AB 2799, as introduced, Chau. Privacy: personal information: preschool and prekindergarten purposes.
Existing law, The Student Online Personal Information Protection Act, restricts the use of information about elementary and secondary school students by operators of certain Internet Web sites and online services and applications by, among other things, prohibiting operators from engaging in targeted advertising, amassing student profiles except for K-12 school purposes, or selling or disclosing student information, as specified. Existing law also requires an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information to protect the information from unauthorized access, use, and disclosure.
Existing law also prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.
This bill would, commencing on July 1, 2017, prohibit the operator of an Internet Web site, online service, online application, or mobile application that is used primarily for preschool or prekindergarten purposes, as defined, and was designed and marketed for preschool and prekindergarten purposes, to knowingly engage in specified activities with respect to their site, service, or application, including, among other things, engaging in targeted advertising, using specified information to amass a profile about a child except in furtherance of preschool or prekindergarten purposes, and selling or disclosing a child’s information, as specified. The bill would also require an operator to, among other things, implement and maintain reasonable security procedures and practices appropriate to the information to protect that information from unauthorized access, and to delete a child’s information at the request of a preschool or prekindergarten, as specified. The bill would authorize the disclosure of a child’s information under specified circumstances. The bill would also provide that its provisions are severable.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.2.5 (commencing with Section 22586)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
(a) For purposes of this section, “operator” means the
9operator of an Internet Web site, online service, online application,
10or mobile application with actual knowledge that the site, service,
11or application is used primarily for preschool or prekindergarten
12purposes and was designed and marketed for preschool and
13prekindergarten purposes.
14(b) An operator shall not knowingly engage in any of the
15following activities with respect to their site, service, or application:
16(1) (A) Engage in targeted advertising on the operator’s site,
17service, or application.
18(B) Target advertising on any other site,
service, or application
19if the targeting of the advertising is based upon any information,
P3 1including covered information and persistent unique identifiers,
2that the operator has acquired because of the use of that operator’s
3site, service, or application described in subdivision (a).
4(2) Use information, including persistent unique identifiers,
5created or gathered by the operator’s site, service, or application,
6to amass a profile about a child except in furtherance of preschool
7or prekindergarten purposes.
8(3) Sell a child’s information, including covered information.
9This prohibition does not apply to the purchase, merger, or other
10type of acquisition of an operator by another entity, provided that
11the operator or successor entity continues to be subject to the
12provisions of this section with respect to previously acquired child
13information.
14(4) Disclose covered information unless the disclosure is made:
15(A) In furtherance of the preschool and prekindergarten purposes
16of the site, service, or application, provided that the recipient of
17the covered information disclosed pursuant to this subparagraph:
18(i) Is prohibited from further disclosure of the information unless
19the disclosure is done to allow or improve operability and
20functionality within that child’s preschool and prekindergarten.
21(ii) Is required to comply with subdivision (d).
22(B) To ensure legal and regulatory compliance.
23(C) To respond to or participate in a judicial process.
24(D) To protect the safety of users or others, or the security of
25the site.
26(E) To a service provider, if the operator contractually (i)
27prohibits the service provider from using any covered information
28for any purpose other than providing the contracted service to, or
29on behalf of, the operator, (ii) prohibits the service provider from
30disclosing any covered information provided to the operator with
31subsequent third parties, and (iii) requires the service provider to
32implement and maintain reasonable security procedures and
33practices as provided in subdivision (d).
34(c) Nothing in subdivision (b) shall be constructed to prohibit
35the operator’s use of information for maintaining, developing,
36supporting, improving, or diagnosing the operator’s site, service,
37or application.
38(d) An operator shall:
39(1) Implement and maintain reasonable security procedures and
40practices appropriate to the nature of the covered information, and
P4 1protect that information from unauthorized access, destruction,
2use, modification, or disclosure.
3(2) Delete a child’s covered information if the preschool or
4prekindergarten requests the deletion of data under the control of
5the preschool, prekindergarten, school, or school district.
6(e) Notwithstanding paragraph (4) of subdivision (b), an operator
7may disclose covered information of a child if paragraphs (1) to
8(3), inclusive, of subdivision (b) are not violated under the
9following circumstances:
10(1) If other provisions of law require the
operator to disclose
11the information, and the operator complies with that law in
12protecting and disclosing the information.
