AB 2799, as amended, Chau. Privacy: personal information: preschool and prekindergarten purposes.
Existing law, The Student Online Personal Information Protection Act, restricts the use of information about elementary and secondary school students by operators of certain Internet Web sites and online services and applications by, among other things, prohibiting operators from engaging in targeted advertising, amassing student profiles except for K-12 school purposes, or selling or disclosing student information, as specified. Existing law also requires an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information to protect the information from unauthorized access, use, and disclosure.
Existing law also prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.
This bill would, commencing on July 1, 2017, prohibit the operator of an Internet Web site, online service, online application, or mobile application that is used primarily for preschool or prekindergarten purposes, as defined, and was designed and marketed for preschool and prekindergarten purposes, to knowingly engage in specified activities with respect to their site, service, or application, including, among other things, engaging in targeted advertising, using specified information to amass a profile about abegin delete childend deletebegin insert
pupilend insert except in furtherance of preschool or prekindergarten purposes, and selling or disclosing abegin delete child’send deletebegin insert pupil’send insert information, as specified. The bill would also require an operator to, among other things, implement and maintain reasonable security procedures and practices appropriate to the information to protect that information from unauthorized access, and to delete abegin delete child’send deletebegin insert pupil’send insert information at the request of abegin delete preschool orend deletebegin insert
preschool,end insert prekindergarten,begin insert or district,end insert as specified. The bill would authorize the disclosure of abegin delete child’send deletebegin insert
pupil’send insert information under specified circumstances. The bill would also provide that its provisions are severable.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.2.5 (commencing with Section 22586)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
(a) For purposes of thisbegin delete section, “operator”end deletebegin insert section:end insert
9begin insert(1)end insertbegin insert end insertbegin insert“Operator”end insert means the operator of an Internet Web site,
10online service, online application, or mobile application with actual
11knowledge that the site, service, or application is used primarily
12for preschool or prekindergarten purposes and was designed and
13marketed for preschool and prekindergarten
purposes.
14
(2) “Pupil” means a child enrolled in a preschool or
15prekindergarten course of instruction.
16(b) An operator shall not knowingly engage in any of the
17following activities with respect to their site, service, or application:
P3 1(1) (A) Engage in targeted advertising on the operator’s site,
2service, or application.
3(B) Target advertising on any other site, service, or application
4if the targeting of the advertising is based upon any information,
5including covered information and persistent unique identifiers,
6that the operator has acquired because of the
use of that operator’s
7site, service, or application described in subdivision (a).
8(2) Use information, including persistent unique identifiers,
9created or gathered by the operator’s site, service, or application,
10to amass a profile about abegin delete childend deletebegin insert pupilend insert except in furtherance of
11preschool or prekindergarten purposes.
12(3) Sell abegin delete child’send deletebegin insert pupil’send insert information, including covered
13information. This prohibition does not apply to the purchase,
14merger, or other type
of acquisition of an operator by another
15entity, provided that the operator or successor entity continues to
16be subject to the provisions of this section with respect to
17previously acquiredbegin delete childend deletebegin insert pupilend insert information.
18(4) Disclose covered information unless the disclosure is made:
19(A) In furtherance of the preschool and prekindergarten purposes
20of the site, service, or application, provided that the recipient of
21the covered information disclosed pursuant to this subparagraph:
22(i) Is prohibited from further disclosure of the information unless
23begin delete the disclosure isend delete
done to allow or improve operability and
24functionality within thatbegin delete child’s preschool andend deletebegin insert pupil’s classroom,
25preschool, orend insert prekindergarten.
26(ii) Is required to comply with subdivision (d).
27(B) To ensure legal and regulatory compliance.
28(C) To respond to or participate in a judicial process.
29(D) To protect the safety of users or others, or the security of
30the site.
31(E) To a service provider, if the operator contractually (i)
32prohibits
the service provider from using any covered information
33for any purpose other than providing the contracted service to, or
34on behalf of, the operator, (ii) prohibits the service provider from
35disclosing any covered information provided to the operator with
36subsequent third parties, and (iii) requires the service provider to
37implement and maintain reasonable security procedures and
38practices as provided in subdivision (d).
39(c) Nothing in subdivision (b) shall bebegin delete constructedend deletebegin insert
construedend insert
40 to prohibit the operator’s use of information for maintaining,
P4 1developing, supporting, improving, or diagnosing the operator’s
2site, service, or application.
3(d) An operator shall:
4(1) Implement and maintain reasonable security procedures and
5practices appropriate to the nature of the covered information, and
6protect that information from unauthorized access, destruction,
7use, modification, or disclosure.
8(2) Delete abegin delete child’send deletebegin insert pupil’send insert covered information if thebegin delete preschool begin insert
preschool, prekindergarten, or districtend insert requests
9or prekindergartenend delete
10the deletion of data under the control of the preschool,
11prekindergarten,begin delete school,end delete orbegin delete schoolend delete
district.
12(e) Notwithstanding paragraph (4) of subdivision (b), an operator
13may disclose covered information of abegin delete childend deletebegin insert pupilend insert if paragraphs
14(1) to (3), inclusive, of subdivision (b) are not violated under the
15following circumstances:
16(1) If other provisions ofbegin insert federal or stateend insert law require the operator
17to disclose the information, and the operator complies withbegin delete thatend delete
18begin insert
the requirements of federal and stateend insert law in protecting and
19disclosingbegin delete theend deletebegin insert thatend insert information.
