Amended in Assembly April 29, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 1541


Introduced by Committee on Privacy and Consumer Protection (Assembly Members Gatto (Chair), Baker, Chau, Cooper, Dahle, and Gordon)

March 26, 2015


An act begin delete to amend Sections 22580, 22581, and 22584 of the Business and Professions Code and end delete to amend Section 1798.81.5 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 1541, as amended, Committee on Privacy and Consumer Protection. Privacy: personal information.

begin delete

Existing law limits marketing to minors by an operator of an Internet Web site, online service, online application, or mobile application, as specified. Existing law requires the operator of an Internet Web site, online service, online application, or mobile application to permit a minor to remove, or to request and obtain removal of, content or information posted by the minor, as specified. Existing law prohibits an operator of an Internet Web site, online service, online application, or mobile application used primarily for school purposes from using a student’s information, as specified.

end delete
begin delete

This bill would revise these provisions to specify that these laws pertain to an operator of an Internet Web site or online service, such as an online application or a mobile application.

end delete

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law defines terms for purposes of this law, including “personal information.”

This bill would begin delete update end delete begin insert revise end insert the definition of personal information to include health insurance information, as defined, and a username or email address combined with a password or security question and answer for access to an online account.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

begin delete
SECTION 1. Section 22580 of the Business and Professions Code is amended to read:

22580. (a) An operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors shall not market or advertise a product or service described in subdivision (i) on its Internet Web site or online service, such as an online application or a mobile application, directed to minors.

(b) An operator of an Internet Web site or online service, such as an online application or a mobile application:

(1) Shall not market or advertise a product or service described in subdivision (i) to a minor who the operator has actual knowledge is using its Internet Web site or online service, such as an online application or a mobile application, and is a minor, if the marketing or advertising is specifically directed to that minor based upon information specific to that minor, including, but not limited to, the minor’s profile, activity, address, or location sufficient to establish contact with a minor, and excluding Internet Protocol (IP) address and product identification numbers for the operation of a service.

(2) Shall be deemed to be in compliance with paragraph (1) if the operator takes reasonable actions in good faith designed to avoid marketing or advertising under circumstances prohibited under paragraph (1).

(c) An operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors or who has actual knowledge that a minor is using its Internet Web site or online service, such as an online application or a mobile application, shall not knowingly use, disclose, compile, or allow a third party to use, disclose, or compile, the personal information of a minor with actual knowledge that the use, disclosure, or compilation is for the purpose of marketing or advertising products or services to that minor for a product described in subdivision (i).

(d) “Minor” means a natural person under 18 years of age who resides in the state.

(e) “Internet Web site or online service, such as an online application or a mobile application, directed to minors” mean an Internet Web site or online service, such as an online application or a mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults. Provided, however, that an Internet Web site or online service, such as an online application or a mobile application, or a portion thereof, shall not be deemed to be directed at minors solely because it refers or links to an Internet Web site or online service, such as an online application or a mobile application, directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link.

(f) “Operator” means any person or entity that owns an Internet Web site or online service, such as an online application or a mobile application. It does not include any third party that operates, hosts, or manages, but does not own, an Internet Web site or online service, such as an online application or a mobile application, on the owner’s behalf or processes information on the owner’s behalf.

(g) This section shall not be construed to require an operator of an Internet Web site or online service, such as an online application or a mobile application, to collect or retain age information about users.

(h) (1) With respect to marketing or advertising provided by an advertising service, the operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors shall be deemed to be in compliance with subdivision (a) if the operator notifies the advertising service, in the manner required by the advertising service, that the site, service, or application is directed to minors.

(2) If an advertising service is notified, in the manner required by the advertising service, that an Internet Web site or online service, such as an online application or a mobile application, is directed to minors pursuant to paragraph (1), the advertising service shall not market or advertise a product or service on the operator’s Internet Web site or online service, such as an online application or a mobile application, that is described in subdivision (i).

(i) The marketing and advertising restrictions described in subdivisions (a) and (b) shall apply to the following products and services as they are defined under state law:

(1) Alcoholic beverages, as referenced in Sections 23003 to 23009, inclusive, and Section 25658.

