The New Internet Privacy Protection Act and Its Effect on Schools and Students
On December 28, 2012, Governor Snyder signed into law Public Act 478, the Internet Privacy Protection Act (the "Act"), giving the law immediate effect. The law applies to educational institutions, including public and private elementary and secondary schools. The law also applies to employers, including units of state or local government. Clark Hill's summary of the law's impact on employers is available here .
Of particular relevance to schools and school districts, the law prohibits educational institutions from doing any of the following:
- Requesting a student or prospective student to grant access to, allow observation of, or disclose information that allows access to or observation of the student's personal internet account; or
- Expelling, disciplining, or otherwise penalizing a student for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the student's personal internet account.
"Personal internet account" means "an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user's account information, profile, display, communications, or stored data." This includes students' Facebook and Twitter accounts, and personal email accounts. A student's personal cell phone or smartphone, especially where a password is used to access it, probably also constitutes a "personal internet account" under this definition, although the terminology is not completely clear.
A violation of the Act is a misdemeanor punishable by a fine of not more than $1,000. An aggrieved individual may bring a civil action to enjoin a violation of the Act and may recover not more than $1,000 in damages plus reasonable attorney fees and court costs. Compliance with state and federal laws is an affirmative defense to an alleged violation of the Act.
The law explicitly provides that schools may request or require a student to disclose access information to gain access to an electronic communications device paid for in whole or in part by the educational institution, or an account or service provided by the educational institution that is either obtained by virtue of the student's admission to the educational institution, or used by the student for educational purposes. This provision comports with existing law that provides for no expectations of privacy for students who use school-issued devices.
Schools remain obligated under Michigan law to follow their anti-bullying policies, which are required to include the prompt investigation of reports of bullying of students at school. This includes reports of "cyber-bullying" that occurs off school premises that is conducted through the use of a telecommunications access device or service provider owned by or under the control of the school. ( See MCL § 380.1310b). Under federal civil rights laws, schools are responsible for addressing harassment incidents about which it knows or reasonably should have known, including harassment that occurs through the use of cell phones or the Internet.
Importantly, while employers have an exception under the Act for "conducting an investigation or requiring an employee to cooperate in an investigation," educational institutions investigating student misconduct are not included in this exception. The employers' exception covers, among other things, investigations where there is "specific information about activity on the employee's personal internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct." Educational institutions do not enjoy such an exception from the prohibitions in the Act when investigating school-related student misconduct.
In order to comply with the Act, schools should review and consider revisions to their existing technology and internet policies, as well as their acceptable use policies and agreements. Known threats to or misconduct that implicates the safety of the school and its students and staff, including those communicated by a student from his or her personal internet account, must be reported to law enforcement. Schools must continue to investigate reports of cyber-bullying at school, as well as reports of discriminatory harassment. However, in conducting the investigation or addressing the report, the school must not request that a student grant access to, allow observation of, or disclose information that allows access to or observation of, the student's personal email account, Facebook or Twitter account, or other personal internet account. Nor may the school discipline the student for failure to grant such access.
Please consult your Clark Hill attorney for assistance with complying with this new law.
California’s Sweeping New Insurance Policy Limit Demand Statute Goes Into Effect January 2023Explore more
Religious Accommodations Update: What Manufacturers Need To KnowExplore more
Right To Know - November 30, 2022, Vol. 1
Cyber, Privacy, and Technology Report