EdLawConnect Blog

Internet Safety Policies

School districts are responsible for monitoring students’ online activities under the federal Children’s Internet Protection Act (“CIPA”). CIPA provides that if a local educational agency receives discounts from an Internet service provider, the district must certify annually that it is enforcing a policy of Internet safety for minors. The policy must include monitoring the online activities of minors and the operation of technology protection measures with respect to any of its computers with Internet access. The technology protection measures must also protect against access to materials that are obscene, child pornography, or are considered harmful to minors. The district must also implement an Internet safety policy to educate minors about appropriate online behavior, including appropriate interaction on social media and cyberbullying awareness and response. (See 47 U.S.C. § 254(h)(5).)

To support implementation of CIPA, federal regulations provide a checklist for what a school district’s Internet safety policy must address, including:

(A) Access by minors to inappropriate matter on the Internet and World Wide Web;

(B) The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;

(C) Unauthorized access, including so-called “hacking,” and other unlawful activities by minors online;

(D) Unauthorized disclosure, use, and dissemination of personal information regarding minors; and

(E) Measures designed to restrict minors' access to materials harmful to minors.

(47 C.F.R. § 54.520(c)(1)(ii).)

While the determination of what is harmful to minors is up to local discretion, the law provides the following framework to make that determination. Any picture, image, graphic image file (aka a .gif), or other visual depiction is harmful to minors if:

(A) Taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion;

(B) Depicts, describes, or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and

(C) Taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors.

(47 C.F.R. § 54.520(a)(4)(iv).)

In 2003, the United States Supreme Court determined that: 1) CIPA did not violate the First Amendment free speech clause, and 2) CIPA did not impose an unconstitutional condition on public libraries. (U.S. v. American Library Ass'n, Inc. (2003) 539 U.S. 194.) In that case, a library association argued that the condition to install software that blocked obscene or pornographic images and that prevented minors from accessing harmful material on the Internet was an impermissible condition to receive federal assistance for Internet access. The library association and the lower court took the position that a content-filtering software like the one required under CIPA was a content-based restriction on access to a public forum for purposes of the First Amendment. Therefore, they argued that the condition was subject to the highest level of scrutiny, “strict scrutiny”, and that while there was a compelling interest to prevent access to material harmful to minors, the library association contended that the imposition of filters was too broad to meet that interest.

The Supreme Court disagreed and ultimately found that a computer with Internet access in a public library was not considered a “public forum” for purposes of the First Amendment. The Court explained that an Internet terminal at the library did not encourage a diversity of views from private speakers. Rather, Internet access in a public library was offered to facilitate research and learning. In fact, Congress described the Internet as “simply another method for making information available in a school or library, which was ‘no more than the technological extension of the book stack.’” Congress’s description of the Internet suggests that the same ideas and principles can be applied to schools as well, and further supports application of CIPA.

Privacy & Records-Related Concerns

Because district devices and Internet technology are owned by the district and used for instruction, students do not have a reasonable expectation privacy when using those devices and/or technology. As such, students and  parents/ guardians should be notified that there is no expectation of privacy. This is typically accomplished through the student’s Acceptable Use Policy (“AUP”) and/or district Board policy.

Further, if a district uses a content-filtering software that sends an alert when a student tries to access a blocked site or searched for harmful material and/or the district implements any type of tracking system for a student's online activities, that may generate a “pupil record” for purposes under the law. California’s Education Code defines “pupil record” as any item of information directly related to an identifiable pupil that is maintained by the school district or required to be maintained by an employee in the performance of their duties whether recorded by handwriting, print, etc. As an example, if someone at the district or a particular site (i.e. the school’s IT person) views and keeps (or tracks through their own developed spreadsheet) alerts, those items would become pupil records.  So when a district has to respond to a FERPA request, request for records pursuant to the Education Code, or subpoena for student records, a district must ensure it is obtaining any records that may be retained related to these filters and alerts. Therefore, we recommend that for districts who receive these types of alerts and track them, this information should be noted in the student information system (e.g., Aeries, or Q) so information is readily available in the event of a records request. This type of pupil record would be considered a “permitted” record as opposed to a “mandatory” record, which means that it may be destroyed when its usefulness ceases or six months after the student’s completion of or withdrawal from the educational program.

Important Considerations & Takeaways

Knowing that CIPA requires districts who receive federal discounts on Internet service to monitor students’ online activities, what does this mean for districts on a practical level? Districts should check to make sure they have an appropriate Internet safety policy for monitoring students’ online activities available through its Board polices and/or AUP for students. Districts should also work with IT departments to determine whether they have the appropriate technology protection measures (i.e. content-filtering software) to prohibit access to obscene and pornographic material, and any material that is considered “harmful to minors” as defined above.

This summer is a great time to  review Board policies on “Student Use of Technology” and student AUPs, ensuring both documents comply with the requirements outlined in CIPA and related regulations. Contact your AALRR attorney if you would like suggested language to consider for your AUP or for a review of your AUP and Board policies.

This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process. 

© 2021 Atkinson, Andelson, Loya, Ruud & Romo