the operation of a technology protection measure . . . that protects against access. . . to visual depictions that are obscene or pornographic or harmful to minors. These entities must submit certification that they are complying with the protection measures required by CIPA.61 Failure to do so may result in loss of federal funding.62 . . . . .

One important thing to note about CIPA is that while it protects minors from exposure to pornography, it is not designed to protect against other non-visual communications on the Internet. Thus, Cl leaves minors unprotected from other forms of inappropriate or harmfu interactions on the Internet, including data mining and exposure to cyberbullying. NCIPA tackles this problem in part by requiring schools and public libraries to adopt and implement an Internet safety policy that addresses the accessibility of inappropriate material on the Internet the safety and security of minors while using email and other forms of Internet communication, and the unauthorized disclosure of personally

56. 15 U .S.C § 6504 (2012). 57 Id 58* 20 U S C. § 9134(f) (2012). 47 U.S.C. § 254(h) (2012). 59. United States, v. Am. Library Ass’n. Inc., 539 U.S. 194, 199 (2003) 60 20 U.S.C. § 9134(f)( 1)(A)(i) (2012). See 47 U.S.C. § 254(h)(5)(B)(i) (2012). 61.47 U.S.C. § 254(h)(5)(B) (2012). 62 Id § 254(h)(5)(F) (2012). See 20 U.S.C. § 9134(f)(5) (2012). 63. Frank Kemerer & Peter Sansom, C alifornia School Law 81 (Stanford University

Press, 3d ed. 2013).

300 Journal of Law & Education [Vol. 44, No. 3

identifiable information« NCIPA also addresses hacking and other unlawful activities by minors online.65

®^6°SSible LegisIation: Student Digits' Privacy and Parental Rights

At the time of this writing, U.S. Representatives Jared Polis and Luke Messer are sponsoring a bill known on Capitol Hill as the Student Digital Privacy and Parental Rights Act. Although it has not yet been formally introduced in Congress, a draft of the bill has circulated. Due to the criticism the bill has received, the introduction has been postponed Among the bill’s critics are privacy advocates who feel the bill is not rigorous enough to adequately protect student privacy, as well as technology groups who oppose the bill because they favor self- regulation.68

The current draft of the Student Digital Privacy and Parental Rights Act appears to allow education technology companies to continue to collect and compile student information and then mine that data for commercial gain. Apparently, such companies may sell students’ personal information to colleges, employers, and military recruiters.69 The current draft also appears to allow schools to authorize even wider

isclosure of student data without parental notification or permission.70 However, the current bill does ban the use of targeted advertising, and it requires that ed-tech companies must delete data within 45 days upon a school s request. Making it unique among other federal student privacy

64. 47 U.S.C. § 254(1) (2012). 65. Id.

6. At this time, a bill has not been formally introduced and there is no bill number 67. Simon, supra note 5; Benjamin Herold, Federal Student-Data Privacy Bill Delayed

fa w n - Education Week (March- 23, 2015, 9:33pm), http://blog edweek o g/ edweek/Dig,talEduCat,on/2015/03/federal_student_data_privaCy_bill delayed.html?pdnt^i°r̂

York T i m e T S " W° M U* °fS tu d e n t * * The New lin>i,-u,e^si t a d a « L ^ ^

69. Simon, supra note 5 70. Id.

Summer 2015] Using Digital Technology in Public Schools 301

laws, the current version of the bill appoints the Federal Trade Commission to handle enforcement of the law.71

Of course, there is no guarantee that the Student Digital Privacy an Parental Rights Act will become law, and if it does, there is no guarantee that any of the elements mentioned above will be present in the final version of the bill. It is clear, however, that Congress is alert to the growing concerns of parents and students regarding student privacy being at risk. Regardless of whether the Student Digital Privacy Act^and Parental Rights Act is approved by Congress, the reader should be aware that there will likely be more legislation to follow.

C. Relevant California Law The following list is not comprehensive, but it does highlight the

breadth as well as give substantial insight into current California laws that affect student privacy:

1. California Constitution Article 1, section 1 of the California Constitution explicitly grants

privacy as an inalienable right: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

2. California Civil Code section 1798.2973

Any agency in California that owns or licenses or maintains computerized data that includes personally identifiable information (PII) must disclose any breach of the data to every California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Included under the definition of PH is an individual’s first name (or initial) and last name, m combination with one or more designated data elements relating to.

71. Id. 72. Cal. Const, art. 1, § 1. 73. Cal. Civ. Code § 1798.29 (West 2014).

302 Journal of Law & Education [Vol. 44, No. 3

social security numbers, driver’s license numbers, financial accounts and medical information. As well, a user name or email address in combination with a password or security question and answer that

lAformano™'1 t0 “ 0nline account also qualifies as personal

3. California Business and Professions Code section 2258074

This is the California version of COPPA, which went into effect January 1, 2015. It prohibits the operator of a website, online service online application or mobile application from marketing or advertising certain products to a minor. Such products include alcohol, firearms aerosol containers capable of defacing property, tobacco products and electronic cigarettes, salvia divinorum, fireworks, tanning devices dietary supplements, lottery tickets, tattoos, drug paraphernalia and obscene matter. It prohibits an operator from knowingly using disclosing, compiling, or allowing a third party to use, disclose or compile, the personal information of a minor for the purpose’ of marketing or advertising products. The prohibition is also applicable to an advertising service that has been notified by the website operator that t e site is directed to minors. One thing that distinguishes this piece of egislation from COPPA is that operators of mobile applications are

definitively obligated under this law, whereas COPPA is less clear as to whether operators of mobile applications fall within the confines of the law. This law also authorizes a minor to have content or information removed.

4. California Online Privacy Act (sections 22575-22579)15

Section 22575 Business and Professions Code states that commercial website operators and online services that collect PII about customers must post a conspicuous privacy policy on their website. The policy must identify the types of data being collected and the types of third

74. Cal. Bus. & Prof. Code § 22580 (West 2015) 75. Id. §§ 22575-22579 (West 2014).

Summer 2015] Using Digital Technology in Public Schools 303

parties with whom the information may be shared. Section 22576 states that website operators are in violation of this section if the operator knowingly and willfully or negligently and materially violates the statute. PII includes first and last name, physical address, email address, telephone number, social security number, and any other identifier that permits the physical or online contact of a specific individual.

5. New Legislation: Student Online Personal Information Protection Act (SOPIPA)(Cal. Bus. & Prof. Code sections 22584-22585f 6

Senate Bill 1177 brought this newly enacted piece of legislation into existence, effective on January 1, 2016. It will prohibit an operator of a website, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. Such operators will be prohibited from using covered information to collect student profiles, selling student information, and disclosing covered information. It requires operators to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, and it requires operators to delete student data if requested to do so by a school or district.

6. California Education Code: Section 4906277 gives authority to the State Board of Education to

establish the standards under which school distncts will establish, maintain, and destroy student records.

Section 35182.578 states that a school may not enter into a contract for electronic products or services that requires the dissemination of advertising to students unless the electronic product or service would be an integral educational component and the district cannot afford to provide the product or service without contracting to permit dissemination of advertising. In such a case, the school must provide written notice to parents that the advertising will be used and parents

76. S.B. 1177 (Cal. 2014). http://www.leginfo.ca.gov/pub/13-14/bill/sen/sb_11511200/

sb_l 177_bill_20140929_chaptered.pdf 77. Cal. Educ. Code § 49062 (West 2014). 78. Id. § 35182.5 (West 2014).

304 Journal of Law & Education [Vol. 44, No. 3

must be given the opportunity to request in writing that the student not be exposed to the program containing the advertising.

7. Privacy o f Pupil Records (sections 49073-49079.7)79

Similar to requirements under FERPA, California law says schools must adopt a policy and give annual notice identifying which information will be defined as “directory information” and thus will be subject to release. Parents have the right to prohibit directory information from being released if they notify the school. Additionally n,° inf°iy iatl0Ib including directory information, regarding a student identified as homeless may be released without consent. As well no directory information about any student may be released to a private profit-making entity.80

Parents may give written consent to allow access to student records to anyone of their choosing. Those who have permission to access records must be given notice that the transmission of the information to others without written consent from the parent is prohibited.81

Districts cannot permit access to student records to anyone without parental consent except as established in the regulations under FERPA. This section includes a few exceptions to who may obtain records without parental consent, including school officials and employees, and students sixteen years of age or older or who have completed 10th grade Students who are fourteen years of age or older who are either homeless or unaccompanied (42 USC section 11434a) are also entitled to their own records. Schools may release records when there is an emergency and the information is necessary to protect the health or safety of the student or others. The statute also allows information to be released to organizations that conduct studies for educational agencies for the purpose of developing programs or tests or improving instruction. 6

79. Id. §§ 49073-49079.9 (West 2014). 80. Id. § 49073(a) (West 2014). 81. W. § 49075(a) (West 2002). 82. Id. § 49076(a)(2)(E) (West 2014).

Summer 2015] Using Digital Technology in Public Schools 305

Districts must provide teachers with information when a student has engaged in, or is reasonably suspected to have engaged in, acts that warrant suspension or expulsion under the education code. Information provided to teachers in these instances will come from records that the district maintains in its ordinary course of business.

8. New Legislation: Cal. Educ. Code section 49073.6M

Assembly Bill 1442 went into effect on January 1, 2015, and requires schools to contact parents when considering the implementation of a program to gather or maintain as part of the education record, information about a student obtained from social media. Parents must be informed of the proposed program and provided with an opportunity to offer public comment before any such program may be adopted, lhis section also requires the destruction of such information one year after a student reaches the age of eighteen, or within one year after the student is no longer enrolled in the district.

