Senate BillNo. 1177

8

22584.  

(a) An operator of an Internet Web site, online service,
9online application, or mobile application with actual knowledge
10that the site, service, or application is used for K-12 school
11purposes and was designed and marketed for K-12 school purposes
12shall comply with all of the following requirements:

13(1) It shall not use, share, disclose, or compile personal
14information about a K-12 student for any purpose other than the
15K-12 school purpose and for maintaining the integrity of the site,
16service, or application.

17(2) It shall not use, share, disclose, or compile a student’s
18personal information for any commercial purpose, including, but
19not limited to, advertising or profiling.

20(3) It shall not allow, facilitate, or aid in the marketing or
21advertising of a product or service to a K-12 student on the site,
22service, or application.

23(4) It shall take all reasonable steps to protect the data at rest
24and in motion in a manner that meets or exceeds commercial best
25practices. An operator shall be deemed to be in compliance with
26this paragraph if the operator ensures the following:

27(A) Valid encryption processes for data at rest are consistent
28with NIST Special Publication 800-111, Guide to Storage
29Encryption Technologies for End User Devices.

30(B) Valid encryption processes for data in motion are those that
31comply, as appropriate, with NIST Special Publications 800-52,
32Guidelines for the Selection and Use of Transport Layer Security
P3    1 (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113,
2Guide to SSL VPNs, or others that are Federal Information
3Processing Standards (FIPS) 140-2 validated.

4(b) (1) An operator of an Internet Web site, online service,
5online application, or mobile application with actual knowledge
6that the site, service, or application is used for K-12 school
7purposes and the site, service, or application was designed and
8marketed for K-12 school purposes shall provide a notice to the
9operator of a secondary site, service, or application that is
10accessible through the noticing operator’s site, service, or
11application that the secondary site, service, or application is used
12for K-12 school purposes on a site, service, or application designed
13and marketed for K-12 school purposes.

14(2) An operator of a site, service, or application designed and
15marketed for K-12 school purposes shall comply with this section
16upon either receiving notice under paragraph (1) that the site,
17service, or application is used for K-12 school purposes or if the
18operator otherwise has actual knowledge that the site, service, or
19application is used for K-12 school purposes.

20(3) An operator that fails to provide the notice required by
21paragraph (1) to a secondary site, service, or application shall be
22liable for the secondary site, service, or application’s compliance
23with this section, unless that secondary site, service, or application
24had actual knowledge it was being used for K-12 purposes and
25was designed and marketed for K-12 school purposes.

26(c) An operator of an Internet Web site, online service, online
27application, or mobile application with actual knowledge that the
28site, service, or application is used for K-12 school purposes and
29that it was designed and marketed for K-12 school purposes shall
30delete a student’s personal information if any of the following
31occurs:

32(1) The site, service or application is no longer used for the
33original K-12 school purpose.

34(2) The student requests deletion, unless it is being used at the
35direction of a school or district for legitimate educational purposes
36and is under the control of the school or district.

37(3) The student ceases to be a student at the institution and the
38operator becomes aware the student is no longer a student, unless
39it is being used at the direction of a school or district for legitimate
P4    1educational purposes and is under the control of the school or
2district.

3(d) Notwithstanding subdivision (a), an operator of an Internet
4Web site, online service, online application, or mobile application
5may disclose personal information of a student if other provisions
6of federal or state law require the operator to disclose the
7information, and the operator complies with the requirements of
8federal and state law in disclosing that information.

9(e) An “online service” includes cloud computing services.

10(f) Notwithstanding subdivision (a), an operator of an Internet
11Web site, online service, online application, or mobile application
12may disclose personal information of a student for legitimate
13research purposes as required by state and federal law and subject
14to the restrictions under state and federal law.

15(g) For purposes of this section, “personal information” shall
16mean any information or materials in any media or format created
17or provided by a student, or the student’s parent or legal guardian,
18in the course of the student’s, or parent’s or legal guardian’s, use
19of the site, service, or application or an employee or agent of the
20educational institution, or gathered by the site, service, or
21application, that is related to a student and shall include, but not
22be limited to, information in the student’s educational record, the
23student’s email address, first and last name, home address,
24telephone number, other information that permits physical or online
25contact of a specific individual, discipline records, test results,
26special education data, juvenile delinquency records, grades,
27evaluations, criminal records, medical records, health records,
28social security number, biometric information, disabilities,
29socioeconomic information, food purchases, political affiliations,
30religious information, email messages, documents, unique
31identifiers, profile, search activity, location information, Internet
32Protocol (IP) address, metadata, any aggregation or derivative
33thereof, or any information gained through tracking, including
34login and logoff information, searches, typing, photos, voice
35recordings, and geolocation information.

36(h) This section shall not be construed to limit the authority of
37a law enforcement agency to obtain any content or information
38from an operator as authorized by law or pursuant to an order of
39a court of competent jurisdiction.

P5    1(i) It is not the intent of the Legislature for this chapter to apply
2to general audience Internet Web sites.