California Legislature—2015–16 Regular Session

Assembly Bill No. 1541


Introduced by Committee on Privacy and Consumer Protection (Assembly Members Gatto (Chair), Baker, Chau, Cooper, Dahle, and Gordon)

March 26, 2015


An act to amend Sections 22580, 22581, and 22584 of the Business and Professions Code and to amend Section 1798.81.5 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 1541, as introduced, Committee on Privacy and Consumer Protection. Privacy: personal information.

Existing law limits marketing to minors by an operator of an Internet Web site, online service, online application, or mobile application, as specified. Existing law requires the operator of an Internet Web site, online service, online application, or mobile application to permit a minor to remove, or to request and obtain removal of, content or information posted by the minor, as specified. Existing law prohibits an operator of an Internet Web site, online service, online application, or mobile application used primarily for school purposes from using a student’s information, as specified.

This bill would revise these provisions to specify that these laws pertain to an operator of an Internet Web site or online service, such as an online application or a mobile application.

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law defines terms for purposes of this law, including “personal information.”

This bill would update the definition of personal information to include health insurance information, as defined, and a username or email address combined with a password or security question and answer for access to an online account.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 22580 of the Business and Professions Code is amended to read:

22580. (a) An operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors shall not market or advertise a product or service described in subdivision (i) on its Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors.

(b) An operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application[end insert]:

(1) Shall not market or advertise a product or service described in subdivision (i) to a minor who the operator has actual knowledge is using its Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] and is a minor, if the marketing or advertising is specifically directed to that minor based upon information specific to that minor, including, but not limited to, the minor’s profile, activity, address, or location sufficient to establish contact with a minor, and excluding Internet Protocol (IP) address and product identification numbers for the operation of a service.

(2) Shall be deemed to be in compliance with paragraph (1) if the operator takes reasonable actions in good faith designed to avoid marketing or advertising under circumstances prohibited under paragraph (1).

(c) An operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors or who has actual knowledge that a minor is using its Internet Web [begin delete]site, online service, online application, or mobile application,[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] shall not knowingly use, disclose, compile, or allow a third party to use, disclose, or compile, the personal information of a minor with actual knowledge that the use, disclosure, or compilation is for the purpose of marketing or advertising products or services to that minor for a product described in subdivision (i).

(d) “Minor” means a natural person under 18 years of age who resides in the state.

(e) “Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors” mean an Internet Web [begin delete]site, online service, online application, or mobile application,[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] or a portion thereof, that is created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults. Provided, however, that an Internet Web [begin delete]site, online service, online application, or mobile application,[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] or a portion thereof, shall not be deemed to be directed at minors solely because it refers or links to an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link.

(f) “Operator” means any person or entity that owns an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application[end insert]. It does not include any third party that operates, hosts, or manages, but does not own, an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] on the owner’s behalf or processes information on the owner’s behalf.

(g) This section shall not be construed to require an operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] to collect or retain age information about users.

(h) (1) With respect to marketing or advertising provided by an advertising service, the operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors shall be deemed to be in compliance with subdivision (a) if the operator notifies the advertising service, in the manner required by the advertising service, that the site, service, or application is directed to minors.

(2) If an advertising service is notified, in the manner required by the advertising service, that an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] is directed to minors pursuant to paragraph (1), the advertising service shall not market or advertise a product or service on the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] that is described in subdivision (i).

(i) The marketing and advertising restrictions described in subdivisions (a) and (b) shall apply to the following products and services as they are defined under state law:

(1) Alcoholic beverages, as referenced in Sections 23003 to 23009, inclusive, and Section 25658.

(2) Firearms or handguns, as referenced in Sections 16520, 16640, and 27505 of the Penal Code.

(3) Ammunition or reloaded ammunition, as referenced in Sections 16150 and 30300 of the Penal Code.

(4) Handgun safety certificates, as referenced in Sections 31625 and 31655 of the Penal Code.

(5) Aerosol container of paint that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.

(6) Etching cream that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.