9. New Legislation: Cal. Educ. Code section 49073. E 5

Assembly Bill 1584 also went into effect on January 1, 2015, and allows schools to enter into contracts with third parties to provide the digital storage, management, and retrieval of student records. Include in such contracts, there must be a statement declaring that student records continue to be the property of and under the control of the district, along with a description of the actions the third party will take to ensure the security and confidentiality of student records and a description of how the district will ensure compliance with FERPA. Contracts failing to comply with these requirements are void. The law does not apply to any contracts existing prior to January 1, 2015, unless or until they expire, are amended or are renewed.

83. Id. § 49079(a) (West 2001). 84. Id. § 49073.6 (West 2015). 85. Id. §49073.1 (West 2015).

306 Journal of Law & Education [Vol. 44, No. 3

II. WHO IS COLLECTING DATA, HOW IS IT BEING COLLECTED, AND WHY DOES IT MATTER?

As districts begin to incorporate technology into their schools, especially where one-to-one programs are in place, understanding the actions that expose students to risk is imperative. There are three main groups that are interested in data collection. These include advertisers criminals, and the government.86 Each group wants different information for vaiying reasons, but they are all using technology to access the information they are seeking, and are jeopardizing students’ privacy in the process. Of course, as individual consumers, we are all at risk of privacy invasion when using the Internet, but students in particular are a vulnerable group because of their exposure to online dealings both at home and at school as well as their maturity level and

v 87Ĉ ° f lnhlbltlon with regard to sharing personal information online. The following sections will discuss how each of the three main ata collectors (advertisers, criminals and government) uses technology

to mliltrate technology users’ lives and gather private data.

A. Advertisers

Advertisers want to reach large audiences efficiently and effectively, they do this using a process called “targeted advertising” which allows marketers to place advertisements in front of groups of consumers based on various traits such as demographics and other behavioral variables 1 his kind of behavioral targeting uses information gathered about individual consumers’ habits so as to gain insights about the types of products and services that an individual is likely to purchase. Then marketers can strategically place advertisements in front of an individual that are specifically tailored to that individual. One of the most efficient ways to collect data about individual consumers is by

hitn //6’ Fact Sheet 2bu Pnvacy m ,he ASe ° f the Smartphone, Privacy Rights Clearinghouse hti^y/www.pnvacynghts.c^smartphone-celP/^Ophone-privacj^martphonedata (last updated Feb.’

MlSS8 L.JMia035G(20Wl 0 ^ ’ ReaS° nable ExPectati°™ o f Privacy fo r Youth in a Digital Age, 80

Summer 2015] Using Digital Technology in Public Schools 307

tracking their activity online. Thus, a quick overview of how data miners are able to track activity is necessary to better understand how advertisers work and why.

1. IP Addresses In the past, every digital device was designed to have its own Internet

Protocol (IP) address, which could be used to identify the web activities of each device. When signing up with an Internet service provider (ISP), a record connecting a computer’s IP address to an individual or an entity was created. By simply browsing the Internet, a record was created for every website the device visited.88

More devices are entering society and the average Amencan now owns four devices.89 This means there are more connected devices than there are unique public IP addresses.90 To resolve the problem, a public IP address is assigned to a router, which then shares the address among all other computers and devices that access Internet via that particular router.91 This process is sometimes referred to as “IP tethering” because it ties all devices using the same router together. Local IP addresses are then issued to devices that use the router to make them distinguishable from each other. Generally, a device needs to access the Internet more than once for the device to be tied to the public IP address.

Regardless of whether the individual device or the router is given the public IP address, information can be tracked back to the individual or entity that is registered as owning that IP address. In the case of a

88. Fact Sheet 18: Online Privacy: Using the Internet Safely, PRIVACY RIGHTS Clearinghouse, https://www.privacyrights.org/online-privacy-usmg-intemet-safely, (last

updated Oct. 2014). . . , . tl 89 The U.S. Digital Consumer Report, Nielsen, http://www.melsen.com/content/

corporate/us/en/insights/reports/2014/the-us-digital-consumer-report.html (last updated Feb.

’ *90 Chris Hoffman, How and Why All Devices in Your Home Share One IP Address, HOW-TO Geek, http://www.howtogeek.com/148664/how-and-why-all-devices-m-your-home-

share-one-ip-address/ (last updated Apr. 15, 2013).

92. Gavin Dunaway, ID Is Key: Unlocking Mobile Tracking & Cross-Device Measurement, Part 2, ADMONSTERS, https://www.admonsters.com/blog/id-key-unlockmg- mobile-tracking-cross-device-measurement-part-2 (last updated Aug. 3, 2013).

308 Journal of Law & Education [Vol. 44, No. 3

tstrict owned device, the IP address would be registered to the district, and thus the connection between IP address and owner would not immediately implicate a student who has been assigned to that device However, as is brought to light in the subsequent sections, due to advances in technology, this is a specious conviction.

2. Search Engines

Data collection does not end with IP addresses, however. Search engines, such as Google, Yahoo and Bing, are programs that are designed to search documents on the Internet for specific keywords and then generate a list of documents where the keywords were found.93 Search engines have the ability to not just track an IP address, but also the terms that were used in the search, the time that the search occurred as well as other data.94 This is where data collection can begin to implicate individual students, regardless of to whom the device is registered. If search terms reveal personal information, for example a name and a social security number, then the search engine will have a record of that information connecting it to the user of the device. When an individual uses the same entity for a search engine and email accounts, for example, Google and Gmail, the search engine can then tie the email login to the searches as well.95 As this occurs, data collection becomes no longer tied to the registered owner of the device, but rather is tied to the individual user.

3. Cookies

“Cookies” are another tracking tool that websites deposit on a device’s hard drive to record and save information. The cookie enables the web browser to retain information such as login, user preferences,

93. Vangie Beal, search engine, Webopedia, http://www.webopedia.eom/TERM/S/ search_engme.html (last visited Sept. 30, 2014).

94. Fact Sheet 18, supra note 88. 95. Id.

r pr e9' lS <he dif f erence between a web browser and a search engine?, The ComputerSiTawi ^̂//̂ r/W COmputer-geek net/what-is-the-difference-be-va-47.html (last visited Oct. 1 - 14) (A web browser is different from a search engine in that the browser is the tool used to

Summer 2015] Using Digital Technology in Public Schools 309

shopping cart information and other personalized information that bolster the ease and speed of digital interactions. Although this can be convenient for the user, some cookies also track and collect information about the user, which is then communicated to advertisers and online marketers ^

Websites such as www.Ghostery.com allow users to identify and block companies that are tracking through the use of cookies. Moreover, smartphones, which are being increasingly used to access webpages, do not use cookies. This combination has caused cookies to lose appeal to data miners who are trying to stay ahead of consumers. Instead, data miners are now turning to what is known as fingerprinting technology.

4. Fingerprinting Similar to cookies, but far more surreptitious, are “fingerprints”

which summarize the software and hardware settings (like clock settings, fonts, installed software, etc.) that are unique to each computer Each time the device connects to the Internet, these details are collected and pieced together to form a “fingerprint.” The more changes to a device’s software and settings, the more identifiable the device becomes." The fingerprint can be assigned an identifying number that is used to track the device in the same way cookies are used. Fingerprints, unlike cookies—which can be detected and removed from a hard drive— are impossible to detect and much tougher to block. This makes them a preferable tracking method for data miners and thus fingerprinting is being used more and more frequently than antiquated cookies. To identify the details a computer or other device is transmitting, visit www.panopticlick.eff.org.

access the Internet. The search engine is the tool used to search within the Internet once it has been accessed by the browser).

97. Fact Sheet 18, supra note 88. T, . 98. Adam Tanner, The Web Cookie Is Dying. H ere’s The Creepier Technology That

Comes Next, Forbes, http://www.forbes.com/sites/adamtanner/2013/06/17/the-web-cookie-is- dying-heres-the-creepier-technology-that-comes-next/ (last updated Jun. 17, 2013).

99. Id.

310 Journal of Law & Education [Vol. 44, No. 3

5. Householding

Technology100 has now advanced to the point where the combination of IP tethering and fingerprinting can be used to track across multiple devices, so that they are all associated with one user or one household, and layer all the information collected into one profile.101 This process] called “householding,” is also sometimes referred to as “multi-screen” or cross-device identification. In the past, unique identifiers were linked to individual computers, but now identifiers are more closely tied to the individual using the device.102

More than any other tracking method, householding has major implications for school districts with one-to-one technology programs regardless of whether the program offers district-owned devices or through a Bring-Your-Own-Device (BYOD) program. Householding allows data collection to occur across devices regardless of whether or not they are owned by a district or owned privately by a student, and thus any activity that a student engages in at home on a personal device can be linked to activity conducted by that student at school. Householding is able to identify every device the student uses, regardless of who owns the device, where it is used, and for what purpose. Therefore the line between data collected from the student on the student’s own device on his or her own time, and data collected from the student while using a district device at school is virtually eliminated. Data miners will not distinguish between data collected at school from data collected at home. Nor will they distinguish between data collected on a district device form data collected on a personal device. All devices are capable of being linked to one individual and all data collected across devices can be compounded and cross-referenced to create a broader image of who an individual user is.

] 00. See Cross-Screen Starrs Here, BLUECAVA, Bluecava.com/about (last visited O ct 1 2014) See also Specific Media Launches Householding, S pecific Media, http://specificmedia.com/specific-media- launches-householding-2/(last updated S ept 24,2012).

