BILL NUMBER: SB 1177	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  AUGUST 21, 2014
	AMENDED IN ASSEMBLY  AUGUST 4, 2014
	AMENDED IN ASSEMBLY  JULY 2, 2014
	AMENDED IN ASSEMBLY  JUNE 10, 2014
	AMENDED IN ASSEMBLY  JUNE 5, 2014
	AMENDED IN SENATE  APRIL 21, 2014

INTRODUCED BY   Senator Steinberg

                        FEBRUARY 20, 2014

   An act to add Chapter 22.2 (commencing with Section 22584) to
Division 8 of the Business and Professions Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 1177, as amended, Steinberg. Privacy: students.
   Existing law, on and after January 1, 2015, prohibits an operator
of an Internet Web site or online service from knowingly using,
disclosing, compiling, or allowing a 3rd party to use, disclose, or
compile the personal information of a minor for the purpose of
marketing or advertising specified types of products or services.
Existing law also makes this prohibition applicable to an advertising
service that is notified by an operator of an Internet Web site,
online service, online application, or mobile application that the
site, service, or application is directed to a minor.
   This bill would prohibit an operator of an Internet Web site,
online service, online application, or mobile application 
with actual knowledge that the site, service, or application is used
for K-12 school purposes, as defined, and was designed and marketed
for K-12 school purposes, from using, sharing, disclosing, or
compiling information, as defined, about a K-12 student for any
purpose other than K-12 school purposes. The bill would generally
prohibit an operator from selling or disclosing the information of a
student.   from knowingly engaging in targeted
advertising to students or their parents or legal guardians, using
covered information to amass a profile about a K-12 student, selling
a student's information, or disclosing covered information, as
provided.  The bill would require an operator to implement and
maintain reasonable security procedures and practices appropriate to
the nature of the  covered  information, to protect the
 personal  information from unauthorized access,
destruction, use, modification, or disclosure, and to delete a
student's covered information if the school or district requests
deletion of data under the control of the school or district. The
bill would authorize the disclosure of covered information of a
student under specified circumstances. The bill's provisions would
become operative January 1, 2016.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Chapter 22.2 (commencing with Section 22584) is added
to Division 8 of the Business and Professions Code, to read:
      CHAPTER 22.2.  STUDENT ONLINE PERSONAL INFORMATION PROTECTION
ACT


   22584.  (a)  An   For the purposes of this
section, "operator" means the operator of an Internet Web site,
online service, online application, or mobile application with actual
knowledge that the site, service, or application is used primarily
for K-12 school purposes and was designed and marketed for K-12
school purposes. 
    (b)     An  operator shall 
comply with all of the following with respect to the site, service,
or application of the operator:   not knowingly engage
in any of the following activities with respect to their site,
service, or application:  
   (1) It shall not use, share, disclose, or compile information
about a K-12 student for any purpose in furtherance of targeted
advertising or to amass a profile on a student for any purpose other
than K-12 school purposes. Nothing in this provision shall be
construed to prohibit the use of information for maintaining,
developing, or improving the site, service, or application of the
operator.  
   (1) (A) Engage in targeted advertising on the operator's site,
service, or application, or (B) target advertising on any other site,
service, or application when the targeting of the advertising is
based upon any information, including covered information and
persistent unique identifiers, that the operator has acquired because
of the use of that operator's site, service, or application
described in subdivision (a).  
   (2) Use information, including persistent unique identifiers,
created or gathered by the operator's site, service, or application,
to amass a profile about a K-12 student except in furtherance of K-12
school purposes.  
   (2) It shall not sell or disclose 
    (3)     Sell  a student's 
information.   information, including covered
information.  This prohibition does not apply to the purchase,
merger, or other type of acquisition of an  entity that
operates an Internet Web site, online service, online application, or
mobile application   operator  by another entity
 , provided that the operator or successor entity continues to be
subject to the provisions of this section with respect to previously
acquired student information  . 
   (4) Disclose covered information unless the disclosure is made:
 
   (A) In furtherance of the K-12 purpose of the site, service, or
application, provided the recipient of the covered information
disclosed pursuant to this subparagraph:  
   (i) Shall not further disclose the information unless done to
allow or improve operability and functionality within that student's
classroom or school; and  
   (ii) Is legally required to comply with subdivision (d); 

   (B) To ensure legal and regulatory compliance;  
   (C) To respond to or participate in judicial process;  
   (D) To protect the safety of users or others or security of the
site; or  
   (E) To a service provider, provided the operator contractually (i)
prohibits the service provider from using any covered information
for any purpose other than providing the contracted service to, or on
behalf of, the operator, (ii) prohibits the service provider from
disclosing any covered information provided by the operator with
subsequent third parties, and (iii) requires the service provider to
implement and maintain reasonable security procedures and practices
as provided in subdivision (d).  
   (c) Nothing in subdivision (b) shall be construed to prohibit the
operator's use of information for maintaining, developing,
supporting, improving, or diagnosing the operator's site, service, or
application.  
   (d) An operator shall:  
   (3) It shall implement 
    (1)     Implement  and maintain
reasonable security procedures and practices appropriate to the
nature of the  information, to protect the personal 
 covered information, and protect that  information from
unauthorized access, destruction, use, modification, or disclosure.