(7) Any tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance, as referenced in Division 8.5 (commencing with Section 22950) and Sections 308, 308.1, 308.2, and 308.3 of the Penal Code.

(8) BB device, as referenced in Sections 16250 and 19910 of the Penal Code.

(9) Dangerous fireworks, as referenced in Sections 12505 and 12689 of the Health and Safety Code.

(10) Tanning in an ultraviolet tanning device, as referenced in Sections 22702 and 22706.

(11) Dietary supplement products containing ephedrine group alkaloids, as referenced in Section 110423.2 of the Health and Safety Code.

(12) Tickets or shares in a lottery game, as referenced in Sections 8880.12 and 8880.52 of the Government Code.

(13) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A, as referenced in Section 379 of the Penal Code.

(14) Body branding, as referenced in Sections 119301 and 119302 of the Health and Safety Code.

(15) Permanent tattoo, as referenced in Sections 119301 and 119302 of the Health and Safety Code and Section 653 of the Penal Code.

(16) Drug paraphernalia, as referenced in Section 11364.5 of the Health and Safety Code.

(17) Electronic cigarette, as referenced in Section 119405 of the Health and Safety Code.

(18) Obscene matter, as referenced in Section 311 of the Penal Code.

(19) A less lethal weapon, as referenced in Sections 16780 and 19405 of the Penal Code.

(j) The marketing and advertising restrictions described in subdivisions (a), (b), and (c) shall not apply to the incidental placement of products or services embedded in content if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising of the products or services described in subdivision (i).

(k) “Marketing or advertising” means, in exchange for monetary compensation, to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.

SEC. 2. Section 22581 of the Business and Professions Code is amended to read:

22581. (a) An operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] directed to minors or an operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] that has actual knowledge that a minor is using its Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] shall do all of the following:

(1) Permit a minor who is a registered user of the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] to remove or, if the operator prefers, to request and obtain removal of, content or information posted on the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] by the user.

(2) Provide notice to a minor who is a registered user of the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] that the minor may remove or, if the operator prefers, request and obtain removal of, content or information posted on the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] by the registered user.

(3) Provide clear instructions to a minor who is a registered user of the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] on how the user may remove or, if the operator prefers, request and obtain the removal of content or information posted on the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application[end insert].

(4) Provide notice to a minor who is a registered user of the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] that the removal described under paragraph (1) does not ensure complete or comprehensive removal of the content or information posted on the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] by the registered user.

(b) An operator or a third party is not required to erase or otherwise eliminate, or to enable erasure or elimination of, content or information in any of the following circumstances:

(1) Any other provision of federal or state law requires the operator or third party to maintain the content or information.

(2) The content or information was stored on or posted to the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] by a third party other than the minor, who is a registered user, including any content or information posted by the registered user that was stored, republished, or reposted by the third party.

(3) The operator anonymizes the content or information posted by the minor who is a registered user, so that the minor who is a registered user cannot be individually identified.

(4) The minor does not follow the instructions provided to the minor pursuant to paragraph (3) of subdivision (a) on how the registered user may request and obtain the removal of content or information posted on the operator’s Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] by the registered user.

(5) The minor has received compensation or other consideration for providing the content.

(c) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(d) An operator shall be deemed compliant with this section if:

(1) It renders the content or information posted by the minor user no longer visible to other users of the service and the public even if the content or information remains on the operator’s servers in some form.

(2) Despite making the original posting by the minor user invisible, it remains visible because a third party has copied the posting or reposted the content or information posted by the minor.

(e) This section shall not be construed to require an operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] to collect age information about users.

(f) “Posted” means content or information that can be accessed by a user in addition to the minor who posted the content or information, whether the user is a registered user or not, of the Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] where the content or information is posted.

SEC. 3. Section 22584 of the Business and Professions Code is amended to read:

22584. (a) For the purposes of this section, “operator” means the operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] with actual knowledge that the [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

(b) An operator shall not knowingly engage in any of the following activities with respect to their [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application[end insert]:

(1) (A) Engage in targeted advertising on the operator’s [begin delete]site, service, or application,[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] or (B) target advertising on any other [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] described in subdivision (a).