101. Dunaway, supra note 92. 102. Id.

Summer 2015] Using Digital Technology in Public Schools 311

6. Smartphones and Tablets

Smartphones, like computers, have their own IP address, and thus can be tracked in the same manner that a computer can be tracked. Service providers for smartphones are also able to collect information about incoming and outgoing calls (including phone numbers and duration), how frequently users check email or access the Internet from the phone, and the user’s location. 103 Most individuals who use smartphones (and tablets) use mobile applications (apps) rather than an Internet browser, to access the Internet and its features. Apps can provide a wide variety of functions ranging from mapping services, to games, to flashlights— all of which make them attractive to users. The apps often have a dual function however. Naturally, they deliver the content or service they are designed to provide, but they are also advertising gold mines. Particularly when an app is free to download, developers make money either by selling space within the app to advertisers who can market to a captive audience, or by collecting data from the unsuspecting user and then selling it to marketing agencies. Generally, the type of data collected includes phone and email contacts, call logs, Internet data, calendar data, data about the device s location, the device’s unique IDs and information about how the user engages with the app itself. 105 Some apps have a user agreement alerting users to their data collection policies, but the privacy policy (if it exists at all) does not always identify what data are being collected, how long the data are being stored, where the data are being stored, and who may ultimately end up receiving the data. 106 Thus, these policies are often unleashed on users who are unaware their data are being harvested. For example, Angry Birds, one of the first games made for smart phones,

103. Fact Sheet 2B, supra note 86. 104. Understanding Mobile Apps, On Guard Online, http://www.onguardonhne.gov/

articles/0018-understanding-mobile-apps (last visited Oct. 1, 2014). 105. Id. . 106. FPF Finds Nearly Three-Quarters o f Most Downloaded Mobile Apps Lack a Privacy

Policy Future of Privacy Forum, http://www.futureofprivacy.org/2011/05/12/fpf-finds- nearly-three-quarters-of-most-downloaded-mobile-apps-lack-a-privacy-policy (last updated May 12, 2011) (The Future Privacy Forum found that nearly 75% of downloadable apps lack a privacy policy).

312 Journal of Law & Education [Vol. 44, No. 3

collects personal information such as location data from users that is unnecessary to run the game.107 In fact, in a 2013 Carnegie Mellon study, over half of the top 100 Android applications accessed the device ID, contacts lists or location data. The study found that this was often contrary to user expectation.108 In a similar investigation, the Wall Street Journal found that almost half of 101 smartphone apps were tracking the phone’s location.109 Fifty-six shared the phone’s unique ID number forty-seven transmitted the phone’s location, and five shared the user’s &§>£■> gender and other personal details such as contacts list.110

Victims of this kind of privacy invasion extend beyond just the users of mobile apps. Any of the users’ contacts are also at risk of having information collected. Of course, contact information such as phone number and email address will be collected if the users’ address book is accessed, but any information offered in an email or text message may be intercepted and collected as well. Districts with one-to-one technology programs need to be careful when students download and use apps for classroom or homework assignments. FERPA does not appear to cover any information collected by a third-party app operator, and COPPA only protects students up to age thirteen, so student information accessed in this manner can be easily collected without federal violation.

Thus, the question arises, whose responsibility is it to protect students from exposure to data collection in this situation? Do parents or students have the right to opt out of an assignment that requires the use of a mobile app? How can students who wish to maintain anonymity protect themselves? What rights do they have? The answers to these questions remain unresolved. However, as more legislation is

... !,07- Crh e 'jyl Conner’ Your Privacy has Gone to the [Angry] Birds, FORBES, nttp.//www.forbes.com/sites/cherylsnappconner/2012/12/05/your-privacy-has-gone-to-the- angry-birds/ (last updated Dec. 05, 2012).

108. Press Release: Did Your Smartphone Flashlight Rat You Out? Crowdsourcing Privacy Concerns o f Mobile Apps, CARNEGIE MELLON UNIVERSITY, http://www.cmu.edu/ ncws/stones/arch|ves/2 ° I S/january/jan 15_appprivacyconcems.html (last updated Jan. 15,

109. Fact Sheet 18, supra note 88. 110. What They Know-Mobile, Wall Street Journal, (Oct. 1, 2014, 7:56 AM) httjr//blo«s

wsj.com/wtk-mobile/. 6 '

Summer 2015] Using Digital Technology in Public Schools 313

introduced and as case law on the subject develops, answers will surely begin to emerge.

7. The Cloud As technology advances, the trend is to move information storage

and hosting from tangible dedicated servers to cloud computing. The term “cloud” is simply another name for the Internet, although this term is constantly evolving.111 In general, cloud-computing platforms allow users to access software applications through web browsers that enable them to store files and email on the Internet.112 Cloud computing is attractive to school districts because it requires less maintenance, and is cheaper and more efficient. Cloud storage allows users to access files from any device that has Internet access, thus the cloud can be used to increase student access to learning activities and enhance the ability of students to collaborate with each other or receive feedback from teachers. However, the cloud has also opened the door to advertisers looking to access personal information.113

One of the problems with cloud computing is that most cloud providers who don’t charge for their services are funding their services through advertising to their clients or through data mining. For example, Google, Yahoo, and Hotmail are all email providers that use the cloud, but they are able to provide free services because of the money they make by selling user information to data collectors and by selling targeted advertisements created from the collected data. The major problem with this is that even though most companies promise to remove identifying information from data when they mine it, once the data has been transferred to a marketer, data aggregators can recombine information to re-identify an individual.116 Most people are aware that marketers have the ability to track online interactions. However, the

H I . Andrea Cascia, D on’t Lose Your Head in the Cloud: Cloud Computing and Directed Marketing Raise Student Privacy Issues in K-12 Schools, 261 Ed. L. Rep. 883, 883 (2011).

112. Id. (Technically, files and emails are stored in offsite servers). 113. Id. at 885. 114. Id. 115. Id. at 885. 116. Id.

314 Journal of Law & Education [Vol. 44, No. 3

aggregation of data compiled from pieces collected in various places creates a substantial issue: it can turn non-personally identifiable information (non-PII) into personally identifiable information (PII) virtually eliminating the distinction. There is a wide misperception that if specific identifiable information, such as name, address, or social security number, is not voluntarily given, an individual can operate online anonymously. 7

Unfortunately, the problem is not unique to cloud computing and exists any time data collection is occurring. For example, the combination of three seemingly innocuous, and relatively available, pieces of information— gender, zip code, and date of birth are sufficient to accurately identify 87% of individuals in the United

tates. When this concept is applied to data mining through the collection of a student’s web search terms and other text from messages and online documents, the aggregation of data can combine to form a well-developed profile of the individual.119 By the time the information is sold to an advertiser there is no sense of anonymity.

8. The Problems With PII

The ability to aggregate data to compile a portrait of an identifiable individual is particularly problematic for schools because of the various restrictions on PII in federal legislation. As seen in the first section many laws, including FERPA, PPRA, and COPPA center on the “ p J m TWhat constitutes Personally identifiable information. Under rEKFA, PII cannot be shared without parental consent; under PPRA proper notification must be given before PII may be collected for commercial purposes; COPPA prevents the collection of PII without consent, from children under the age of thirteen. Therefore, whenever a student’s personal information is at issue, some law is likely to apply, dentifying which laws apply can be difficult, especially when the

117. Paul M. Schwartz and Daniel J. Solove, The PII Problem: Privacy and a New Concept o f Personally Identifiably Information, 86 N.Y.U. L. Rev. 1814 1836 (2011)

118. Id at 1842 (citing Latanya Sweeney, Simple Demographics Often Identify People

No! 3“ 2000)) meS' e UniV" SCh' ° f ComPuter Sci" Data Privacy Lab., Working Paper 119. Cascia, supra note 111 at 885.

Summer 2015] Using Digital Technology in Public Schools 315

collected information might not become PII until after the transaction at issue has occurred. Some of the laws have broadened their definitions of PII to include data that are not traditionally linkable to a student, such as geolocation. However, each law has its own definition of PII, making it harder to keep track of when a transaction might trigger federal or state

A startling example of how aggregation can convert non-PII into PII was exposed by two computer scientists who demonstrated that some people could be identified simply based on how they rated movies on a publicly available website. 120 In their research, the scientists found a way to link de-identified data from Netflix’s ratings database with the movie ratings that individuals had given films on the Internet Movie Database (IMDb). “Given a user’s public IMDb ratings, which the user posted voluntarily to selectively reveal some of his . . . movie likes and dislikes, [the scientists were able to identify] all the ratings that he entered privately in the Netflix system, presumably expecting that they [would] remain private.” 121 This example illustrates that

“the more information about a person that is known, the more likely it becomes that this information can be used to identify that person or to determine further data about her. When aggregated, information has a way of producing more information, such that de-identification of data becomes more difficult. Thus, it becomes possible to look for overlap in the data and then to link up different bodies of data.” 122

This example also helps to illustrate a number of problems that become apparent with the current protections available to students. Although the definitions of PII used in FERPA, PPRA and COPPA now cover a lot of personal information that in the past would not have been considered PII, they cannot protect student identities if student information exists elsewhere. The collection of a seemingly harmless

120. Schwartz & Solove, supra note 117 at 1843. , 121 Id (quoting Arvind Narayanan & Vitaly Shmatikov, Robust De-Anonymization of

Large Sparse Datasets, 2008 IEEE Symp. ON Sec. AND PRIVACY 111 (Feb. 5, 2008), http://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf).

122. Id. at 1843.

316 Journal of Law & Education [Vol. 44, No. 3

piece of information, such as a movie review, can be enough to identify an individual if there is relevant information available elsewhere Although FERPA specifically declares that its list of items that can be defined as PII is not exhaustive, and COPPA’s list is even more extensive than FERPA’s (it includes identifiers such as photographs, video and audio files containing a child’s image or voice, and geolocation information), as seen above, even these protections may not be enough to protect student privacy.

9. What is a District’s Responsibility to Protect Student Privacy?

As made apparent in the discussion above, it is safe to assume that in today’s technological climate, almost every digital interaction is at risk o being m onitored." Information is collected from online interactions done on every type of device—from computers to tablets to smart­ phones and everything in between. When a district requires students to use digital technology in the course of their academic work, whether the device is personally owned by the student, as in a BYOD program, or the district issues the device, what kind of responsibility does the district bear for protecting the student’s digital interactions? If the district is responsible for protecting student privacy, Does that responsibility vary depending on whether the digital interaction is completed in furtherance of course work or simply done for the student’s recreation?