20(2) For research purposes (A) as required bybegin insert state or federalend insert
21 law and subject to the restrictions underbegin delete thatend deletebegin insert applicable state or
22federalend insert law or (B) asbegin delete permitted byend deletebegin insert
allowed by state or federalend insert law
23and under the direction of a preschool, prekindergarten,begin delete school,end delete
24 school district, or state department of education, if no covered
25information is used for any purpose in furtherance of advertising
26or to amass a profile of thebegin delete childend deletebegin insert pupilend insert for purposes other than
27preschool and prekindergarten purposes.
28(3) To a state or local educational agency, includingbegin delete preschools begin insert
preschools, prekindergartens,end insert and
29and prekindergartens, schoolsend delete
30school districts, for preschool and prekindergarten purposes, as
31permitted by state or federal law.
32(f) Nothing in this section prohibits an operator from using
33deidentifiedbegin insert pupilend insert covered informationbegin delete of a childend delete as follows:
34(1) Within the operator’s site, service, or application or other
35sites, services, or applications owned by the operator to improve
36educational products.
37(2) To demonstrate the effectiveness of the operator’s products
38or services, including their marketing.
39(g) Nothing in this section prohibits an operator from sharing
40aggregated deidentified covered information of abegin delete childend deletebegin insert pupilend insert for
P5 1the development and improvement of educational sites, services,
2or applications.
3(h) “Online service” includesbegin delete aend delete cloud computingbegin delete service,end delete
4begin insert services,end insert which must comply with this section if it otherwise meets
5the definition of an operator.
6(i) “Covered information” means personally identifiable
7
information or materials, in any media or format that meets any
8of the following:
9(1) Is created or provided by abegin delete child,end deletebegin insert pupil,end insert or thebegin delete child’send deletebegin insert pupil’send insert
10 parent or legal guardian, to an operator in the course of thebegin delete child’s,end delete
11begin insert pupil’s,end insert parent’s, or legal guardian’s use of the operator’s site,
12service, or application for
preschool and prekindergarten purposes.
13(2) Is created or provided by an employee or agent of the
14preschool, prekindergarten, school district, local educational
15agency, or county office of education, to an operator.
16(3) Is gathered by an operator through the operation of the site,
17service, or application described in subdivision (a), and is
18descriptive of abegin delete childend deletebegin insert pupilend insert or otherwise identifies abegin delete child,end deletebegin insert pupil,end insert
19 including, but not limited to, information in
thebegin delete child’send deletebegin insert pupil’send insert
20 educationalbegin delete record,end deletebegin insert record or email,end insert first and last name, home
21address, telephone number, email address, or other information
22that allows physical or online contact, discipline records, test
23results, special education data, juvenile dependency records, grades,
24evaluations, criminal records, medical records, health records,
25social security number, biometric information, disabilities,
26socioeconomic information, food purchases, political affiliations,
27religious information, text messages, documents, student identifiers,
28search activity, photos, voice
recordings, or geolocation
29information.
30(j) “Preschool or prekindergarten purposes” means purposes
31that customarily take place at the direction ofbegin delete preschools, begin insert the preschool,
32prekindergartens, teachers, school districts, and aids,end delete
33prekindergarten, teacher, or school district, or aid in the
34administration of preschool or prekindergarten activities,end insert
35 including, but not limited to, instruction in the classroom,begin delete facility,end delete
36 orbegin insert atend insert home, administrative activities, and collaboration between
37begin delete children, early learningend deletebegin insert
pupils, preschool or prekindergartenend insert
38 personnel, or parents, or are for the use and benefit of thebegin delete39 preschools, prekindergartens, school district, or early learning
40
personnel.end delete
P6 1(k) This section shall not be construed to limit the authority of
2a law enforcement agency to obtain any content or information
3from an operator as authorized by law or pursuant to an order of
4a court of competent jurisdiction.
5(l) This section does not limit the ability of an operator to use
6abegin delete child’send deletebegin insert pupil’send insert educational data, including covered information,
7for adaptive learning or customized early learning purposes.
8(m) This
section does not apply to general audience Internet
9Web site, general audience online services, general audience online
10applications, or general audience mobile applications, even if login
11credentials created for an operator’s site, service, or application
12may be used to access those general audience sites, services, or
13applications.
14(n) This section does not limit Internet service providers from
15providing Internet connectivity to preschools, prekindergartens,
16begin delete schools, or childrenend deletebegin insert or pupilsend insert and their families.
17(o) This section shall not be construed to prohibit an operator
18of an Internet Web site, online
service, online application, or
19mobile application from marketing educational products directly
20to parents so long as the marketing did not result from the use of
21covered information obtained by the operator through the provision
22of services covered by this section.
23(p) This section does not impose a duty upon a provider of an
24electronic store, gateway, marketplace, or other means of
25purchasing or downloading software or applications to review or
26enforce compliance of this section on those applications or
27software.
28(q) This section does not impose a duty upon a provider of an
29interactive computer service, as defined in Section 230 of Title 47
30of the United States Code, to review or enforce compliance with
31this section by third-party content providers.
32(r) This section does not impede the ability ofbegin delete minorsend deletebegin insert pupilsend insert to
33download, export, or otherwise save or maintain their own
34personally created data or documents.
This chapter shall become operative on July 1, 2017.
The provisions of this act are severable. If any
37provision of this act or its application is held invalid, that invalidity
P7 1shall not affect other provisions or applications that can be given
2effect without the invalid provision or application.
O
98