(2) Use information, including persistent unique identifiers, created or gathered by the operator’s [begin delete]site, service, or application,[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] to amass a profile about a K-12 student except in furtherance of K-12 school purposes.

(3) Sell a student’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.

(4) Disclose covered information unless the disclosure is made:

(A) In furtherance of the K-12 purpose of the [begin delete]site, service, or application,[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] provided the recipient of the covered information disclosed pursuant to this subparagraph:

(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that student’s classroom or school; and

(ii) Is legally required to comply with subdivision (d);

(B) To ensure legal and regulatory compliance;

(C) To respond to or participate in judicial process;

(D) To protect the safety of users or others or security of the site; or

(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).

(c) Nothing in subdivision (b) shall be construed to prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application[end insert].

(d) An operator shall:

(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.

(2) Delete a student’s covered information if the school or district requests deletion of data under the control of the school or district.

(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:

(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.

(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes.

(3) To a state or local educational agency, including schools and school districts, for K-12 school purposes, as permitted by state or federal law.

(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:

(1) Within the operator’s [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] or other [begin delete]sites, services, or applications[end delete] [begin insert]Internet Web sites or online services, such as online applications or mobile applications,[end insert] owned by the operator to improve educational products.

(2) To demonstrate the effectiveness of the operator’s products or services, including in their marketing.

(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational [begin delete]sites, services, or applications[end delete] [begin insert]Internet Web Sites or online services, such as online applications or mobile applications[end insert].

(h) “Online service” [begin delete]includes[end delete] [begin insert]includes, but is not limited to,[end insert] cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.

(i) “Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:

(1) Is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s [begin delete]site, service, or application[end delete] [begin insert]Internet Web site or online service, such as an online application or a mobile application,[end insert] for K-12 school purposes.

(2) Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator.

(3) Is gathered by an operator through the operation of [begin delete]a site, service, or application[end delete] [begin insert]an Internet Web site or online service, such as an online application or a mobile application,[end insert] described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

(j) “K-12 school purposes” means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.

(m) This section does not apply to general audience Internet Web [begin delete]sites,[end delete] [begin insert]sites or[end insert] general audience online services, [begin insert]such as[end insert] general audience online [begin delete]applications,[end delete] [begin insert]applications[end insert] or general audience mobile applications, even if login credentials created for an operator’s [begin delete]site, service, or application[end delete] [begin insert]Internet Web Sites or online service, such as online application or a mobile application,[end insert] may be used to access those general audience [begin delete]sites, services, or applications.[end delete] [begin insert]Internet Web site or online services, such as an online applications or mobile applications.[end insert]

(n) This section does not limit Internet service providers from providing Internet connectivity to schools or students and their families.

(o) This section shall not be construed to prohibit an operator of an Internet Web [begin delete]site, online service, online application, or mobile application[end delete] [begin insert]site or online service, such as an online application or a mobile application,[end insert] from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.

(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.

(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.

(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.

SEC. 4. Section 1798.81.5 of the Civil Code is amended to read:

1798.81.5. (a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(d) For purposes of this section, the following terms have the following meanings:

(1) “Personal information” means [begin insert]either of the following:[end insert] [begin delete]an[end delete]

[begin insert](A) An[end insert] individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

[begin delete](A)[end delete] [begin insert](i)[end insert] Social security number.

[begin delete](B)[end delete] [begin insert](ii)[end insert] Driver’s license number or California identification card number.

[begin delete](C)[end delete] [begin insert](iii)[end insert] Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

[begin delete](D)[end delete] [begin insert](iv)[end insert] Medical information.

[begin insert](v) Health insurance information.[end insert]

[begin insert](B) A username or email address, in combination with a password or security question and answer that would permit access to an online account.[end insert]

(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

[begin insert](3) “Health insurance information” means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.[end insert]

[begin delete](3)[end delete] [begin insert](4)[end insert] “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.