Schools must comply with CIPA and NCIPA, which are designed to protect students from exposure to inappropriate visual content through web filtering and from other harmful interactions such as unauthorized data collection through an Internet safety policy. This is valuable law, but it merely protects students from precisely those interactions. It does nothing to protect student privacy. Schools also must comply with

ERPA, which protects student records from being released to unauthorized parties. However, this is also inadequate to protect student privacy in all of the ways in which invasion occurs. One of the most pervasive problems associated with student privacy is the collection of data based on an individual’s digital interactions. Information is collected with every interaction, but even where precautions are taken to

123. Supra note 86.

Summer 2015] Using Digital Technology in Public Schools 317

eliminate personally identifying information, data may become identifiable and all the more so revealing when the data are pieced together with other personal information that has been collected and stored.

a. Problems Arising Under FERPA Under FERPA, schools are required to protect any information that is

held in the student record, but when third parties are collecting data, FERPA not only falls short of protecting student privacy, but it also creates some rather onerous responsibilities for school districts.

FERPA potentially fails to protect student privacy because even though it prohibits school districts from sharing information held in the “education record (or personally identifiable information contained therein . . ),”124 the education record is merely defined as those documents, records and files that are maintained by an educational agency Critics have argued that FERPA may not cover situations where students are using digital devices to directly interact with websites or apps that collect information because the website or app operator may be collecting information from the student that was never a part of the educational record.125 Of course, some students may be protected from this type of data collection under PPRA and COPPA, but even these protections are limited at best. PPRA appears to only focus on data collected from students through direct questioning such as through surveys, analysis or evaluation, and does not seem to address many o the ways in which data are collected via engagement with the Internet and mobile apps. COPPA, on the other hand, deals directly with data collected from student interactions on the Internet, but its protections only extend to students up to age thirteen, essentially leaving out almost half of K-12 students. Furthermore, many of the website and app providers who market to schools have found ways to work around these restrictions as discussed in the “Problems Arising Under COPPA Section below.

124. 20 U.S.C. § 1232g(b)(l) (2013). 125. Schwartz & Solove, supra note 117 at 1822-23.

318 Journal of Law & Education [Vol. 44, No. 3

Another weak point in FERPA’s language comes from the “directory information exception, which allows information such as students’ names, addresses, and telephone numbers to be released unless parents are given the opportunity of opting out at the beginning of the school year. Given the routine use of this type of information in class lists, athletic rosters, and the like, many parents choose not to opt out.' Because directory information may be shared without violating FERPA, this creates an opportunity for advertisers to use directed marketing to students. ‘ Additionally, as described in earlier sections, access to seemingly harmless pieces of information can be combined with other ata collected elsewhere to create a much more encompassing picture of

an individual. Thus, marketers who are in the business of aggregating data may look to schools’ directories for easy access to information that can be combined with other data at a later point.

In addition to FERPA’s weaknesses when it comes to protecting student privacy, the responsibilities that are placed on school districts can be quite burdensome because federal regulations further defining FERPA, as well as California law,128 carve out a “school official” exception that allows student data to be shared with vendors who contract with a school to perform a function that would otherwise be performed by a school employee.129 This exception attempts to maintain protections for student privacy because, under the regulation, the vendor must have a legitimate educational interest in the information and the vendor is prohibited from re-disclosing the information without consent trom the school and written permission from the parent.130 However, the schooi must be in direct control of the vendor’s use and maintenance of the data. This is also true under newly enacted California Education Code section 49073.1. - This means that the district must be able to provide access to such data to any parent who requests it.133 Districts

126. 20 U.S.C. § 1232g(a)(5) (2013). 127. Cascia, supra note 111 at 898. 128. Cal. Educ. Code § 49076(2)(G)(i) (2014). 129. 34C.F.R. § 99.31 (a)( 1 )(i)(B) (2012). 130. 20 U.S.C. § 1232g(b)(4)(B) (2013). 131. 34 C.F.R. § 99.31(a)(1) (2012). 132. Cal. Educ. Code §49073.1 (West 2015). 133. 20 U.S.C. § 1232g(a)(l)(A) (2013).

Summer 2015] Using Digital Technology in Public Schools 319

should keep this in mind when contracting with vendors. Their agreements must include provisions that allow for either direct or indirect parental access. It also means that for every vendor that collects and maintains student data on behalf of a school or district (for example, a biometric identification system), the district must keep a ̂record of who has accessed the data and what information was shared. 1 This task can become arduous, especially for districts that have hired third party vendors to help reduce some of the time commitment, manpower and resources necessary to perform the original function.

Furthermore, districts need to be cautious when entering into what are commonly known as “click-wrap” agreements, which offer licenses for software and are extremely easy to accept. Such software licenses are frequently available through simple Internet downloads. While the software terms may vary widely, a user confirms acceptance of the terms by clicking an “accept” button in a pop-up window or dialog box. Typically, these agreements are not negotiable and may not be compliant with FERPA and other California law. These are enforceable agreements, and if the terms allow third-party access to FERPA- protected information but do not allow a district to maintain direct control” over the use and maintenance of that information, this could create problems for the district. 135 Thus, districts are wise to discuss ahead of time which employees have the authority to enter into such agreements so as to avoid the potential situation where an unsuspecting employee unwittingly obligates the district to a software license agreement that is not FERPA compliant.

Additionally, not all companies are forthcoming with how they use consumer information, or even intentionally misrepresent how they use it. A U.S. Government Accountability Office report pointed out that “some [W]eb filtering systems used in schools that block student access to certain [websites] also allow the company that maintains that software to measure and analyze how children use the Internet by

134. 20 U.S.C. § 1232g(b)(2)(A) (2013). 135. Student Data Privacy Guidance Issued, T hrun Law Firm, P.C. (Oct. 1, 2014)

http://www.thrunlaw.com/content/student-data-privacy-guidance-issued.

320 Journal of Law & Education [Vol. 44, No. 3

tracking which websites they visit and how long they stay there. ” 136 Understandably, this can create problems for a district that thinks it is purchasing a system to protect its students from harmful or inappropriate web content, only to be unintentionally handing over student data directly to the company that is supposed to be protecting them. As mentioned above, under FERPA, a district must maintain control over any student data that are shared with third parties If the district is not even aware the information is being shared, how can it ensure control over that data? To complicate matters further, if a vendor oes share student data without the requisite permission, the district will

not only be prohibited from allowing that vendor to access student data or at least five years, if not more, 137 but the district can also potentially ose funding. Therefore, not only must a school or district carefully

monitor third party vendors who are collecting student data, but also, if a violation does occur, that school or district will be unable to benefit trom the services for which the vendor was hired.

b. Problems Arising Under COP PA

Although COPPA does not obligate schools directly, it does pose some of its own issues for school districts that are using applications - d PrAograms that alIow third parties to collect student data. Under COPPA, upon obtaining parental permission to collect student data, website operators must provide a privacy policy explaining their collection practices. Oftentimes, these privacy policies include an option to unilaterally amend the policies, leaving to parents the task of regularly monitoring the policies to ensure their children are not

exPosed to unacceptable privacy exposures. While COPPA does grant parents the right to refuse permission to store or use a child s personal information at any time after permission has been

D i s ^ L Cr ° mme7 iar Af VitieSJ n Schools: Use ° / Student Data is Limited and Additional Dissemination o f Guidance Could Help Districts Develop Policies, United States S T 5 W * 2004). h V w . w . g a o ^ J S

137. 20 U.S.C. § 1232g(b)(4)(B) (2013). 138. 20 U.S.C. § 1232g(b)(2) (2013). 139. 15 U.S.C. § 6502(b) (2014).

Summer 2015] Using Digital Technology in Public Schools 321

granted, continued data collection is the default, furthering the parental burden of monitoring which websites are collecting what information. Although this is not necessarily a burden for school districts, it is something of which they should be aware because of the ways in which website operators and mobile app providers have managed to shift responsibility from themselves to schools.

A perfect example of this comes from one of the more popular providers, Google. A cheaper option than the popular iPad, Google Chromebooks are being used in schools across the country, and now Google is offering schools an educational suite package called “Google Apps for Education” which includes services for email, calendar, and chat, among many others. Google is advertising their product so as to be particularly attractive to schools, including the fact that K-12 Google Apps for Education users will not see ads when they use Google Search if they are signed in with the Apps for Education account.

Google Apps for Education is governed by COPPA because it is an online service that is directed to children. Google’s terms of service policy for their education edition recognizes the need to comply with COPPA; however, it places the onus on the school district to obtain parental’ consent.142 While the user agreement does not address data collection, the privacy policy is the document that explains what information is collected and how it is used. The privacy policy is a standard policy that applies to all users, so there is little to no room for negotiation of the terms. Therefore, under the user agreement, Google can (and does) collect student data,143 but districts must do their part to

140 Frederic Lardinois, With 1M Sold In The Last Quarter, Google’s Chromebooks Are A Hit With Schools, Tech Crunch (July 19, 2014), http://techcrunch.com/2014/07/19/with-lm- sold-in-the-last-quarter-googles-chromebooks-are-a-hit-with-schools/

141. Google Apps fo r Education-Common Questions, GOOGLE (S e p t. 4 , ZU14J, https://support.google.eom/a/answer/l 39019?hl=en.

1 42. Google Apps for Education (Online) Agreement, GOOGLE APPS (S e p t. 4 , 2 0 1 4 ) , http://www.google.com/apps/intl/en/terms/education_terms.html.

143. This practice landed Google in the middle of a lawsuit last year. In re Google nc. 2013 WL 5423918 (N D Cal. 2013); Benjamin Herold, Google Under Fire fo r Data-Mining Student Email Messages, Education Week (Mar. 26, 2014), http://www.edweekAtrg/ew/ articles/2014/03/13/26google.h.33.html?cmp=ENL-EU-NEWS2; Additionally, HISD declined to incorporate Google Apps for Education due to the controversy surrounding how Google handles student information.

