Assembly BillNo. 817

3

22584.  

(a) For the purposes of this section, “operator” means
4the operator of an Internet Web site, online service, online
5application, or mobile application begin deletethat,end deletebegin deletepursuant to a contract or
6agreement with a school or district, establishesend deletebegin insert with actual
7knowledge thatend insert the site, service, or applicationbegin delete thatend delete is used primarily
8for K-12 school purposes and was designed and marketed begin deleteprimarilyend delete
9 for K-12 school purposes.

10(b) An operator shall not knowingly engage in any of the
11following activities with respect to their site, service, or application:

12(1) (A) Engage in targeted advertising on the operator’s site,
13service, or application, or (B) target advertising on any other site,
14service, or application when the targeting of the advertising is
15based upon any information, including covered information and
16persistent unique identifiers, that the operator has acquired because
17of the use of that operator’s site, service, or application described
18in subdivision (a).

19(2) Use information, including persistent unique identifiers,
20created or gathered by the operator’s site, service, or application,
21to amass a profile about a K-12 student except in furtherance of
22K-12 school purposes.

23(3) Sell a student’s information, including covered information.
24This prohibition does not apply to the purchase, merger, or other
25type of acquisition of an operator by another entity, provided that
26the operator or successor entity continues to be subject to the
27provisions of this section with respect to previously acquired
28student information.

29(4) Disclose covered information unless the disclosure is made:

P3    1(A) In furtherance of the K-12 purpose of the site, service, or
2application, provided the recipient of the covered information
3disclosed pursuant to this subparagraph:

4(i) Shall not further disclose the information unless done to
5allow or improve operability and functionality within that student’s
6classroom or school; and

7(ii) Is legally required to comply with subdivision (d);

8(B) To ensure legal and regulatory compliance;

9(C) To respond to or participate in judicial process;

10(D) To protect the safety of users or others or security of the
11site; or

12(E) To a service provider, provided the operator contractually
13(i) prohibits the service provider from using any covered
14information for any purpose other than providing the contracted
15service to, or on behalf of, the operator, (ii) prohibits the service
16provider from disclosing any covered information provided by the
17operator with subsequent third parties, and (iii) requires the service
18provider to implement and maintain reasonable security procedures
19and practices as provided in subdivision (d).

20(c) Nothing in subdivision (b) shall be construed to prohibit the
21operator’s use of information for maintaining, developing,
22supporting, improving, or diagnosing the operator’s site, service,
23or application.

24(d) An operator shall:

25(1) Implement and maintain reasonable security procedures and
26practices appropriate to the nature of the covered information, and
27protect that information from unauthorized access, destruction,
28use, modification, or disclosure.

29(2) Delete a student’s covered information if the school or
30district requests deletion of data under the control of the school or
31district.

32(e) Notwithstanding paragraph (4) of subdivision (b), an operator
33 may disclose covered information of a student, as long as
34paragraphs (1) to (3), inclusive, of subdivision (b) are not violated,
35under the following circumstances:

36(1) If other provisions of federal or state law require the operator
37to disclose the information, and the operator complies with the
38requirements of federal and state law in protecting and disclosing
39that information.

P4    1(2) For legitimate research purposes: (A) as required by state
2or federal law and subject to the restrictions under applicable state
3and federal law or (B) as allowed by state or federal law and under
4the direction of a school, school district, or state department of
5education, if no covered information is used for any purpose in
6furtherance of advertising or to amass a profile on the student for
7purposes other than K-12 school purposes.

8(3) To a state or local educational agency, including schools
9and school districts, for K-12 school purposes, as permitted by
10state or federal law.

11(f) Nothing in this section prohibits an operator from using
12deidentified student covered information as follows:

13(1) Within the operator’s site, service, or application or other
14sites, services, or applications owned by the operator to improve
15educational products.

16(2) To demonstrate the effectiveness of the operator’s products
17or services, including in their marketing.

18(g) Nothing in this section prohibits an operator from sharing
19aggregated deidentified student covered information for the
20development and improvement of educational sites, services, or
21applications.

22(h) “Online service” includes cloud computing services, which
23must comply with this section if they otherwise meet the definition
24of an operator.

25(i) “Covered information” means personally identifiable
26information or materials, in any media or format that meets any
27of the following:

28(1) Is created or provided by a student, or the student’s parent
29or legal guardian, to an operator in the course of the student’s,
30parent’s, or legal guardian’s use of the operator’s site, service, or
31application for K-12 school purposes.

32(2) Is created or provided by an employee or agent of the K-12
33school, school district, local education agency, or county office of
34education, to an operator for K-12 school purposes.

35(3) Is gathered by an operator through the operation of a site,
36service, or application described in subdivision (a) and is
37descriptive of a student or otherwise identifies a student, including,
38but not limited to, information in the student’s educational record
39or email, first and last name, home address, telephone number,
40email address, or other information that allows physical or online
P5    1contact, discipline records, test results, special education data,
2juvenile dependency records, grades, evaluations, criminal records,
3medical records, health records, social security number, biometric
4information, disabilities, socioeconomic information, food
5purchases, political affiliations, religious information, text
6messages, documents, student identifiers, search activity, photos,
7 voice recordings, or geolocation information.

8(j) “K-12 school purposes” means purposes that customarily
9take place at the direction of the K-12 school, teacher, or school
10district or aid in the administration of school activities, including,
11but not limited to, instruction in the classroom or at home,
12administrative activities, and collaboration between students, school
13personnel, or parents, or are for the use and benefit of the school.
14begin insert “K-12 school purposes” do not include communications to and
15from parents or students 14 years of age or older regarding
16postsecondary or extracurricular educational, military, or career
17products or services, including, but not limited to, college readiness
18assessments and preparation for them, recruitment for and
19financing of the costs of those product and service opportunities,
20and educational assistance or enrichment opportunities.end insert

21(k) This section shall not be construed to limit the authority of
22a law enforcement agency to obtain any content or information
23from an operator as authorized by law or pursuant to an order of
24a court of competent jurisdiction.

25(l) This section does not limit the ability of an operator to use
26student data, including covered information, for adaptive learning
27or customized student learning purposes.

28(m) This section does not apply to general audience Internet
29Web sites, general audience online services, general audience
30online applications, or general audience mobile applications, even
31if login credentials created for an operator’s site, service, or
32application may be used to access those general audience sites,
33services, or applications.

34(n) This section does not limit Internet service providers from
35providing Internet connectivity to schools or students and their
36families.

37(o) This section shall not be construed to prohibit an operator
38of an Internet Web site, online service, online application, or
39mobile application from marketing educational products directly
40to parents so long as the marketing did not result from the use of
P6    1covered information obtained by the operator through the provision
2of services covered under this section.

3(p) This section does not impose a duty upon a provider of an
4electronic store, gateway, marketplace, or other means of
5purchasing or downloading software or applications to review or
6enforce compliance of this section on those applications or
7software.

8(q) This section does not impose a duty upon a provider of an
9interactive computer service, as defined in Section 230 of Title 47
10of the United States Code, to review or enforce compliance with
11this section by third-party content providers.

12(r) This section does not impede the ability of students to
13download, export, or otherwise save or maintain their own student
14created data or documents.