BILL NUMBER: SB 1177	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  JULY 2, 2014
	AMENDED IN ASSEMBLY  JUNE 10, 2014
	AMENDED IN ASSEMBLY  JUNE 5, 2014
	AMENDED IN SENATE  APRIL 21, 2014

INTRODUCED BY   Senator Steinberg

                        FEBRUARY 20, 2014

   An act to add Chapter 22.2 (commencing with Section 22584) to
Division 8 of the Business and Professions Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 1177, as amended, Steinberg. Privacy: students.
   Existing law, on and after January 1, 2015, prohibits an operator
of an Internet Web site or online service from knowingly using,
disclosing, compiling, or allowing a 3rd party to use, disclose, or
compile the personal information of a minor for the purpose of
marketing or advertising specified types of products or services.
Existing law also makes this prohibition applicable to an advertising
service that is notified by an operator of an Internet Web site,
online service, online application, or mobile application that the
site, service, or application is directed to a minor.
   This bill would prohibit an operator of an Internet Web site,
online service, online application, or mobile application with actual
knowledge that the site, service, or application is used for K-12
school purposes, as defined, and was designed and marketed for K-12
school  purposes   purposes,  from using,
sharing, disclosing, or compiling covered information, as defined,
about a K-12 student for any purpose other than  the
 K-12 school  purpose and for maintaining,
developing, and improving the integrity and effectiveness of the
site, service, or application, as specified.   purposes.
 The bill would  generally  prohibit  these
operators of Internet Web sites, online services, online
applications, or mobile applications   an operator 
from selling  or disclosing  the  covered 
information of a student. The bill would require  these
operators of Internet Web sites, online services, online
applications, or mobile applications to ensure that covered
information is protected in a manner that meets or exceeds reasonable
and appropriate commercial best practices   an operator
to implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to protect
the personal information from unauthorized access, destruction, use,
modification, or disclosure,  and to delete a student's covered
information if the school or district requests  deletion.
  deletion of data under the control of the school or
district. The bill would authorize the disclosure of covered
information of a student under specified circumstances.  The
bill's provisions would become operative January 1, 2016.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Chapter 22.2 (commencing with Section 22584) is added
to Division 8 of the Business and Professions Code, to read:
      CHAPTER 22.2.  STUDENT ONLINE PERSONAL INFORMATION PROTECTION
ACT


   22584.  (a) An operator  of an Internet Web site, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used primarily
for K-12 school purposes and was designed and marketed for K-12
school purposes  shall comply with all of the following
 requirements:   with respect to the site,
service, or application of the operator: 
   (1) It shall not use, share, disclose, or compile covered
information about a K-12 student for any  purpose in furtherance
of targeted advertising or to amass a profile on a student for any
 purpose other than  the  K-12 school 
purpose and   purposes. Nothing in this provision shall
be construed to prohibit the use of information  for
maintaining, developing,  and   or 
improving  the integrity and effectiveness of  the
site, service, or  application, as long as no personal
information is used for any purpose in furtherance of targeted
advertising or to amass a profile on the student for purposes other
than K-12 school purposes.   application of the
operator. 
   (2) It shall not sell or disclose a student's  covered
 information.  This prohibition does not apply to the
purchase, merger, or other type of acquisition of an entity that
operates an Internet Web site, online service, online application, or
mobile application by another   entity.  
   (3) It shall take reasonable steps to protect the covered
information at rest and in transmission in a manner that meets or
exceeds reasonable and appropriate commercial best practices.
 
   (3) It shall implement and maintain reasonable security procedures
and practices appropriate to the nature of the information, to
protect the personal information from unauthorized access,
destruction, use, modification, or disclosure. 
   (b) An operator of an Internet Web site, online service,
online application, or mobile application with actual knowledge that
the site, service, or application is used primarily for K-12 school
purposes and that it was designed and marketed for K-12 school
purposes  shall delete a student's covered information if
the school or district requests  deletion.  
deletion of data under the control of the school or district. 
   (c) Notwithstanding subdivision (a), an operator  of an
Internet Web site, online service, online application, or mobile
application  may disclose covered information of a student
 if other provisions of federal or state law require the
operator to disclose the information, and the operator complies with
the requirements of federal and state law in protecting and
disclosing that information.   under the following
circumstances:  
   (1) If other provisions of federal or state law require the
operator to disclose the information, and the operator complies with
the requirements of federal and state law in protecting and
disclosing that information.  
   (2) For legitimate research purposes as required by state and
federal law and subject to the restrictions under state and federal
law or as allowed by state and federal law and under the direction of
a school, school district, or state department of education, if no
covered information is used for any purpose in furtherance of
advertising or to amass a profile on the student for purposes other
than K-12 school purposes.  
   (d) An operator may use deidentified student covered information,
including aggregated and deidentified student covered information, as
follows:  
   (1) Within the operator's site, service, or application or other
sites, services, or applications owned by the operator to improve
educational products, for adaptive learning purposes, and for
customizing student learning.  
   (2) To demonstrate the effectiveness of the operator's products,
including in their marketing.  
   (3) An operator may share aggregated deidentified student covered
information for the development and improvement of educational sites,
services, or applications.  
   (d) An "online 
    (e)     "Online  service" includes
cloud computing services. 
   (e) Notwithstanding subdivision (a), an operator of an Internet
Web site, online service, online application, or mobile application
may disclose covered information of a student for legitimate research
purposes as required by state and federal law and subject to the
restrictions under state and federal law or as allowed by state and
federal law and under the direction of a school, school district, or
state department of education, as long as no covered information is
used for any purpose in furtherance of advertising or to amass a
profile on the student for purposes other than K-12 school purposes.
 