322 Journal of Law & Education [Vol. 44, No. 3

ensure compliance with the law by obtaining the requisite parental consent. This places parents in a difficult position of having to choose between consenting to Google’s privacy policies or refusing to allow their child to participate in the educational activities associated with the Google Education App. I f the district does not obtain consent from a parent, then the district is left with the problem of providing alternative instruction for that student, or declining the Google package. This may also raise legal concerns regarding equal educational access for all students.

Because Google’s privacy policy is the same for all users, districts ave little say in ensuring student privacy even where parents agree to

the terms. This is particularly true because Google reserves the right to unilaterally amend its privacy policy, which essentially renders the policy meaningless. Google does not directly notify individuals of policy changes, but rather posts updates to the Google Privacy Policy page. This can create an onerous task for districts and parents who must continuously monitor privacy policies to ensure private information is not being collected and shared. 145 The burden is on schools to investigate the services that providers offer. Schools should think about whether they are trading the electronic privacy of staff and students in order to access technology, though at this point in time there does not

< « « • 3>. 2 0 .4 , h „p://„w w .goo8, e . W

These C'° nS,eqUences were somewhat mitigated in January 2015 when Google joined several other technology companies in signing the Student Privacy Pledge. The pledge was introduced by the Future o f Privacy Forum and The Software & Information Industry Association and designed to safeguard student privacy regarding the collection, maintenance, and use o f student personal information,” although critics still feel more is required to ensure

u ent privacy. As part o f the pledge, the companies promise to “not make material changes to school service provider consumer privacy policies without first providing prominent notice to he account holder(s) (i.e., the educational institution/agency, or the parent/student when the

h em T h ^ c IShCf H dlreCtly, fr0m the student with student/parent consent) and allowing em choices before data is used in any manner inconsistent with terms they were initially

provided; and not make material changes to other policies or practices governing the use o f student personal information that are inconsistent with contractual requirements ” studentpnvacypledge.org/?page_id=45 (last visited Mar. 5, 2015).

Summer 2015] Using Digital Technology in Public Schools 323

appear to be a legal responsibility to do so as long as FERPA and PPRA requirements are being met.146

Another problem with the Google model is that it combines data collected from students using the Education Apps with information gathered from other Google services.147 “This means that Google may elect to use data aggregation to combine student information from the Education Apps with other information gathered from personal use of Google applications. Google states that they require opting in for sharing of ‘sensitive information,’” which refers to only a small grouping of highly personal information including “confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.”148 Thus, there is a large range of information that can be collected outside of this narrow definition, and consequently shared with user consent. Of course, as already explained, user consent is somewhat illusory because of the ephemerality of the privacy agreement. . . . , ,

Of course, under Senate Bill 1177, regardless of the terms established between a district and a service provider, service providers are prohibited from knowingly engaging in targeted advertising to students when the advertising is based upon information that the provider has collected from a student’s use of his or her website or mobile app. Furthermore, service providers are prohibited from using information to amass a profile of a K-12 student, except in furtherance of school

146. Google Apps for Education also creates a burden for school districts to comply with FERPA requirements. The Apps for Education user agreement explicitly asserts that Google is considered a “school official” for purposes of applying the school official exception created under FERPA. As mentioned earlier, the school official exception allows a district to give student information to a third-party vendor provided the district remains in direct control of the student information. This may have the potential to create a substantial burden for a district that is tasked with maintaining direct control over data collected by Google. Although the user agreement states that Google will comply with FERPA, districts must be careful to ensure that compliance in fact is occurring. This is because unlike COPPA, the district is the only party liable for a FERPA violation.

147. Supra note 144. 148. Key Terms, Google Privacy & Terms (Sept. 4, 2014), http://www.google.com/mtl/

en/policies/privacy/key-terms/#toc-terms-sensitive-info. / u n s i 149. SB 1177, Steinberg (2014) http://www.leginfo.ca.gov/pub/13-14/bill/sen/SD_lloi-

1200/sb_l 177_bill_20140929_chaptered.pdf. Cal. Bus. & Prof. Code § 22584(b)(1) (West 2016).

324 Journal of Law & Education [Vol. 44, No. 3

purposes.150 Service providers are also prohibited from selling or disclosing any personally identifiable information. Beginning January 1, 2016, this offers some protection to California students because Google cannot shift its responsibilities under the new law to school districts.

10. Considerations fo r Districts When Contracting with Service Providers

Data mining is a highly lucrative business, and so many service providers that engage in data collection can afford to offer their services ree of charge to their clients in exchange for information. Most districts

are on tight budgets and the financial burden of having to pay for technology software and other applications can be daunting, making tree services very appealing. Section 35182.5 of the California Education Code prohibits schools from entering into a contract for electronic products or services if the contract requires the dissemination of advertising to students unless the product or service would be integral to education and the product is not affordable without contracting to permit the dissemination of advertising.151

Even when districts can afford to contract for products that do not advertise, there are other factors to consider when selecting service providers. Newly-added California Education Code section 49073 1 allows schools to contract with third parties to provide digital storage management, and data retrieval of student records as long as the contract affirms that student records will remain the property of, and under the control of, the district. Such contracts also must describe the manner in which the third party will secure the confidentiality of student records, as well as the manner in which the district will maintain compliance with FERPA.152

Other aspects of a contract a district might keep in mind when contracting with service providers:153

150. Cal. Bus. & Prof. Code § 22584(b)(2) (West 2016). 151. Cal. E duc. Code § 35182.5(c)(3) (West 2014).

1600/;fh' (? ° I4) httP://www-leSinto.ca.gov/pub/13-14/bill/asm/ab_l551 - 600^ V ? 47 b L 2° 40929- Chaptered-pdf' CAL- EduC' Code § 49073.1 (West 2015)

S ervice' n f r on Protecting Student Privacy While Using Online Educational ervices, U.S. Department of Education, http://www.ed.gov/news/press-releases/euidance-

Summer 2015] Using Digital Technology in Public Schools 325

• Marketing and Advertising: Terms of service agreements should be clear that data may not be used to create user profiles for the purpose of targeting students or their parents for advertising and marketing, which could violate privacy laws.

• Data Collection: Agreements should include a provision that limits data to only what is necessary to fulfill the terms.

• Data Use: Schools and districts should restrict data use to only the purposes outlined in the agreement.

• Data Sharing: While providers can use subcontractors, schools and districts should be made aware of these arrangements, and subcontractors should be bound by the limitations in the terms of service.

• Access: Federal student records laws require schools and districts to make education records accessible to parents. A good contract will acknowledge the need to share student security controls. Failure to provide adequate security could lead to a violation of FERPA.

B. Criminals Criminals access personal information in order to commit identity

fraud, or harass or stalk victims. Technologically savvy criminals are able to use information called geotags to track movements or identify where victims live. Geotagging is the process of adding geographical information to photographs, video, websites and text messages. Many digital devices, including smartphones and tablets, have the capability to add geotags to content. Often these metadata are embedded unbeknownst to the user. 154 In fact, iPhones and iPads come equipped with the geotagging feature, and the default setting is “on.” Therefore, if someone does not wish to have their photos embedded with geolocation

issued-protecting-student-privacy-while-using-online-educational-services (last visited Apr. 10,

“015j ’54. H o w to Avoid the Potential Risks o f Geotagging, WlKlHow (Oct. 1, 2014), http://www.wikihow.com/Avoid-the-Potential-Risks-of-Geotagging.

326 Journal of Law & Education [Vol. 44, No. 3

data, they must physically disable that feature on their device, which is not always an intuitive process.155 With a simple downloadable piece of technology, the geotag can be viewed by anyone who has access to the image. When an image with a geotag is posted to the Internet along with text giving context clues, just like data miners using aggregation, criminals can easily construct broader spectrum information about their victims. For example, a student might post a picture of a college acceptance letter, with the caption, “Look what came in the mail today!” or a picture of a new car in the driveway with a caption reading, “Best Sweet 16 Present Ever!” In the first example, anyone with access to the geotag technology will know where the student lives, that the student is a senior in high school and therefore between the ages of seventeen and eighteen, what college that student may be attending in the fall, and any other contextual clues in the image. In the second example, information about the person’s age, the car they drive and where they live is readily discemable. Furthermore, geotags have the capability of establishing patterns of a particular individual. If that individual posts photos on a regular basis, it is easy to determine common locations (e.g., home, school) and the time of day when the individual is expected to be there.

Facebook apparently does take precautions to limit geotag infor­ mation from photographs that are posted on its site.157 However, Facebook is not the only social networking website that allows photos to be posted. Privacy policies on such sites are in a constant state of flux,

155. To disable geotagging on the iPhone, a user must go to the “privacy” tab under the settings menu. Then, under “location services,” disable the camera setting. For more detailed instructions, see, Dave Taylor, Disable Geotagging On Iphone/lpad Photos? ASK Dave

photosT 6C' 28’ 2013)’ http://www-askdavetay lorcom /disable-geotagging-on-iphone-ipad-

156. Supra note 154. 151. In a 2011 Security Blog article on WindowsITPro, Jeff James claims that when he

contacted Facebook about the way it handles geotagging the response he received was “we make limited use o f camera EXIF/IPTC data. EXIF rotation information is no longer ignored Photo comments are automatically populated with the IPTC title and caption . . . w e’re looking into more deeply integrating other EXIF/IPTC data into the product, but want to do so in a way that s reliable and respects the privacy o f people on Facebook.” Jeff James, How Facebook Handles Image EXIF Data, Security Blog, WindowsITPro, (Dec 7 2011) http://w m dow sitpro.com /bIog/how -facebook-handles-im age-exif-data.

Summer 2015] Using Digital Technology in Public Schools 327

and new sites are popping up all the time. Many people, students included, also have their own personal blog or website, and it is not uncommon for owners of blogs or websites to post photographs or other content that might have geotags attached. Moreover, technology is constantly evolving in ways that allow for circumvention of security measures that were designed to address outdated technology.

