SB 1177, as amended, Steinberg. Privacy: students.
Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.
This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes, as defined, and was designed and marketed for K-12 school
purposes from using, sharing, disclosing, or compiling personal information about a K-12 student forbegin delete commercial purposes. This bill would require an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes and was designed and marketed for K-12 school purposesend deletebegin insert any purpose other than the K-12 school purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as specified. The bill would prohibit these operators of Internet Web sites, online services, online applications, or mobile applications from selling the personal information of a student. The bill would require these operators of Internet Web sites, online services, online applications, or mobile
applicationsend insert to ensure that specified encryption processes are used and to delete a student’s personal information under specified circumstances.begin insert The bill’s provisions would become operative January 1, 2016.end insert
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.2 (commencing with Section 22584)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
(a) An operator of an Internet Web site, online service,
9online application, or mobile application with actual knowledge
10that the site, service, or application is used for K-12 school
11purposes and was designed and marketed for K-12 school purposes
12shall comply with all of the following requirements:
13(1) It shall not use, share, disclose, or compile personal
14information about a K-12 student for any purpose other than the
15K-12 school purpose and for maintaining, developing, and
16improving the integrity and effectiveness of the site, service, or
17application, as long as no personal information is used for any
18purpose in furtherance of advertising or to amass a profile on the
19student for purposes other than K-12 school purposes.
20(2) It shall not use, share, disclose, or compile a student’s
21personal information for any commercial purpose, including, but
22not limited to, advertising or profiling.
23(2) It shall not sell a student’s personal information.
end insert
P3 1(3) It shall not allow, facilitate, or aid in the marketing or
2advertising of a product or service to a K-12 student on the site,
3service, or application.
4(4) It shall take reasonable steps to protect the personal
5information data at rest and in motion in a manner that meets or
6exceeds reasonable and appropriate commercial best practices. An
7operator shall be deemed to be in compliance with this paragraph
8if the operator ensures the following:
9(A) Valid encryption processes for data at rest in the operator’s
10own data storage systems are consistent with NIST Special
11Publication 800-111, Guide to Storage Encryption Technologies
12for End User Devices.
13(B) Valid encryption processes for data in motion on public
14networks are those that comply, as appropriate, with NIST Special
15Publications 800-52, Guidelines for the Selection and Use of
16Transport Layer Security (TLS) Implementations; NIST Special
17Publication 800-77, Guide to IPsec VPNs; or NIST Special
18Publication 800-113, Guide to SSL VPNs, or others that are Federal
19Information Processing Standards (FIPS) Publication 140-2
20validated.
21(b) An operator of an Internet Web site, online service, online
22application, or mobile application with actual knowledge that the
23site, service, or application is used for K-12 school purposes and
24that it was designed and marketed for K-12 school purposes shall
25delete a student’s personal information if any of the following
26occurs:
27(1) The site, service, or application has actual
knowledge that
28it is no longer used for K-12 schoolbegin delete purposes, unless theend deletebegin insert purposes.
29This paragraph shall not apply toend insert informationbegin insert thatend insert is being used
30or maintained at the direction of a school or school district and is
31under the direct control of the school orbegin delete district.end deletebegin insert district, or
32information that is being used by a student and is under the direct
33control of the student.end insert
34(2) The student requestsbegin delete deletion, unless it isend deletebegin insert
deletion of
35informationend insert being used at the direction ofbegin delete a school or district andend delete
36begin insert the student or thatend insert is under thebegin insert directend insert control of thebegin delete school or begin insert student.end insert
37district.end delete
38(3) The school or school district requests deletionbegin insert of information
39being used at the direction of a school or district and that is under
40the control of the school or school
districtend insert.
P4 1(c) Notwithstanding subdivision (a), an operator of an Internet
2Web site, online service, online application, or mobile application
3may disclose personal information of a student if other provisions
4of federal or state law require the operator to disclose the
5information, and the operator complies with the requirements of
6federal and state law in protecting and disclosing that information.
7(d) An “online service” includes cloud computing services.
8(e) Notwithstanding subdivision (a), an operator of an Internet
9Web site, online service, online application, or mobile application
10may disclose personal information of a student for legitimate
11research purposes as required by state and federal law and subject
12to the restrictions under state and federal law or as allowed by state
13and
federal law and under the direction of a school, school district,
14or state department of education, as long as no personal information
15is used for any purpose in furtherance of advertising or to amass
16a profile on the student for purposes other than K-12 school
17purposes.
18(f) For purposes of this section, “personal information” shall
19mean any information or materials in any media or format created
20or provided by a student, or the student’s parent or legal guardian,
21in the course of the student’s, or parent’s or legal guardian’s, use
22of the site, service, or application or an employee or agent of the
23educational institution, or gathered by the site, service, or
24application, that is related to a student and shall include, but not
25be limited to, information in the student’s educational record, the
26student’s e-mail address, first and last name, home address,
27telephone number, other information that permits physical or online
28contact of a specific
individual, discipline records, test results,
29special education data, juvenile delinquency records, grades,
30evaluations, criminal records, medical records, health records,
31social security number, biometric information, disabilities,
32socioeconomic information, food purchases, political affiliations,
33religious information, e-mail messages, documents, unique
34identifiers, profile, search activity, location information, Internet
35Protocol (IP) address, metadata, any aggregation or derivative
36thereof, or any information gained through tracking, including
37login and logoff information, searches, typing, photos, voice
38recordings, and geolocation information.
39(g) For purposes of this section, “K-12 school purposes” shall
40mean purposes that customarily take place at the direction of the
P5 1school, teacher, or school district or aid in the administration of
2school activities, including, but not limited to, instruction in the
3classroom or at home,
administrative activities, and collaboration
4between students, school personnel, or parents, or are for the use
5and benefit of the school.
6(h) This section shall not be construed to limit the authority of
7a law enforcement agency to obtain any content or information
8from an operator as authorized by law or pursuant to an order of
9a court of competent jurisdiction.
10(i) It is not the intent of the Legislature for this chapter to apply
11to general audience Internet Web sitesbegin insert, general audience online
12services, general audience online applications, or general audience
13mobile applicationsend insert.
14(j) It is not the intent of the Legislature for this section to limit
15Internet service providers from providing Internet
connectivity to
16schools or students and their families.
17(k) (1) An operator of an Internet Web site, online service,
18online application, or mobile application may use deidentified
19student personal informationbegin insert, including aggregated deidentified
20student personal information,end insert within the operator’s site, service,
21or application or other sites, services, or applications owned by
22the operator to improve educational products, for adaptive learning
23purposes, and for customizing student learning.
24(2) Subparagraph (1) shall not apply if the
deidentified student
25personal information is used for purposes of advertising.
26(2) An operator of an Internet Web site, online service, online
27application, or mobile application may use deidentified student
28personal information, including aggregated deidentified student
29personal information, to demonstrate the effectiveness of the
30operator’s products, including in their marketing.
31(3) An operator of an Internet Web site, online service, online
32application, or mobile application may share aggregated
33deidentified student personal information for the development and
34improvement of educational sites, services, or applications.
35(l) This section shall not be construed to prohibit an operator
36of an Internet Web site, online service, online application, or
37mobile application from marketing educational products directly
38to parents so long as the marketing was not the result of student
39personal information provided to the operator of the Internet Web
40site, online service, online application, or mobile application.
This chapter shall become operative on January 1,
22016.
The provisions of this act are severable. If any
4provision of this act or its application is held invalid, that invalidity
5shall not affect other provisions or applications that can be given
6effect without the invalid provision or application.
O
97