(2) Firearms or handguns, as referenced in Sections 16520, 16640, and 27505 of the Penal Code.

(3) Ammunition or reloaded ammunition, as referenced in Sections 16150 and 30300 of the Penal Code.

(4) Handgun safety certificates, as referenced in Sections 31625 and 31655 of the Penal Code.

(5) Aerosol container of paint that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.

(6) Etching cream that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.

(7) Any tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance, as referenced in Division 8.5 (commencing with Section 22950) and Sections 308, 308.1, 308.2, and 308.3 of the Penal Code.

(8) BB device, as referenced in Sections 16250 and 19910 of the Penal Code.

(9) Dangerous fireworks, as referenced in Sections 12505 and 12689 of the Health and Safety Code.

(10) Tanning in an ultraviolet tanning device, as referenced in Sections 22702 and 22706.

(11) Dietary supplement products containing ephedrine group alkaloids, as referenced in Section 110423.2 of the Health and Safety Code.

(12) Tickets or shares in a lottery game, as referenced in Sections 8880.12 and 8880.52 of the Government Code.

(13) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A, as referenced in Section 379 of the Penal Code.

(14) Body branding, as referenced in Sections 119301 and 119302 of the Health and Safety Code.

(15) Permanent tattoo, as referenced in Sections 119301 and 119302 of the Health and Safety Code and Section 653 of the Penal Code.

(16) Drug paraphernalia, as referenced in Section 11364.5 of the Health and Safety Code.

(17) Electronic cigarette, as referenced in Section 119405 of the Health and Safety Code.

(18) Obscene matter, as referenced in Section 311 of the Penal Code.

(19) A less lethal weapon, as referenced in Sections 16780 and 19405 of the Penal Code.

(j) The marketing and advertising restrictions described in subdivisions (a), (b), and (c) shall not apply to the incidental placement of products or services embedded in content if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising of the products or services described in subdivision (i).

(k) “Marketing or advertising” means, in exchange for monetary compensation, to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.

SEC. 2. Section 22581 of the Business and Professions Code is amended to read:

22581. (a) An operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors or an operator of an Internet Web site or online service, such as an online application or a mobile application, that has actual knowledge that a minor is using its Internet Web site or online service, such as an online application or a mobile application, shall do all of the following:

(1) Permit a minor who is a registered user of the operator’s Internet Web site or online service, such as an online application or a mobile application, to remove or, if the operator prefers, to request and obtain removal of, content or information posted on the operator’s Internet Web site or online service, such as an online application or a mobile application, by the user.

(2) Provide notice to a minor who is a registered user of the operator’s Internet Web site or online service, such as an online application or a mobile application, that the minor may remove or, if the operator prefers, request and obtain removal of, content or information posted on the operator’s Internet Web site or online service, such as an online application or a mobile application, by the registered user.

(3) Provide clear instructions to a minor who is a registered user of the operator’s Internet Web site or online service, such as an online application or a mobile application, on how the user may remove or, if the operator prefers, request and obtain the removal of content or information posted on the operator’s Internet Web site or online service, such as an online application or a mobile application.

(4) Provide notice to a minor who is a registered user of the operator’s Internet Web site or online service, such as an online application or a mobile application, that the removal described under paragraph (1) does not ensure complete or comprehensive removal of the content or information posted on the operator’s Internet Web site or online service, such as an online application or a mobile application, by the registered user.

(b) An operator or a third party is not required to erase or otherwise eliminate, or to enable erasure or elimination of, content or information in any of the following circumstances:

(1) Any other provision of federal or state law requires the operator or third party to maintain the content or information.

(2) The content or information was stored on or posted to the operator’s Internet Web site or online service, such as an online application or a mobile application, by a third party other than the minor, who is a registered user, including any content or information posted by the registered user that was stored, republished, or reposted by the third party.

(3) The operator anonymizes the content or information posted by the minor who is a registered user, so that the minor who is a registered user cannot be individually identified.

(4) The minor does not follow the instructions provided to the minor pursuant to paragraph (3) of subdivision (a) on how the registered user may request and obtain the removal of content or information posted on the operator’s Internet Web site or online service, such as an online application or a mobile application, by the registered user.