Hackers can access entire databases of information to steal identities of their victims. More and more, schools are becoming targets for hackers looking to access names, birthdates and social security numbers.158 At this point in time there is little information indicating what a school or district’s liability would be to students when their private information is compromised. FERPA has no bearing in such cases because FERPA only deals with intentional sharing of student information and not unintentional data breaches.

Although only tangentially related to privacy, schools and districts that are distributing expensive pieces of mobile technology for students to use both in the classroom and at home need to be aware that this practice can cause the school or student to be a target for theft and violence. In 2012, the Cleveland Heights University School District in northeastern Ohio distributed 1,300 iPads to middle school students, but

158. FTC Testifies on Children’s Identity Theft, FEDERAL TRADE COMMISSION (Sept. 1, 2011) http://www.ftc.eov/news-events/press-releases/2011/09/ftc-testifies-childrens-identity- theft. See e.g., Eyder Peralta, Data Breach A t University o f Maryland Exposes 309,000 Records, THE t w o - w a y (Feb. 20, 2014), http://www.npr.org/blogs/thetwo-way/2014/02/20/ 280195882/data-breach-at-university-of-maryland-exposes-309-000-records (the University of Maryland had one of its databases hacked, which compromised the personal information of over 300,000 students, staff and faculty members, and in 2010, Ohio State University was the victim of a data breach that exposed the names, birth dates and social security numbers of 750 000 people.); see e.g., Associated Press, 200K Students' Information Stolen in Massive Computer Hacking At FL College, CBS M i a m i (Oct. 10, 2012, 7:36 PM), http://miami.cbslocal.eom/2012/10/10/200k-students-information-stolen-m-massive-computer- hackine-at-fl-college/ (300,000 students, faculty and employees at Florida Panhandle college had personal information compromised in 2012, when 200,000 records were stolen by hackers); see e.g., Sharyn Jackson, Data Breach Could Affect 30,000 Iowa State Students, T h e D es M o in e s Re g is t e r (Apr. 22, 2014, 12:04 PM), http://www.desmoinesrepster.com/story/ news/education/2()14/04/22/isu-servers-hacked-social-security-numbersexposed/8006303/ (Iowa State University students were victimized earlier this year when records containing social security and university ID numbers were hacked. The documents included students who were enrolled between 1995 and 2012.).

328 Journal of Law & Education [Vol. 44, No. 3

less than a week after the tablets were handed out, more than a dozen students had been mugged on the way home from school.”159 Eventually the district stopped allowing students to take the iPads home, which frustrated the purpose of obtaining the devices in the first place.160 In response to this, other districts around the country are taking precautions. But, what is a district’s responsibility to protect students from harm when the district has distributed valuable technology to each student to carry from school to home?

Students are entitled to a safe school environment under both the California Constitution and the California Education Code, but “school districts and their employers have never been considered insurers of the physical safety of their students.”161 Generally, a school district is not responsible for student safety once a student has left school property. However, there are a few exceptions to this. Section 44808 of the Education Code specifically states that a district will not be responsible or liable for the conduct or safety of a pupil “at any time when such pupil is not on school property, unless . . . [the district] has otherwise specifically assumed such responsibility or liability or has failed to exercise reasonable care under the circumstances.”162 Whether a district assumes responsibility by issuing valuable technology to its students thereby causing the student to be a target for violence is not known at this time. Until the legislature or a court of law rules on this issue, it will remain unknown. There are a few cases that give a little insight however.

159‘ Brett M- Kelman, Thieves swipe school-issued iPads, USA Today (Nov. 4, 2013 3 4 1 8 2 0 5 / htt|,://www‘usatoday‘com ŝtory/news/nation/20! 3/11 /03/thieves-swipe-school-ipads/

160. Id. 161. Cerna v. City o f Oakland, 161 Cal. App. 4th 1340, 1353 (2008) 162. Cal. Educ. Code § 44808 (West 1977). 163. The language in the statute is ambiguous. No school district is liahlp fn r thr. , , f

section 44808 that refers to failing to exercise reasonable care does not create a common law form of general negligence; it refers to the failure to exercise reasonable care during one of the mentioned undertakings.” Bassett v. Lakeside Inn, Inc., 140 Cal. App. 4th 863, 871 (2006).

Summer 2015] Using Digital Technology in Public Schools 329

In Cerna v. City o f Oakland, a California Court of Appeal found that the school district did not assume responsibility for students crossing a busy street on the way to school even though the district had noted the heavy traffic pattern when it approved the school site and adopted a mitigation plan in compliance with the “School Area Pedestrian Safety manual.164 The court said that the School Area Pedestrian Safety manual did not create a mandatory duty on the district. Nor did the district assume responsibility for student safety by “inducing parents to transfer their children to the [s]chool by representations that adequate safety measures would be installed and enforced,” including the promise of a crossing guard.165 The court said the district did not assume responsibility because the promise of the crossing guard was in the “indefinite future” and that crossing guards are a “municipal obligation outside the responsibility of school districts.”166 The court also found that crossing guards provide a police function in controlling traffic and enforcing traffic laws, and because “public entities are immune prom liability for asserted failures to provide police and security services” this meant the school was not responsible.167

However, a different court in Joyce v. Simi Valley Unified School District, ruled that where the district is aware of a dangerous condition (busy intersection) and has the ability to “take reasonable action to protect against a foreseeable and substantial risk of injury (such as closing a gate near the busy intersection), the district had failed to exercise reasonable care in those circumstances.168

How do these cases apply to districts that issue technology to students for use at home and at school? Only time will tell. The purpose of section 44808 is to limit a school district’s liability for injuries to pupils before or after school hours while they are going to or coming home from school.169 Under Cerna, a district bears no liability for injuries caused to students outside of school property when the district

164. Cerna , 161 Cal. App. 4th at 1359. 165. Id. at 1360. 166. Id.

168' Joyce v. Simi Valley Unified School District, 110 Cal. App. 4th 292, 300 (2003). 169. Bassett v. Lakeside Inn, Inc., 140 Cal. App. 4th 863 (2006).

330 Journal of Law & Education [Vol. 44, No. 3

has not specifically assumed responsibility to do so. A court could find that in a situation where students are attacked because of expensive devices they carry, the district has assumed no responsibility and therefore is not liable for any injury. Alternatively, Joyce suggests that where a district can reasonably foresee a substantial risk of injury, the district must take measures to reduce that risk. Under this concept,’ if a district is aware of the danger posed to students who are carrying technological devices to and from school, a district may be liable for any injury imposed on a student if the district does not take measures to protect him or her. In either case, a district would be remiss to not consider the conditions of the surrounding community when sending students home with highly valuable equipment.

At this point, it is worth considering that students may be the perpetrators of theft or violence. California Education Code section 44807 dictates that districts will hold students “to a strict account for their conduct on the way to and from school” as well as while on campus. 0 Teachers and school administrators may use physical control that is reasonably necessary to maintain order, protect property, or protect the health and safety of pupils, or to maintain proper and appropriate conditions conducive to learning.”171 Although it is unclear to what extent a district must go to protect students from violence, if the perpetrator is another student, the district assumes responsibility for disciplinary measures.

C. The Government

When it comes to governmental privacy invasions, violations may be intentional or unintentional. School districts hold stores of student information, which make them susceptible to unintentional data breaches. Unintentional breaches occur when information is inadvertently shared because documents are not properly secured or when sensitive information is shared with an unauthorized recipient.172

170. Cal. Educ. Code § 44807 (West 1977) 171. Id. 172. Such was the case in June of this year, when Riverside Community College District

enroHment information was emailed to the wrong recipient, exposing sensitive information of 35,212 students. Dayna Straehley, Colleges: RCC, Moreno Valley, Norco students’ personal

Summer 2015] Using Digital Technology in Public Schools 331

Of course, government records are also susceptible to theft or hacking incidents.173 While legal guidance in all of these circumstances is lacking, under California law an agency that owns, licenses, or maintains computerized data that includes PI1 must notify any potential victim when a data breach has occurred.174 Under which circumstances, and to what extent, a school district will be liable to students for a data breach remains unclear. Thus, the focus of this section will be what rights are extended to students regarding intentional digital privacy invasions by school districts.

A district might intrude on a student’s digital privacy for many reasons, particularly when it comes to ensuring student safety and enforcing school policies. Districts are charged with maintaining a safe school environment, but with the prevalence of cyberbullying and other inappropriate digital interactions occurring among students, districts are often left unsure about how to address such problems without violating student privacy rights. There is increased pressure for district officials to search electronic devices, such as cell phones or laptops, or to access a

data breached, The Press Enterprise (June 17, 2014) http://www.pe.com/articles/district- 696343-students-credit.html. Another example occurred in Loudoun County, Virginia, a webpage containing personal information about Loudoun County Public Schools students and staff that was thought to be password protected, was made available to the public during a bne period of technical testing. This incident appears to have been an oversight, but during that time, more than 1,200 links sharing sensitive data were made available through a simple Google search. Danielle Nadler, Loudoun Schools Repair Online Data Breach, Leesburg Today (Jan. 7, 2014) http://www.leesburgtoday.com/news/loudoun-schools-repair-online-data- breach/article_c633baea-77a4-l Ie3-8f36-001a4bcf887a.html.

173. Three computers in the Student Health Center at the University of California Irvine were compromised when a keylogging virus captured keystrokes as information was entered into the computers. The hackers were able to gain information from mid-February -01 through to the end of March 2014. The information the hackers obtained included names, unencrypted medical information, student ID numbers, mailing addresses, telephone numbers, and payment information such as bank names and check numbers. J. Price, U.C. Irvine Student Health Data Breach Hits 1,800, TweakTown, (May, 15, 2014, 2:24 PM), http://www tweaktown com/news/37919/university-of-califomia-irvine-breached-student-information-at-nsk/ index.html; And, in July, the Douglas County School District fell victim to privacy invasions when a laptop containing personal employee information was stolen. Stolen laptop security breach fo r DougCo schools, 9NEWS (July 15, 2014, 9:21 PM), http://www.9news.com/story/news/local/2014/07/15/stolen-laptop-causes-secunty-breach-lor-

dougco-schools/12717149/. 174. Cal. Civ. Code § 1798.29 (2014).

