BILL NUMBER: SB 1177	INTRODUCED
	BILL TEXT


INTRODUCED BY   Senator Steinberg

                        FEBRUARY 20, 2014

   An act to add Chapter 22.2 (commencing with Section 22584) to
Division 8 of the Business and Professions Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 1177, as introduced, Steinberg. Privacy: students.
   Existing law, on and after January 1, 2015, prohibits an operator
of an Internet Web site or online service from knowingly using,
disclosing, compiling, or allowing a 3rd party to use, disclose, or
compile the personal information of a minor for the purpose of
marketing or advertising specified types of products or services.
Existing law also makes this prohibition applicable to an advertising
service that is notified by an operator of an Internet Web site,
online service, online application, or mobile application that the
site, service, or application is directed to a minor.
   This bill would prohibit an operator of an Internet Web site,
online service, online application, or mobile application with actual
knowledge that the site, service, or application is used for K-12
school purposes and was designed and marketed for K-12 school
purposes from using, sharing, disclosing, or compiling personal
information about a K-12 student for commercial purposes. This bill
would require an operator of an Internet Web site, online service,
online application, or mobile application with actual knowledge that
the site, service, or application is used for K-12 school purposes
and was designed and marketed for K-12 school purposes to ensure that
specified encryption processes are used, to provide a notice to the
operator of a secondary site, service, or application that is
accessible through the noticing operator's site, service, or
application that their secondary site, service, or application is
used for K-12 school purposes on a site, service, or application
designed and marketed for K-12 school purposes, and to delete a
student's personal information under specified circumstances.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Chapter 22.2 (commencing with Section 22584) is added
to Division 8 of the Business and Professions Code, to read:
      CHAPTER 22.2.  STUDENT ONLINE PERSONAL INFORMATION PROTECTION
ACT


   22584.  (a) An operator of an Internet Web site, online service,
online application, or mobile application with actual knowledge that
the site, service, or application is used for K-12 school purposes
and was designed and marketed for K-12 school purposes shall comply
with all of the following requirements:
   (1) It shall not use, share, disclose, or compile personal
information about a K-12 student for any purpose other than the K-12
school purpose and for maintaining the integrity of the site,
service, or application.
   (2) It shall not use, share, disclose, or compile a student's
personal information for any commercial purpose, including, but not
limited to, advertising or profiling.
   (3) It shall not allow, facilitate, or aid in the marketing or
advertising of a product or service to a K-12 student on the site,
service, or application.
   (4) It shall take all reasonable steps to protect the data at rest
and in motion in a manner that meets or exceeds commercial best
practices. An operator shall be deemed to be in compliance with this
paragraph if the operator ensures the following:
   (A) Valid encryption processes for data at rest are consistent
with NIST Special Publication 800-111, Guide to Storage Encryption
Technologies for End User Devices.
   (B) Valid encryption processes for data in motion are those that
comply, as appropriate, with NIST Special Publications 800-52,
Guidelines for the Selection and Use of Transport Layer Security
(TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide
to SSL VPNs, or others that are Federal Information Processing
Standards (FIPS) 140-2 validated.
   (b) (1) An operator of an Internet Web site, online service,
online application, or mobile application with actual knowledge that
the site, service, or application is used for K-12 school purposes
and the site, service, or application was designed and marketed for
K-12 school purposes shall provide a notice to the operator of a
secondary site, service, or application that is accessible through
the noticing operator's site, service, or application that the
secondary site, service, or application is used for K-12 school
purposes on a site, service, or application designed and marketed for
K-12 school purposes.
   (2) An operator of a site, service, or application designed and
marketed for K-12 school purposes shall comply with this section upon
either receiving notice under paragraph (1) that the site, service,
or application is used for K-12 school purposes or if the operator
otherwise has actual knowledge that the site, service, or application
is used for K-12 school purposes.
   (3) An operator that fails to provide the notice required by
paragraph (1) to a secondary site, service, or application shall be
liable for the secondary site, service, or application's compliance
with this section, unless that secondary site, service, or
application had actual knowledge it was being used for K-12 purposes
and was designed and marketed for K-12 school purposes.
   (c) An operator of an Internet Web site, online service, online
application, or mobile application with actual knowledge that the
site, service, or application is used for K-12 school purposes and
that it was designed and marketed for K-12 school purposes shall
delete a student's personal information if any of the following
occurs:
   (1) The site, service or application is no longer used for the
original K-12 school purpose.
   (2) The student requests deletion, unless it is being used at the
direction of a school or district for legitimate educational purposes
and is under the control of the school or district.
   (3) The student ceases to be a student at the institution and the
operator becomes aware the student is no longer a student, unless it
is being used at the direction of a school or district for legitimate
educational purposes and is under the control of the school or
district.
   (d) Notwithstanding subdivision (a), an operator of an Internet
Web site, online service, online application, or mobile application
may disclose personal information of a student if other provisions of
federal or state law require the operator to disclose the
information, and the operator complies with the requirements of
federal and state law in disclosing that information.
   (e) An "online service" includes cloud computing services.
   (f) Notwithstanding subdivision (a), an operator of an Internet
Web site, online service, online application, or mobile application
may disclose personal information of a student for legitimate
research purposes as required by state and federal law and subject to
the restrictions under state and federal law.
   (g) For purposes of this section, "personal information" shall
mean any information or materials in any media or format created or
provided by a student, or the student's parent or legal guardian, in
the course of the student's, or parent's or legal guardian's, use of
the site, service, or application or an employee or agent of the
educational institution, or gathered by the site, service, or
application, that is related to a student and shall include, but not
be limited to, information in the student's educational record, the
student's email address, first and last name, home address, telephone
number, other information that permits physical or online contact of
a specific individual, discipline records, test results, special
education data, juvenile delinquency records, grades, evaluations,
criminal records, medical records, health records, social security
number, biometric information, disabilities, socioeconomic
information, food purchases, political affiliations, religious
information, email messages, documents, unique identifiers, profile,
search activity, location information, Internet Protocol (IP)
address, metadata, any aggregation or derivative thereof, or any
information gained through tracking, including login and logoff
information, searches, typing, photos, voice recordings, and
geolocation information.
   (h) This section shall not be construed to limit the authority of
a law enforcement agency to obtain any content or information from an
operator as authorized by law or pursuant to an order of a court of
competent jurisdiction.
   (i) It is not the intent of the Legislature for this chapter to
apply to general audience Internet Web sites.
  SEC. 2.  The provisions of this act are severable. If any provision
of this act or its application is held invalid, that invalidity
shall not affect other provisions or applications that can be given
effect without the invalid provision or application.