The California Supreme Court will soon decide the scope of two education data privacy laws.

An appellate court ruled in July that the case J.M. v. Illuminate Education Inc. remanded the case to the California Supreme Court, which agreed to hear the case in October. J.M., an 11-year-old student who was the lead plaintiff of the case, alleged that Illuminate Education Inc. – a company that was the target of a data breach and did not inform users about the leak for five months – failed to adequately protect his data.

Attorneys for the plaintiff argue that under California’s Confidentiality of Medical Information Act and Customer Records Statute, Illuminate Education could be found liable for the breach.

Alex Alben, a privacy, data and cybersecurity professor at the UCLA School of Law, said he believes there has been a growing problem regarding data security over the last couple of decades.

“As companies collect more and more data about us, there used to be a separation between the physical world and the online world,” Alben said. “That separation has faded away, where all of our data – even if it’s collected in a physical environment – is put into an online format.”

A main allegation brought forward by J.M. was that Illuminate Education collected students’ mental, physical and emotional health records for educational institutions. The plaintiff claimed Illuminate Education had promised to keep this information confidential, but ultimately failed to protect it.

The lack of a national privacy law leads to people having to rely on their state law in order to protect their privacy rights, which does not always result in the same protections from state to state, Alben said. California currently holds some of the most comprehensive privacy laws in the country, including the California Privacy Rights Act which gives consumers more control over what data companies collect from them.

J.M. cited some of California’s laws in the case, including the California Confidentiality of Medical Information Act, which protects the confidentiality of consumers’ medical information. However, had the suit taken place in another state, it would not be subject to the same acts – whereas federal regulations would protect all states equally.

“Many of us believe that privacy is a fundamental right,” Alben said. “(Privacy is) not recognized as a fundamental right in the U.S. Constitution.”

Robert Braun, partner and co-chair of the cybersecurity and privacy group at Jeffer Mangels Butler & Mitchell LLP, said there should be a federal standard for privacy. Since this case took place in California, Illuminate Education will have to defend its actions under both the CMIA and CRA, he added.

“The most important thing a company can do is practice data minimization,” Braun said. “The first step is not to collect more data than you need and not to keep that data longer than you need it.”

According to the lawsuit, the legal basis for collecting J.M.’s data was for the purpose of evaluating his educational progress.

E. Burton Swanson, a research professor and director of the Information Systems Research Program at UCLA Anderson School of Management, said data is always permanent in the digital realm.

Swanson added that people should be cognizant of where their data goes, but that it is also the responsibility of a company to ensure records are secure. In this case, it was a serious issue for Illuminate Education – which claims to prioritize security – to have their student records breached, he said.

“Any time you interact online, … the data that is associated with that transaction or interaction is recorded and becomes essentially owned, often by a platform with which you’re interacting and that data is there forever, more or less,” Swanson said.

Ramesh Srinivasan, an information studies professor at the UCLA Graduate School of Education & Information Studies, said he believes companies who profit off of data collection are seldom held accountable for their misdeeds to those who are affected.

“There needs to be, at the minimum, that understanding that there are these massive forces at work that are collecting, capturing, storing and computing to make decisions essentially about everything from what we might desire to what we might consume to how we might feel,” he said.

Srinivasan added that the data of minors should be at the forefront of protective legislation.

“It’s very troubling to have children be the site of data surveillance,” he said.