332 Journal of Law & Education [Vol. 44, No. 3

student s social media accounts and other digital interactions, like text messages or blog posts, in an effort to monitor student behavior. Law enforcement agencies often use the Internet and social media sites to uncover evidence and identify suspects in a crime.175 Using social media in this way implies law enforcement and school officials may be able to search for and obtain personal information without the need for procedure. Additionally law enforcement and school officials may initiate data searches without any requisite level of suspicion.

New legislation in California, AB 1442, effective January 1, 2015, allows school officials to consider using social media to obtain information about students.176 Under the new law, parents must be informed when a school is considering implementing a program that would allow the school to gather information about a student through social media websites and then maintain that information in the education record.177 Additionally, such information would have to be destroyed after the student leaves the district or turns nineteen.178 The law says nothing of a district’s liability for any privacy invasion occurring in contravention of the law.

1. Expectations o f Privacy

The Fourth Amendment of the United States Constitution protects citizens from unreasonable searches and seizures of their private effects, papers, homes, and bodies.179 This is a well-established doctrine that has been extended to students through case law.180 Students generally have a reasonable expectation of privacy within the personal belongings they

|3-5’ Sef Martha Nei1’ Love my dress' Facebook Selfie Puts Police On Trail O f Shoplifting Suspect, A B A JOURNAL (July 21, 2 0 1 4 ), http://w w w .abajoum al.com /new s/article/ love_m y dress_facebook_selfie_puts_police_on_trail_of_shoplifting_suspect/?utm_source=maestro& utm _m edium =em ail& utm _cam paign=tech_m onthly.

176. Assemb. 1442, 2013-2014 Leg., Reg. Sess. (Cal. 2014). 177. Ca l . E d u c . Code § 49073.6(b) (2014). 178. Ed u c . § 49073.6(c). 179. U.S. Co n s t , amend. IV. 180. See Application o f Gault, 387 U.S. 1, 12-13 (1967) (acknowledging that “neither the

Fourteenth Amendment nor the Bill of Rights is for adults alone.”).

Summer 2015] Using Digital Technology in Public Schools 333

bring to school, like purses and backpacks. 181 Because of this expectation of privacy, school officials cannot search these belongings without justification. Of course, this does not establish a definitive boundary—rather, the individual circumstances will dictate the reasonableness of a search—but technology has amplified the vagueness of how privacy concepts should be applied.

The key to Fourth Amendment protection, however, is that it only protects individuals from searches where there is a reasonable expectation of privacy. 182 Technology has changed the manner in which, as well as how, we store information, and so the question of, When is it reasonable to expect privacy, and in what context? becomes central to the discussion. As technology has shifted the traditional limits on where information is kept and how it is accessed, the definition of reasonable privacy expectations is rather murky. Even the United States Supreme Court agrees that “it would be foolish to contend that the degree of privacy secured to citizens by the Fourth Amendment has been entirely unaffected by the advance of technology.” 183

In order to understand the current state of reasonable expectations in privacy, the following section provides an overview of how technology has shaped the evolution of this concept, followed by a brief discussion of how student expectations in privacy differ from those of the general public before a conclusion of specifically student expectations of privacy in digital technology.

a. Expectations of Privacy in Digital Devices

Every time a new piece of technology is invented, there is a paradigm shift regarding what constitutes a reasonable expectation of privacy. For example, the advent and popularity of aviation changed whether a

181. See Safford Unified Sch. Dist. No. 1 v. Redding, 557 U.S. 364, 373 n.3 (2009); New Jersey, v. T.L.O., 469 U.S. 325, 338-39 (1985).

182. See California v. Greenwood, 486 U.S. 35, 39-40 (1988); see also Katz v. United States, 389 U.S. 347, 360 (1967) (“ [T]he rule that has emerged from prior decisions is . . . first that a person [has] exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”) (Harlan, J., concurring).

183. Kyllo v. United States, 533 U.S. 27, 33 (2001).

334 Journal of Law & Education [Vol. 44, No. 3

person had a reasonable expectation of privacy within his own back yard since it was now reasonable that someone could view the contents of a backyard without engaging in a traditional “search. ” 184 More recently, courts have had to contend with computers, followed by the smartphone. Courts have offered differing opinions as to how to treat computer searches. One California court claimed that a personal computer is like a folder possibly containing identifying information and thus is “seizable immediately as indicia, ” 185 while other courts have declared personal computers as entitled to a reasonable expectation of privacy.

Cell phones offer some perplexing challenges as well. Typically, upon arrest, a person may be searched, along with the contents of any items found on the person, such as a cigarette packet187 or articles of clothing. Most people carry their cell phone on their person, and thus the question arises, Can a cell phone be searched incident to arrest? Courts have had differing opinions about how to treat cell phones, but the Supreme Court recently inserted its opinion, substantially calming the debate. In a ruling handed down earlier this summer, the Court declared that a cell phone incident to arrest is generally not valid without a warrant. 189 In Riley v. California, the Court recognized that cell phones are unlike any other object that may be found on an individual, and thus deserving of more protection from unwanted searches:

Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse . . . . Cell phones differ in both a quantitative and a

8f fi J ' S1̂ > re/ * onable expectation of privacy in a person’s backyard. See Florida v. ley, 488 U.S. 445, 451-52 (1989) (holding a helicopter flight at 400 feet to observe a

backyard was not a search” for purposes o f the Fourth Amendment); California v. Ciraolo, , , 1014 o 986) (determining that a warrantless aerial observation of a fenced-in backyard within the curtilage of the home was not unconstitutional).

185. People v. Balint, 138 Cal. App. 4th 200. 215 (2006)

4 8 2 F.3d m U lm fm n A"drUS' U 3 R M ' • 718<2° ° 7); - 187. United States v. Robinson, 414 U.S. 218, 224 (1973). 188. United States v. Edwards, 415 U.S. 800, 804—05 (1974). 189. Riley v. California, 134 S.Ct. 2473, 2485 (2014).

Summer 2015] Using Digital Technology in Public Schools 335

qualitative sense from other objects that might be kept on an arrestee’s person. . . . [M]any of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.190 One of the most notable distinguishing features of modem cell phones is their immense storage capacity. Before cell phones, a search of a person was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy. Most people cannot luff around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so. And if they did, they would have to drag behind them a trunk of the sort held to require a search warrant in Chadwick, rather than a container the size of the cigarette package in Robinson.19'

Ultimately, Riley stands for the conclusion that the information on a cell phone is entitled to more protection than other common items found in someone’s pocket or purse.

b. Student Expectations o f Privacy in General

As with many other constitutional protections, Fourth Amendment rights began with the general public, and were then extended to students through case law. However, that case law has limited the protections offered to students. The famous Supreme Court case, Tinker v. Des Moines Independent Community School District, held that students do not shed their constitutional rights at the schoolhouse door. The case dealt specifically with the First Amendment freedom of speech, but thereafter the Supreme Court extended these rights to include Fourth Amendment protections as well. In 1975, the Court held in Goss v. Lopezm that once a state has established a public school system,

190. Id. at 2488-89 (citations omitted). 191. Id. at 2489. 192. 393 U.S. 503, 506(1969). 193. 419 U.S. 565,574 (1975).

336 Journal of Law & Education [Vol. 44, No. 3

students are extended a property right in obtaining an education. This right cannot be revoked without due process as established by the Fourth Amendment. 194 A decade later the Supreme Court held in New Jersey v. T.L.O. that the Fourth Amendment’s prohibition on unreasonable search and seizure applies to searches conducted by public school officials. 195

In T.L.O., a vice principal searched a student’s purse after she was found smoking in the girls’ restroom. The search turned up a small amount of marijuana and drug paraphernalia. 196 The Court rejected the idea that public schools’ authority over students is entirely that of the parents, therefore not subject to constitutional constraints. Instead, the Court found that Fourth Amendment protections apply to students’ but are limited in scope. Rather than applying the traditional “probable cause” standard afforded to the general public, the Court focused on the need for a balancing test to weigh students’ expectation of privacy against administrators’ need to maintain discipline and order in the classroom and on school grounds. 197 It recognized that “maintaining order in the schools requires a certain degree of flexibility in school disciplinary procedures. ” 198 The Court emphasized the value of preserving the informality of the student-teacher relationship—rejecting the idea of a required warrant while simultaneously reducing the requisite level of suspicion from “probable cause” to a simple reliance on the reasonableness of the search given the circumstances under which it took place. 199 The reasonableness of a search depends on whether the search was “justified at its inception,” and whether it was reasonably related in scope to the circumstances which justified the

interference in the first place. ” 200 Ultimately, the Court held that the search was justified because the student was found smoking in the bathroom, in violation of school policy, but denied the charges against her. The Court felt the vice principal was justified in searching the

194. Id. 195. 469 U.S. at 333. 196. I d at 328. 197. Id. at 339-40. 198. I d at 340. 199. Id. at 340-41. 200. I d at 342 (citation omitted).

Summer 2015] Using Digital Technology in Public Schools 337

student’s bag for cigarettes. Upon finding drug paraphernalia, the vice principal had reason to suspect that the purse also contained marijuana, justifying the continued search of her bag. ' 01

Another insightful case is Safford Unified School District N o.l v. Redding. 202 In Redding, school authorities subjected a student to a strip search after they suspected her of distributing prescription-strength pain medication to other students. The U.S. Supreme Court ruled in favor of the student who charged the school with a Fourth Amendment violation because the scope of the search was not reasonably related to the circumstances that justified the inspection. Elaborating on the reasonable test from T.L.O., the Court held that a search of a student is reasonable if there is a “moderate chance of finding evidence of wrongdoing.” 203 Furthermore, the Court said the circumstances were sufficient to justify a search of her backpack and outer clothing, but because there was no evidence to suggest she was concealing items in her underwear, and the focus of the search was on common pain relievers equivalent to two Advil or one Aleve, the school s interest in conducting the search did not justify the intrusive nature of it.