13(2) For research purposes (A) as required by law and subject to
14the restrictions under that law or (B) as permitted by law and under
15the direction of a preschool, prekindergarten, school, school district,
16or state department of education, if no covered information is used
17for any purpose in furtherance of advertising or to amass a profile
18of the child for purposes other than preschool and prekindergarten
19purposes.
20(3) To a state or local educational agency, including preschools
21and prekindergartens, schools and school districts, for preschool
22and prekindergarten purposes, as permitted by state or federal law.
23(f) Nothing in this section prohibits an operator from using
24deidentified covered
information of a child as follows:
25(1) Within the operator’s site, service, or application or other
26sites, services, or applications owned by the operator to improve
27educational products.
28(2) To demonstrate the effectiveness of the operator’s products
29or services, including their marketing.
30(g) Nothing in this section prohibits an operator from sharing
31aggregated deidentified covered information of a child for the
32development and improvement of educational sites, services, or
33applications.
34(h) “Online service” includes a cloud computing service, which
35must comply with this section if it otherwise meets the definition
36of an operator.
37(i) “Covered information” means personally identifiable
38
information or materials, in any media or format that meets any
39of the following:
P5 1(1) Is created or provided by a child, or the child’s parent or
2legal guardian, to an operator in the course of the child’s, parent’s,
3or legal guardian’s use of the operator’s site, service, or application
4for preschool and prekindergarten purposes.
5(2) Is created or provided by an employee or agent of the
6preschool, prekindergarten, school district, local educational
7agency, or county office of education, to an operator.
8(3) Is gathered by an operator through the operation of the site,
9service, or application described in subdivision (a), and is
10descriptive of a child or otherwise identifies a child, including, but
11not limited to, information in the child’s educational record, first
12and last name, home address, telephone number, email
address,
13or other information that allows physical or online contact,
14discipline records, test results, special education data, juvenile
15dependency records, grades, evaluations, criminal records, medical
16records, health records, social security number, biometric
17information, disabilities, socioeconomic information, food
18purchases, political affiliations, religious information, text
19messages, documents, student identifiers, search activity, photos,
20voice recordings, or geolocation information.
21(j) “Preschool or prekindergarten purposes” means purposes
22that customarily take place at the direction of preschools,
23prekindergartens, teachers, school districts, and aids, including,
24but not limited to, instruction in the classroom, facility, or home,
25administrative activities, and collaboration between children, early
26learning personnel, or parents, or are for the use and benefit of the
27preschools, prekindergartens, school district, or early learning
28
personnel.
29(k) This section shall not be construed to limit the authority of
30a law enforcement agency to obtain any content or information
31from an operator as authorized by law or pursuant to an order of
32a court of competent jurisdiction.
33(l) This section does not limit the ability of an operator to use
34a child’s educational data, including covered information, for
35adaptive learning or customized early learning purposes.
36(m) This section does not apply to general audience Internet
37Web site, general audience online services, general audience online
38applications, or general audience mobile applications, even if login
39credentials created for an operator’s site, service, or application
P6 1may be used to access those general audience sites, services, or
2applications.
3(n) This section does not limit Internet service providers from
4providing Internet connectivity to preschools, prekindergartens,
5schools, or children and their families.
6(o) This section shall not be construed to prohibit an operator
7of an Internet Web site, online service, online application, or
8mobile application from marketing educational products directly
9to parents so long as the marketing did not result from the use of
10covered information obtained by the operator through the provision
11of services covered by this section.
12(p) This section does not impose a duty upon a provider of an
13electronic store, gateway, marketplace, or other means of
14purchasing or downloading software or applications to review or
15enforce compliance of this section on those applications or
16software.
17(q) This section does not
impose a duty upon a provider of an
18interactive computer service, as defined in Section 230 of Title 47
19of the United States Code, to review or enforce compliance with
20this section by third-party content providers.
21(r) This section does not impede the ability of minors to
22download, export, or otherwise save or maintain their own
23personally created data or documents.
This chapter shall become operative on July 1, 2017.
The provisions of this act are severable. If any
26provision of this act or its application is held invalid, that invalidity
27shall not affect other provisions or applications that can be given
28effect without the invalid provision or application.
O
99