Assembly BillNo. 817

3

22584.  

(a) For the purposes of this section, “operator” means
4the operator of an Internet Web site, online service, online
5application, or mobile applicationbegin delete with actual knowledge thatend deletebegin insert that,
6pursuant to a contract or agreement with a school or district,
7establishesend insert the site, service, or applicationbegin insert thatend insert is used primarily
8for K-12 school purposes and was designed and marketed
9begin insertprimarily end insertfor K-12 school purposes.

10(b) An operator shall not knowingly engage in any of the
11following activities with respect to their site, service, or application:

12(1) (A) Engage in targeted advertising on the operator’s site,
13service, or application, or (B) target advertising on any other site,
14service, or application when the targeting of the advertising is
15based upon any information, including covered information and
16persistent unique identifiers, that the operator has acquired because
17of the use of that operator’s site, service, or application described
18in subdivision (a).

19(2) Use information, including persistent unique identifiers,
20created or gathered by the operator’s site, service, or application,
21to amass a profile about a K-12 student except in furtherance of
22K-12 school purposes.

23(3) Sell a student’s information, including covered information.
24This prohibition does not apply to the purchase, merger, or other
25type of acquisition of an operator by another entity, provided that
26the operator or successor entity continues to be subject to the
27provisions of this section with respect to previously acquired
28student information.

29(4) Disclose covered information unless the disclosure is made:

30(A) In furtherance of the K-12 purpose of the site, service, or
31application, provided the recipient of the covered information
32disclosed pursuant to this subparagraph:

33(i) Shall not further disclose the information unless done to
34allow or improve operability and functionality within that student’s
35classroom or school; and

36(ii) Is legally required to comply with subdivision (d);

37(B) To ensure legal and regulatory compliance;

38(C) To respond to or participate in judicial process;

P3    1(D) To protect the safety of users or others or security of the
2site; or

3(E) To a service provider, provided the operator contractually
4(i) prohibits the service provider from using any covered
5information for any purpose other than providing the contracted
6service to, or on behalf of, the operator, (ii) prohibits the service
7provider from disclosing any covered information provided by the
8operator with subsequent third parties, and (iii) requires the service
9provider to implement and maintain reasonable security procedures
10and practices as provided in subdivision (d).

11(c) Nothing in subdivision (b) shall be construed to prohibit the
12operator’s use of information for maintaining, developing,
13supporting, improving, or diagnosing the operator’s site, service,
14or application.

15(d) An operator shall:

16(1) Implement and maintain reasonable security procedures and
17practices appropriate to the nature of the covered information, and
18protect that information from unauthorized access, destruction,
19use, modification, or disclosure.

20(2) Delete a student’s covered information if the school or
21district requests deletion of data under the control of the school or
22district.

23(e) Notwithstanding paragraph (4) of subdivision (b), an operator
24 may disclose covered information of a student, as long as
25paragraphs (1) to (3), inclusive, of subdivision (b) are not violated,
26under the following circumstances:

27(1) If other provisions of federal or state law require the operator
28to disclose the information, and the operator complies with the
29requirements of federal and state law in protecting and disclosing
30that information.

31(2) For legitimate research purposes: (A) as required by state
32or federal law and subject to the restrictions under applicable state
33and federal law or (B) as allowed by state or federal law and under
34the direction of a school, school district, or state department of
35education, if no covered information is used for any purpose in
36furtherance of advertising or to amass a profile on the student for
37purposes other than K-12 school purposes.

38(3) To a state or local educational agency, including schools
39and school districts, for K-12 school purposes, as permitted by
40state or federal law.

P4    1(f) Nothing in this section prohibits an operator from using
2deidentified student covered information as follows:

3(1) Within the operator’s site, service, or application or other
4sites, services, or applications owned by the operator to improve
5educational products.

6(2) To demonstrate the effectiveness of the operator’s products
7or services, including in their marketing.

8(g) Nothing in this section prohibits an operator from sharing
9aggregated deidentified student covered information for the
10development and improvement of educational sites, services, or
11applications.

12(h) “Online service” includes cloud computing services, which
13must comply with this section if they otherwise meet the definition
14of an operator.

15(i) “Covered information” means personally identifiable
16information or materials, in any media or format that meets any
17of the following:

18(1) Is created or provided by a student, or the student’s parent
19or legal guardian, to an operator in the course of the student’s,
20parent’s, or legal guardian’s use of the operator’s site, service, or
21application for K-12 school purposes.

22(2) Is created or provided by an employee or agent of the K-12
23school, school district, local education agency, or county office of
24education, to an operatorbegin insert for K-end insertbegin insert12 school purposesend insert.

25(3) Is gathered by an operator through the operation of a site,
26service, or application described in subdivision (a) and is
27descriptive of a student or otherwise identifies a student, including,
28but not limited to, information in the student’s educational record
29or email, first and last name, home address, telephone number,
30email address, or other information that allows physical or online
31contact, discipline records, test results, special education data,
32juvenile dependency records, grades, evaluations, criminal records,
33medical records, health records, social security number, biometric
34information, disabilities, socioeconomic information, food
35purchases, political affiliations, religious information, text
36messages, documents, student identifiers, search activity, photos,
37 voice recordings, or geolocation information.

38(j) “K-12 school purposes” means purposes that customarily
39take place at the direction of the K-12 school, teacher, or school
40district or aid in the administration of school activities, including,
P5    1but not limited to, instruction in the classroom or at home,
2administrative activities, and collaboration between students, school
3personnel, or parents, or are for the use and benefit of the school.

4(k) This section shall not be construed to limit the authority of
5a law enforcement agency to obtain any content or information
6from an operator as authorized by law or pursuant to an order of
7a court of competent jurisdiction.

8(l) This section does not limit the ability of an operator to use
9student data, including covered information, for adaptive learning
10or customized student learning purposes.

11(m) This section does not apply to general audience Internet
12Web sites, general audience online services, general audience
13online applications, or general audience mobile applications, even
14if login credentials created for an operator’s site, service, or
15application may be used to access those general audience sites,
16services, or applications.

17(n) This section does not limit Internet service providers from
18providing Internet connectivity to schools or students and their
19families.

20(o) This section shall not be construed to prohibit an operator
21of an Internet Web site, online service, online application, or
22mobile application from marketing educational products directly
23to parents so long as the marketing did not result from the use of
24covered information obtained by the operator through the provision
25of services covered under this section.

26(p) This section does not impose a duty upon a provider of an
27electronic store, gateway, marketplace, or other means of
28purchasing or downloading software or applications to review or
29enforce compliance of this section on those applications or
30software.

31(q) This section does not impose a duty upon a provider of an
32interactive computer service, as defined in Section 230 of Title 47
33of the United States Code, to review or enforce compliance with
34this section by third-party content providers.

35(r) This section does not impede the ability of students to
36download, export, or otherwise save or maintain their own student
37created data or documents.