The importance of this case is that it extends a reasonable expectation of privacy to students regarding their personal belongings. Coupled with the Riley case, which states that cell phones are entitled to a higher degree of privacy than other common objects, students may have a reasonable expectation of privacy in their digital devices. One thing to note, however, is that students who do experience privacy violations often have little recourse because school officials are protected under the doctrine of qualified immunity. Under this doctrine, school officials who engage in student searches are protected unless there ls ^clearly established law” indicating a Fourth Amendment violation.' Thus, even where student rights have been directly stated, the district may still be protected by immunity.

201. Id. 202. 557 U.S. 364. 203. Id. at 371. 204. See id. at 373-76. 205. Id. at 377.

338 Journal of Law & Education [Vol. 44, No. 3

c. Student Expectation o f Privacy in Digital Devices

There are a few cases that address students’ expectations of privacy in digital devices specifically. Unsurprisingly, courts are divided on the issue, leading to a lack of clear guidance on the subject. In an unreported case from Mississippi, J.W. v. Desoto County School District,^ a student, R.W., was expelled from school after school employees discovered photographs on his phone implicating him in gang activity. Even though possessing a phone on school grounds was against school policy, R.W. opened his cell phone while in class to retrieve a text message from his father. The cell phone was confiscated as a result of the violation, and three school officials and one police sergeant reviewed the phone’s contents. The court used the two-part reasonableness test established in T.L.O.—was the search justified at its inception and was it reasonably related in scope— and determined that it was reasonable for school officials to search the phone. The court said the search was justified at its inception because the phone was not permitted on campus and R.W. “greatly increased his chances of being caught with that contraband (and of being suspected of further misconduct) when he elected to use it on school grounds. ” 207 The court thought it was “reasonable for a school official to seek to determine to what end the student was improperly using that phone. ” 208 The court also found that “the search itself was ‘reasonably related in scope to the circumstances which justified the interference in the first place, ” ’209 though it did not articulate why.

Another case, G.C. v. Owensboro Public Schools, 210 offers a strong juxtaposition to J.W. In G.C., when the student was caught sending text messages in class, a school official confiscated his phone and read his text messages. The school official testified that she had looked at the text messages because G.C. had a history of drug use and suicidal

206. This is an unreported MPM-DAS, 2010 WL 4394059

207. Id. at 4.

case, and thus not binding authority. No. 2:09-cv-00155- (N. D. Miss. November 1, 2010).

208. Id. 209. Id. 210. 711 F.3d 623 (6th Cir. 2013).

Summer 2015] Using Digital Technology in Public Schools 339

thoughts, and she was concerned for his safety. 211 The court expounded on the two-part reasonableness test from T.L.O. and further defined when a search is “justified in its inception.” A search is “justified in its inception,” the court said, “when there are reasonable grounds for suspecting that the search will gamer evidence that a student has violated or is violating the law or the rules of the school, or is in imminent danger of injury on school premises.”' 1" Continuing with its elaboration, the court said, “a search will be permissible in its scope when the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the age and sex of the student and the nature of the infraction.” 213 Furthermore, “[i]n determining whether a search is excessive in its scope, the nature and immediacy of the governmental concern that prompted the search is considered.” 214

Using this explanation, the court disagreed with the way the J.W. court had applied the legal standard set out in T.L.O.. It rejected the J.W. court’s logic that simply because a student is caught using his cell phone, the school is justified in searching his phone. Instead, the court held that a “search is justified at its inception if there is reasonable suspicion that a search will uncover evidence of further wrongdoing or of injury to the student or another. ” 215 It then emphasized that “[n]ot all infractions involving cell phones will present such indications. Ultimately, the court applied this logic to the facts and determined that the search was not justified in its inception. Even though G.C. had a history of drug abuse and depressive tendencies, this fact without more, was insufficient to justify a search. There was no evidence to suggest that G.C. was engaging in unlawful activity or contemplating injury to himself or others. Rather, the evidence indicated that G.C. was sitting in class when his teacher caught him using the phone. The court felt this did not indicate that a search would reveal evidence of criminal activity or potential to harm anyone in the school. Thus, while J.W. stands for

211. Id. at 628. 212. Id. at 632. 213. Id. 214. Id. 215. Id.

340 Journal of Law & Education [Vol. 44, No. 3

the likelihood that searches of student cell phones are reasonable, G.C. stands for the likelihood that they are not.

J.W. and G.C. provide opposing viewpoints on a district’s authority to conduct a search of a student’s digital device, and as such, these cases offer little guidance to school administrators who engage in searches of student devices. Moreover, these cases do not give any insight into a school s ability to search a device that has been issued to a student by the district. With many districts implementing, or looking to implement a one-to-one technology program, this question remains problematic. Neither J.W. nor G.C. gives insight into Fourth Amendment concerns arising from school searches of a district issued device, which would presumably be the target of a search where students are using such devices. Arguably, a student may have a further diminished expectation of privacy in a district-owned device than in his or her own personal cell phone or computer, but this has yet to be determined. This is due in part to the fact that presumably, a district’s responsible use policy governing student use of district devices would address the scope of a reasonable search. However, a responsible use policy does not guarantee that a district’s actions are constitutional.

Although it is not a school law case, United States v. Finley216 does offer insight into this responsible use policy. Finley, was arrested after driving another man to a truck stop for the purpose of conducting a drug deal, but only provided transportation. Upon arrest, Finley’s phone was seized and searched. The phone belonged to Finley’s employer and had been issued to Finley for work, but could be used for personal business as well. 7 In determining whether Finley had a reasonable expectation of privacy, the court discussed the distinction between a property interest and a possessory interest in the device targeted in the search. Finley had a possessory interest while his employer had a property interest. The court did not believe that this affected Finley’s expectation of privacy in the device when concerning a government search. “That Finley s employer could have read the text messages once he returned the phone does not imply that a person in Finley’s position should not have reasonably expected to be free from intrusion from both the

216. 477 F.3d 250 (2007). 217. Id. at 254.

Summer 2015] Using Digital Technology in Public Schools 341

government and the general public.” 218 In reaching this conclusion, the court also considered whether Finley had a right to exclude others from the item or place being searched. 219 When person does not have a right to exclude others, his expectation of privacy is diminished."

Significantly, this case suggests that even where a third party has a property interest in a device, the user of the device may still have a reasonable expectation of privacy in that device.221 Under this premise, a student may still have an expectation of privacy in a device that is owned by the district. However, in Finley, the entity with a property interest in the phone and the entity searching the phone were distinct from one another. 222 In the case of a district-issued device, the entity searching the device and the entity owning the device would be the same. Therefore, the principles established in this case do not necessarily translate to a situation where a school wishes to search a district-owned device that has been issued to a student. It would be reasonable to assume that in such a situation, the school would have more authority to search the contents of a device. Presumably, a school’s authority to search one of its own devices issued to a student would be established in the school’s responsible use policy.

Ultimately, it seems that the two-part test established in T.L.O. is the standard for student searches. If a school administrator conducts a search that is justified at its inception and the scope of the search is reasonably related to the circumstances that justified it, then this is sufficient to at least provide qualified immunity from liability to the official conducting the search, if not to justify the search in the first place. 223

A lot of questions remain unanswered, but as more case law develops, certainly some of the issues presented by use of technology in schools will become clearer. This includes Fourth Amendment issues as

218. Id. at 259. 219. Id. at 258-59. 220. See Rakas v. Illinois, 439 U.S. 128, 148-49 (1978) (holding that passengers m a car

searched by police had no legitimate expectation of privacy in the search area since they “asserted neither a property nor a possessory interest in the automobile.”).

221. See Finley, A l l F.3d at 259. 222. Id. 223. See Redding, 557 U.S. at 376-79.

342 Journal of Law & Education [Vol. 44, No. 3

well as other privacy concerns related to data breaches of school information systems as well as data mining by third party vendors. Until that time, however, districts would be wise to consider the issues that surround digital technology and work with legal counsel to develop policies addressing these concerns.

III. CONCLUSION

Advances in technology have brought significant changes to the ways m which schools conduct business. Technology has eased the burden for school districts that are tasked with managing databases of information on students and employees. Mobile technology has created wonderful learning opportunities for students and teachers. Technology can even create greater opportunities for parents to engage with what their children are learning in school. But, with these advantages come some great challenges, particularly when it comes to protecting student privacy.

One of the biggest concerns for student privacy comes from the way data can be collected during ordinary online activity. Data miners have become so sophisticated that school districts often do not recognize where third parties are collecting student data. Likewise, attempting to keep up with how technology is being used to collect data can be futile because technology, and data collection along with it, continues to evolve. Criminals are also becoming more adept at infiltrating databases, leaving less sophisticated district technology at risk of being hacked and student information susceptible to exposure or theft. Finally, as more devices are being used in the classroom, teachers and administrators are faced with the delicate balance between needing to monitor student online activity and not infringing on students’ right to privacy when using digital devices or the Internet.

Further complicating all of these issues is the fact that the law addressing these issues is often vague and sometimes nonexistent.

echnology is advancing at a rapid rate, and where relevant law exists, it has evolved piecemeal, making it difficult to identify and understand how the law applies. Additionally, both federal and state law apply to student privacy issues, as well as local regulations, so more layers must be considered when attempting to decipher the legal puzzle.

Summer 2015] Using Digital Technology in Public Schools 343

Because of the responsibility placed on districts to protect student privacy and the sensitivity of the personal student information that is at risk, districts—particularly those that have or are considering implementing one-to-one technology initiatives—would be wise to consider student privacy issues prior to beginning a technology program. Addressing these concerns in district policy manuals, handbooks, and responsible use policies, as well as seeking advice from legal counsel, is also recommended.

Copyright of Journal of Law & Education is the property of Journal of Law & Education and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.