   (b) An operator shall delete 
    (2)     Delete  a student's covered
information if the school or district requests deletion of data under
the control of the school or district. 
   (c) 
    (e)  Notwithstanding  paragraph (4) of 
subdivision  (a),   (b),  an operator may
disclose covered information of a  student  
student, as long as paragraphs (1) to (3), inclusive, of subdivision
(b) are not violated,  under the following circumstances:
   (1) If other provisions of federal or state law require the
operator to disclose the information, and the operator complies with
the requirements of federal and state law in protecting and
disclosing that information.
   (2) For legitimate research purposes  : (A)  as required
by state  and   or  federal law and subject
to the restrictions under  applicable  state and federal
law or  (B)  as allowed by state  and  
or  federal law and under the direction of a school, school
district, or state department of education, if no covered information
is used for any purpose in furtherance of advertising or to amass a
profile on the student for purposes other than K-12 school purposes.

   (3) To a state or local educational agency, including schools and
school districts, for K-12 school purposes, as permitted by state or
federal law.  
   (d) An operator may use 
    (f)     Nothing in this section prohibits
an operator from using  deidentified  student covered
information, including aggregated and deidentified student covered
information,   student covered information  as
follows:
   (1) Within the operator's site, service, or application or other
sites, services, or applications owned by the operator to improve
educational  products, for adaptive learning purposes, and
for customizing student learning.   products. 
   (2) To demonstrate the effectiveness of the operator's 
products,   products or services,  including in
their marketing. 
   (3) An operator may share 
    (g)     Nothing in this section prohibits
an operator from sharing  aggregated deidentified 
student covered   student covered  information for
the development and improvement of educational sites, services, or
applications. 
   (e) 
    (h)  "Online service" includes cloud computing 
services.   services, which must comply with this
section if they otherwise meet the definition of an operator. 

   (f) "Operator" means the operator of an Internet Web site, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used primarily
for K-12 school purposes and was designed and marketed for K-12
school purposes.  
   (g) 
    (i)  "Covered information" means personally identifiable
information or  materials   materials,  in
any media or format that meets any of the following:
   (1)  Are   Is  created or provided by a
student, or the student's parent or legal guardian,  to an
operator  in the course of the student's, parent's, or legal
guardian's use of the operator's  site, service, or
application for K-12 school purposes.
   (2) Are   Is  created or provided by an
employee or agent of the  educational institution. 
 K-12 school, school district, local education agency, or county
office of education, to an operator. 
   (3)  Are   Is    gathered by
 the   an operator through the operation of a
 site, service, or  application, that is  
application described in subdivision (a) and is  descriptive of
a student or otherwise  personally  identifies a
student, including, but not limited to, information in the student's
educational record or email, first and last name, home address,
telephone number, email address, or other information that allows
physical or online contact, discipline records, test results, special
education data, juvenile dependency records, grades, evaluations,
criminal records, medical records, health records, social security
number, biometric information, disabilities, socioeconomic
information, food purchases, political affiliations, religious
information, text messages, documents,  persistent unique
  student  identifiers, search activity, photos,
voice recordings, or geolocation information. 
   (h) 
    (j)  "K-12 school purposes" means purposes that
customarily take place at the direction of the  K-12 
school, teacher, or school district or aid in the administration of
school activities, including, but not limited to, instruction in the
classroom or at home, administrative activities, and collaboration
between students, school personnel, or parents, or are for the use
and benefit of the school. 
   (i) 
    (k)  This section shall not be construed to limit the
authority of a law enforcement agency to obtain any content or
information from an operator as authorized by law or pursuant to an
order of a court of competent jurisdiction. 
   (j) 
    (   l   )  This section does not limit
the ability of an operator  of an Internet Web site, online
service, online application, or mobile application  to use
student  data   data, including covered
information,  for adaptive learning or customized student
learning purposes. 
   (k) 
    (m)  This  chapter   section 
does not apply to general audience Internet Web sites, general
audience online services, general audience online applications, or
general audience mobile  applications.  
applications, even if login credentials created for an operator's
site, service, or application may be used to access those general
audience sites, services, or applications.  
   (l) 
    (n)  This section does not limit Internet service
providers from providing Internet connectivity to schools or students
and their families. 
   (m) 
    (o)  This section shall not be construed to prohibit an
operator of an Internet Web site, online service, online application,
or mobile application from marketing educational products directly
to parents so long as the marketing  was   did
 not  the  result  of student 
 from the use of  covered information obtained by the
operator through the provision of services covered under this
section. 
   (n)
    (p)  This section does not impose a duty upon a provider
of an electronic store, gateway, marketplace, or other means of
purchasing or downloading software or applications to review or
enforce compliance of this section on those applications or software.

   (q) This section does not impose a duty upon a provider of an
interactive computer service, as defined in Section 230 of Title 47
of the United States Code, to review or enforce compliance with this
section by third-party content providers.  
   (o) 
    (r)  This section does not impede the ability of
students to download, export, or otherwise save or maintain their own
student created data or documents.
   22585.  This chapter shall become operative on January 1, 2016.
  SEC. 2.  The provisions of this act are severable. If any provision
of this act or its application is held invalid, that invalidity
shall not affect other provisions or applications that can be given
effect without the invalid provision or application.