    (f) "Operator" means the operator of an Internet Web site, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used primarily
for K-12 school purposes and was designed and marketed for K-12
school purposes.  
   (f) 
    (g)  "Covered information" means  personally
identifiable  information or materials in any media or format
that meets any of the following:
   (1) Are created or provided by a student, or the student's parent
or legal guardian, in the course of the student's, parent's,  or
 legal  guardian's,   guardian's  use
of the site, service, or application for K-12 school purposes.
   (2) Are created or provided by an employee or agent of the
educational institution.
   (3) Are gathered by the site, service, or application, that is
descriptive of a student or otherwise  identified 
 personally identifies  a student, including, but not
limited to, information in the student's educational record or email,
first and last name, home address, telephone number, email address,
or other information that allows physical or online contact,
discipline records, test results, special education data, juvenile
dependency records, grades, evaluations, criminal records, medical
records, health records, social security number, biometric
information, disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text messages,
documents, persistent unique identifiers, search activity, photos,
voice recordings, or geolocation information. 
   (g) 
   (h)  "K-12 school purposes" means purposes that
customarily take place at the direction of the school, teacher, or
school district or aid in the administration of school activities,
including, but not limited to, instruction in the classroom or at
home, administrative activities, and collaboration between students,
school personnel, or parents, or are for the use and benefit of the
school. 
   (h) 
    (i)  This section shall not be construed to limit the
authority of a law enforcement agency to obtain any content or
information from an operator as authorized by law or pursuant to an
order of a court of competent jurisdiction. 
   (j) This section does not limit the ability of an operator of an
Internet Web site, online service, online application, or mobile
application to use student data for adaptive learning or customized
student learning purposes.  
   (i) 
    (k)  This chapter does not apply to general audience
Internet Web sites, general audience online services, general
audience online applications, or general audience mobile
applications. 
   (j) 
    (l)  This section does not limit Internet service
providers from providing Internet connectivity to schools or students
and their families. 
   (k) (1) An operator of an Internet Web site, online service,
online application, or mobile application may use deidentified
student covered information, including aggregated deidentified
student covered information, within the operator's site, service, or
application or other sites, services, or applications owned by the
operator to improve educational products, for adaptive learning
purposes, and for customizing student learning.  
   (2) An operator of an Internet Web site, online service, online
application, or mobile application may use deidentified student
covered information, including aggregated deidentified student
covered information, to demonstrate the effectiveness of the operator'
s products, including in their marketing.  
   (3) An operator of an Internet Web site, online service, online
application, or mobile application may share aggregated deidentified
student covered information for the development and improvement of
educational sites, services, or applications.  
   (l) 
    (m)  This section shall not be construed to prohibit an
operator of an Internet Web site, online service, online application,
or mobile application from marketing educational products directly
to parents so long as the marketing was not the result of student
covered information  provided to   obtained by
 the operator  of the Internet Web site, online service,
online application, or mobile application.   through
the provision of services covered under this section.  
   (n) This section does not impose a duty upon a provider of an
electronic store, gateway, marketplace, or other means of purchasing
or downloading software or applications to review or enforce
compliance of this section on those applications or software. 

   (o) This section does not impede the ability of students to
download, export, or otherwise save or maintain their own student
created data or documents. 
   22585.  This chapter shall become operative on January 1, 2016.
  SEC. 2.  The provisions of this act are severable. If any provision
of this act or its application is held invalid, that invalidity
shall not affect other provisions or applications that can be given
effect without the invalid provision or application.