(5) The minor has received compensation or other consideration for providing the content.

(c) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(d) An operator shall be deemed compliant with this section if:

(1) It renders the content or information posted by the minor user no longer visible to other users of the service and the public even if the content or information remains on the operator’s servers in some form.

(2) Despite making the original posting by the minor user invisible, it remains visible because a third party has copied the posting or reposted the content or information posted by the minor.

(e) This section shall not be construed to require an operator of an Internet Web site or online service, such as an online application or a mobile application, to collect age information about users.

(f) “Posted” means content or information that can be accessed by a user in addition to the minor who posted the content or information, whether the user is a registered user or not, of the Internet Web site or online service, such as an online application or a mobile application, where the content or information is posted.

SEC. 3. Section 22584 of the Business and Professions Code is amended to read:

22584. (a) For the purposes of this section, “operator” means the operator of an Internet Web site or online service, such as an online application or a mobile application, with actual knowledge that the Internet Web site or online service, such as an online application or a mobile application, is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

(b) An operator shall not knowingly engage in any of the following activities with respect to their Internet Web site or online service, such as an online application or a mobile application:

(1) (A) Engage in targeted advertising on the operator’s Internet Web site or online service, such as an online application or a mobile application, or (B) target advertising on any other Internet Web site or online service, such as an online application or a mobile application, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s Internet Web site or online service, such as an online application or a mobile application, described in subdivision (a).

(2) Use information, including persistent unique identifiers, created or gathered by the operator’s Internet Web site or online service, such as an online application or a mobile application, to amass a profile about a K-12 student except in furtherance of K-12 school purposes.

(3) Sell a student’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.

(4) Disclose covered information unless the disclosure is made:

(A) In furtherance of the K-12 purpose of the Internet Web site or online service, such as an online application or a mobile application, provided the recipient of the covered information disclosed pursuant to this subparagraph:

(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that student’s classroom or school; and

(ii) Is legally required to comply with subdivision (d);

(B) To ensure legal and regulatory compliance;

(C) To respond to or participate in judicial process;

(D) To protect the safety of users or others or security of the site; or

(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).

(c) Nothing in subdivision (b) shall be construed to prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s Internet Web site or online service, such as an online application or a mobile application.

(d) An operator shall:

(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.

(2) Delete a student’s covered information if the school or district requests deletion of data under the control of the school or district.

(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:

(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.

(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes.

(3) To a state or local educational agency, including schools and school districts, for K-12 school purposes, as permitted by state or federal law.

(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:

(1) Within the operator’s Internet Web site or online service, such as an online application or a mobile application, or other Internet Web sites or online services, such as online applications or mobile applications, owned by the operator to improve educational products.

(2) To demonstrate the effectiveness of the operator’s products or services, including in their marketing.

(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational Internet Web Sites or online services, such as online applications or mobile applications.

(h) “Online service” includes, but is not limited to, cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.

(i) “Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:

(1) Is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s Internet Web site or online service, such as an online application or a mobile application, for K-12 school purposes.

(2) Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator.

(3) Is gathered by an operator through the operation of an Internet Web site or online service, such as an online application or a mobile application, described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

(j) “K-12 school purposes” means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.

(m) This section does not apply to general audience Internet Web sites or general audience online services, such as general audience online applications or general audience mobile applications, even if login credentials created for an operator’s Internet Web Sites or online service, such as online application or a mobile application, may be used to access those general audience Internet Web site or online services, such as an online applications or mobile applications.

(n) This section does not limit Internet service providers from providing Internet connectivity to schools or students and their families.

(o) This section shall not be construed to prohibit an operator of an Internet Web site or online service, such as an online application or a mobile application, from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.

(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.

(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.

(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.

end delete

begin delete SEC. 4. end delete begin insert SECTION 1. end insert Section 1798.81.5 of the Civil Code is amended to read:

1798.81.5. (a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(d) For purposes of this section, the following terms have the following meanings:

(1) “Personal information” means either of the following:

(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number or California identification card number.

(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(B) A username or email begin delete address, end delete begin insert address end insert in combination with a password or security question and answer that would permit access to an online account.

(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

(3) “Health insurance information” means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.


