New California Law Bans Google From Data Mining and Profiling Students For Profit

California has enacted the Student Online Personal Information Protection Act (SOPIPA or SB 1177) that better protects the personal privacy of students.  According to the bill's Legislative Counsel's Digest, "[t]his bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K–12 student, selling a student’s information, or disclosing covered information..."

One of new law's staunchest supporters is Common Sense Media's CEO and founder James Steyer.  On October 14, 2013 Common Sense Media sent an open letter and publicly sounded the alarm regarding the need to better safeguard the personal privacy of our children's school created digital data.  According to The New York Times, the organization sent a letter to 16 educational technology vendors to start a conversation on how to better protect student privacy.  The New York Times reported that Google declined to comment on Common Sense Media's public call for stronger privacy safeguards for students.

Google's refusal to comment on Common Sense Media's open letter to the educational technology industry followed an earlier sidestep to the Rhode Island School of Design's questions about its privacy protections for students who utilize Google's Apps For Education service by allegedly equating "not serving ads" to "no student data mining".  While Google may not be serving behavioral based ads to students through its school offerings at this point, this does not mean it is not data mining personal student information for other non-educational purposes.

Common Sense Media's concerns about  a lack of strong privacy protections for students were validated with the release of Fordham University Law School's Privacy and Cloud Computing Study.   According to the Huffington Post, the Fordham Study "found that only one-fourth of [school] districts tell parents about these services [new cloud based technologies] and one-fifth of districts don't have policies explicitly governing their use [of the data collected]. Many contracts between districts and technology vendors don't have privacy policies, and less than 7 percent of the contracts restrict vendors from selling student information. The agreements rarely address security, according to the Fordham research."  These findings were very disturbing and further confirmed the importance of Common Sense Media's call to strengthen student privacy laws.

Education Week's March 2014  investigative report regarding the federal Google Gmail wiretap lawsuit uncovered that Google "scans and indexes" student emails for advertising purposes.  At that time, Google refused to answer whether it was building user profiles of students based upon its access to their school work.  This troubling admission and refusal to be fully transparent about its student data collection and usage practices set off such a huge firestorm that on April 30, 2014,  Google announced it would allegedly discontinue the practice of scanning student emails for advertising purposes.  

In response to Google's alleged policy change, privacy law scholar Prof. Joel Reidenberg of Fordham told Education Week, Google's measure is "a positive step,"....... [however] "he identified two "significant problems" with it: Google can change this policy at any time, and, the scanning disclaimer is associated with advertising purposes only. There may be other commercial uses that they are exploiting student data for,...."... "such as selling information to textbook publishers, or test-preparation services."  Prof. Reidenberg's statements were prescient because subsequently Politico investigated the educational technology industry and validated his concerns that student data may be utilized by vendors for "other commercial uses".

More than 93% of Google's 2013 $55 billion dollars in revenue was derived from advertising.  While this is slightly lower than 2009's 97% figure, it demonstrates that Google's primary business for years has been data acquisition and mining to create user profiles for advertising purposes.  Google's advertising business has propelled it to become the 2nd most valuable company in the world.  While becoming the most valuable advertising/data mining company in the history of the world, Google has on multiple occasions intentionally cut corners and violated the personal privacy and safety of its users.  During the past several years, privacy regulators around the world have fined Google tens of millions of dollars for its illegal practices.    

The 2011 FTC-Google Buzz Agreement banned Google from making future privacy misrepresentations.  Unfortunately for users, Google wasted no time in breaching this agreement because in 2012 it paid a $22.5 million dollar record fine for misleading users about its privacy practices regarding the scandal known as the Apple "Safari Hack".  In 2013, Google entered into a multi-million dollar privacy violation settlement with 38 states regarding its Street View Project's data collection practices.  In Septemberof 2014, Germany's Hamburg data protection (privacy) regulator ruled that "Google is ordered to take the necessary technical and organizational measures to guarantee that their users can decide on their own if and to what extend their data is used for profiling."

When Education Week contacted Google regarding its position on SB 1177, "Google...declined to clarify whether it scans student email messages sent using its wildly popular Apps for Education tool suite in order to build profiles that might be used for commercial purposes other than targeted advertising...."  Google's refusal to emphatically deny it scans student emails to create user profiles for non-educational purposes may indicate that it is violating the 2011 FTC-Google Buzz Agreement, and/or its 2013 multi-state Attorney Generals Street View Project Agreement. 

While the EU generally appears to be moving in the right direction regarding enforcing its data protection laws against Google, the company so far has not been held accountable in the United States for violating the personal privacy of millions of students who utilize its school provided services.  When will Google be required by a regulatory authority or a court of law to answer the following questions relating to its student data collection and usage practices?: 

1.   How long has Google been scanning the emails of students for advertising/potential advertising purposes (List dates) and which school and how many students by school were affected by this practice?
2.  Has Google deleted the information it collected under the policy of scanning student emails for advertising/potential advertising purposes?  If so, when?

3.  Why was Google scanning student emails for advertising/potential advertising purposes?

4.  Does Google scan student emails or other student content for any purpose other than virus checking/spam filtering?  If yes, for what other purposes?

5.  Does Google create user profiles and/or combine multiple data points on students for any purpose other than to deliver school contracted services?  If yes, what data points is Google collecting, why is it collecting these data points, and when will Google delete these data points? 

Google's troubling behavior and policy reversal appears to have been the spark that ensured SB 1177 was passed by the state legislature and signed into law.  In addition, Google's unfair and deceptive trade practices demonstrate the need for greater accountability and enforcement to ensure that our children's personal privacy and safety are not compromised for corporate profit.  While the enactment of SB 1177 is a positive development, it is time for students, parents, school administrators, lawmakers, privacy advocates, and regulators to start holding Google accountable for its illegal student data mining and usage.

Copyright 2014 by Shear Law, LLC All rights reserved.