Amended in Assembly June 10, 2014

Amended in Assembly June 5, 2014

Amended in Senate April 21, 2014

Senate Bill No. 1177


Introduced by Senator Steinberg

February 20, 2014


An act to add Chapter 22.2 (commencing with Section 22584) to Division 8 of the Business and Professions Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

SB 1177, as amended, Steinberg. Privacy: students.

Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.

This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes, as defined, and was designed and marketed for K-12 school purposes from using, sharing, disclosing, or compiling [begin delete]personal[end delete] [begin insert]covered[end insert] information[begin insert], as defined,[end insert] about a K-12 student for any purpose other than the K-12 school purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as specified. The bill would prohibit these operators of Internet Web sites, online services, online applications, or mobile applications from selling the [begin delete]personal[end delete] [begin insert]covered[end insert] information of a student. The bill would require these operators of Internet Web sites, online services, online applications, or mobile applications to ensure that [begin delete]specified encryption processes are used[end delete] [begin insert]covered information is protected in a manner that meets or exceeds reasonable and appropriate commercial best practices[end insert] and to delete a student’s [begin delete]personal[end delete] [begin insert]covered[end insert] information [begin delete]under specified circumstances[end delete] [begin insert]if the school or district requests deletion[end insert]. The bill’s provisions would become operative January 1, 2016.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Chapter 22.2 (commencing with Section 22584) is added to Division 8 of the Business and Professions Code, to read:

Chapter 22.2. Student Online Personal Information Protection Act

22584. (a) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used [begin insert]primarily[end insert] for K-12 school purposes and was designed and marketed for K-12 school purposes shall comply with all of the following requirements:

(1) It shall not use, share, disclose, or compile [begin delete]personal[end delete] [begin insert]covered[end insert] information about a K-12 student for any purpose other than the K-12 school purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as long as no personal information is used for any purpose in furtherance of [begin insert]targeted[end insert] advertising or to amass a profile on the student for purposes other than K-12 school purposes.

(2) It shall not sell [begin insert]or disclose[end insert] a student’s [begin delete]personal[end delete] [begin insert]covered[end insert] information.

[begin delete](3) It shall not allow, facilitate, or aid in the marketing or advertising of a product or service to a K-12 student on the site, service, or application.[end delete]

[begin delete](4)[end delete] [begin insert](3)[end insert] It shall take reasonable steps to protect the [begin delete]personal[end delete] [begin insert]covered[end insert] information [begin delete]data[end delete] at rest and in [begin delete]motion[end delete] [begin insert]transmission[end insert] in a manner that meets or exceeds reasonable and appropriate commercial best practices. [begin delete]An operator shall be deemed to be in compliance with this paragraph if the operator ensures the following:[end delete]

[begin delete](A) Valid encryption processes for data at rest in the operator’s own data storage systems are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.[end delete]

[begin delete](B) Valid encryption processes for data in motion on public networks are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; NIST Special Publication 800-77, Guide to IPsec VPNs; or NIST Special Publication 800-113, Guide to SSL VPNs, or others that are Federal Information Processing Standards (FIPS) Publication 140-2 validated.[end delete]

(b) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used [begin insert]primarily[end insert] for K-12 school purposes and that it was designed and marketed for K-12 school purposes shall delete a student’s [begin delete]personal[end delete] [begin insert]covered[end insert] information if [begin delete]any of the following occurs:[end delete] [begin insert]the school or district requests deletion.[end insert]

[begin delete](1) The site, service, or application has actual knowledge that it is no longer used for K-12 school purposes. This paragraph shall not apply to information that is being used or maintained at the direction of a school or school district and is under the direct control of the school or district, or information that is being used by a student and is under the direct control of the student.

(2) The student requests deletion of information being used at the direction of the student or that is under the direct control of the student.

(3) The school or school district requests deletion of information being used at the direction of a school or district and that is under the control of the school or school district.[end delete]

(c) Notwithstanding subdivision (a), an operator of an Internet Web site, online service, online application, or mobile application may disclose [begin delete]personal[end delete] [begin insert]covered[end insert] information of a student if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.

(d) An “online service” includes cloud computing services.

(e) Notwithstanding subdivision (a), an operator of an Internet Web site, online service, online application, or mobile application may disclose [begin delete]personal[end delete] [begin insert]covered[end insert] information of a student for legitimate research purposes as required by state and federal law and subject to the restrictions under state and federal law or as allowed by state and federal law and under the direction of a school, school district, or state department of education, as long as no [begin delete]personal[end delete] [begin insert]covered[end insert] information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes.

[begin delete](f) For purposes of this section, “personal information” shall mean any information or materials in any media or format created or provided by a student, or the student’s parent or legal guardian, in the course of the student’s, or parent’s or legal guardian’s, use of the site, service, or application or an employee or agent of the educational institution, or gathered by the site, service, or application, that is related to a student and shall include, but not be limited to, information in the student’s educational record, the student’s e-mail address, first and last name, home address, telephone number, other information that permits physical or online contact of a specific individual, discipline records, test results, special education data, juvenile delinquency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, e-mail messages, documents, unique identifiers, profile, search activity, location information, Internet Protocol (IP) address, metadata, any aggregation or derivative thereof, or any information gained through tracking, including login and logoff information, searches, typing, photos, voice recordings, and geolocation information.[end delete]

[begin insert](f) “Covered information” means information or materials in any media or format that meets any of the following:[end insert]

[begin insert](1) Are created or provided by a student, or the student’s parent or legal guardian, in the course of the student’s, parent’s, legal guardian’s, use of the site, service, or application for K-12 school purposes.[end insert]

[begin insert](2) Are created or provided by an employee or agent of the educational institution.[end insert]

[begin insert](3) Are gathered by the site, service, or application, that is descriptive of a student or otherwise identified a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.[end insert]

(g) [begin delete]For purposes of this section, [end delete]“K-12 school purposes” [begin delete]shall mean[end delete] [begin insert]means[end insert] purposes that customarily take place at the direction of the school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

(h) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(i) [begin delete]It is not the intent of the Legislature for this chapter to[end delete] [begin insert]This chapter does not[end insert] apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications.

(j) [begin delete]It is not the intent of the Legislature for this section to[end delete] [begin insert]This section does not[end insert] limit Internet service providers from providing Internet connectivity to schools or students and their families.

(k) (1) An operator of an Internet Web site, online service, online application, or mobile application may use deidentified student [begin delete]personal[end delete] [begin insert]covered[end insert] information, including aggregated deidentified student [begin delete]personal[end delete] [begin insert]covered[end insert] information, within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational products, for adaptive learning purposes, and for customizing student learning.

(2) An operator of an Internet Web site, online service, online application, or mobile application may use deidentified student [begin delete]personal[end delete] [begin insert]covered[end insert] information, including aggregated deidentified student [begin delete]personal[end delete] [begin insert]covered[end insert] information, to demonstrate the effectiveness of the operator’s products, including in their marketing.

(3) An operator of an Internet Web site, online service, online application, or mobile application may share aggregated deidentified student [begin delete]personal[end delete] [begin insert]covered[end insert] information for the development and improvement of educational sites, services, or applications.

(l) This section shall not be construed to prohibit an operator of an Internet Web site, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing was not the result of student [begin delete]personal[end delete] [begin insert]covered[end insert] information provided to the operator of the Internet Web site, online service, online application, or mobile application.

22585. This chapter shall become operative on January 1, 2016.

SEC. 2. The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.


