AB 2799, as amended, Chau. Privacy: personal information: preschool and prekindergarten purposes.
Existing law, The Student Online Personal Information Protection Act, restricts the use of information about elementary and secondary school students by operators of certain Internet Web sites and online services and applications by, among other things, prohibiting operators from engaging in targeted advertising, amassing student profiles except for K-12 school purposes, or selling or disclosing student information, as specified. Existing law also requires an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information to protect the information from unauthorized access, use, and disclosure.
Existing law also prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.
This bill would, commencing on July 1, 2017, prohibit the operator of an Internet Web site, online service, online application, or mobile application that is used primarily for preschool or prekindergarten purposes, as defined, and was designed and marketed for preschool and prekindergarten purposes, to knowingly engage in specified activities with respect to their site, service, or application, including, among other things, engaging in targeted advertising, using specified information to amass a profile about a pupil except in furtherance of preschool or prekindergarten purposes, and selling or disclosing a pupil’s information, as specified. The bill would also require an operator to, among other things, implement and maintain reasonable security procedures and practices appropriate to the information to protect that information from unauthorized access, and to delete a pupil’s information at the request of a preschool, prekindergarten, or district, as specified. The bill would authorize the disclosure of a pupil’s information under specified circumstances. The bill would also provide that its provisions are severable.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.2.5 (commencing with Section 22586)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
(a) For purposes of this section:
9(1) “Operator” means the operator of an Internet Web site, online
10service, online application, or mobile application with actual
11knowledge that the site, service, or application is used primarily
12for preschool or prekindergarten purposes and was designed and
13marketed for preschool and prekindergarten purposes.
14(2) “Pupil” means a child enrolled in a preschool or
15prekindergarten course of instruction.
P3 1(b) An operator shall not knowingly engage in any of the
2following activities with respect to their site, service, or
application:
3(1) (A) Engage in targeted advertising on the operator’s site,
4service, or application.
5(B) Target advertising on any other site, service, or application
6begin delete ifend deletebegin insert whenend insert the targeting of the advertising is based upon any
7information, including covered information and persistent unique
8identifiers, that the operator has acquired because of the use of
9that operator’s site, service, or application described in subdivision
10(a).
11(2) Use information, including persistent unique identifiers,
12created or gathered by the operator’s site,
service, or application,
13to amass a profile about a pupil except in furtherance of preschool
14or prekindergarten purposes.
15(3) Sell a pupil’s information, including covered information.
16This prohibition does not apply to the purchase, merger, or other
17type of acquisition of an operator by another entity, provided that
18the operator or successor entity continues to be subject to the
19provisions of this section with respect to previously acquired pupil
20information.
21(4) Disclose covered information unless the disclosure is made:
22(A) In furtherance of the preschool and prekindergarten purposes
23of the site, service, or application, provided that the recipient of
24the covered information disclosed pursuant to this subparagraph:
25(i)begin delete end deletebegin deleteIs prohibited from further disclosure ofend deletebegin insert end insertbegin insertShall not further
26discloseend insert the information unless done to allow or improve
27operability and functionality within that pupil’s classroom,
28preschool, or prekindergarten.
29(ii) Isbegin insert legallyend insert required to comply with subdivisionbegin delete (d).end deletebegin insert (d);end insert
30(B) To ensure legal and regulatorybegin delete compliance.end deletebegin insert compliance;end insert
31(C) To respond to or participate in a judicialbegin delete process.end deletebegin insert process;end insert
32(D) To protect the safety of users orbegin delete others, or theend deletebegin insert others orend insert
33 security of thebegin delete site.end deletebegin insert
site; orend insert
34(E) To a service provider,begin delete ifend deletebegin insert
providedend insert the operator contractually
35(i) prohibits the service provider from using any covered
36information for any purpose other than providing the contracted
37service to, or on behalf of, the operator, (ii) prohibits the service
38provider from disclosing any covered information providedbegin delete toend deletebegin insert byend insert
39 the operator with subsequent third parties, and (iii) requires the
P4 1service provider to implement and maintain reasonable security
2procedures and practices as provided in subdivision (d).
3(c) Nothing in subdivision (b) shall be construed to prohibit the
4operator’s use of information for maintaining, developing,
5supporting, improving, or
diagnosing the operator’s site, service,
6or application.
7(d) An operator shall:
8(1) Implement and maintain reasonable security procedures and
9practices appropriate to the nature of the covered information, and
10protect that information from unauthorized access, destruction,
11use, modification, or disclosure.
12(2) Delete a pupil’s covered information if the preschool,
13prekindergarten, or district requestsbegin delete theend delete deletion of data under the
14control of the preschool, prekindergarten, or district.
15(e) Notwithstanding paragraph (4) of subdivision (b), an operator
16may disclose covered
information of abegin delete pupil ifend deletebegin insert pupil, as long asend insert
17 paragraphs (1) to (3), inclusive, of subdivision (b) are notbegin delete violatedend delete
18begin insert violated,end insert under the following circumstances:
19(1) If other provisions of federal or state law require the operator
20to disclose the information, and the operator complies with the
21requirements of federal and state law in protecting and disclosing
22that information.
23(2) Forbegin insert
legitimateend insert researchbegin delete purposesend deletebegin insert purposes:end insert (A) as required
24by state or federal law and subject to the restrictions under
25applicable statebegin delete orend deletebegin insert andend insert federal law or (B) as allowed by state or
26federal law and under the direction of a preschool, prekindergarten,
27school district, or state department of education, if no covered
28information is used for any purpose in furtherance of advertising
29or to amass a profilebegin delete ofend deletebegin insert
onend insert the pupil for purposes other than
30preschool and prekindergarten purposes.
31(3) To a state or local educational agency, including preschools,
32prekindergartens, and school districts, for preschool and
33prekindergarten purposes, as permitted by state or federal law.
34(f) Nothing in this section prohibits an operator from using
35deidentified pupil covered information as follows:
36(1) Within the operator’s site, service, or application or other
37sites, services, or applications owned by the operator to improve
38educational products.
39(2) To demonstrate the effectiveness of the operator’s products
40or services, includingbegin insert
inend insert their marketing.
P5 1(g) Nothing in this section prohibits an operator from sharing
2aggregated deidentifiedbegin insert pupilend insert covered informationbegin delete of a pupilend delete for
3the development and improvement of educational sites, services,
4or applications.
5(h) “Online service” includes cloud computing services, which
6must comply with this section ifbegin delete itend deletebegin insert theyend insert otherwisebegin delete meetsend deletebegin insert
meetend insert the
7definition of an operator.
8(i) “Covered information” means personally identifiable
9information or materials, in any media or format that meets any
10of the following:
11(1) Is created or provided by a pupil, or the pupil’s parent or
12legal guardian, to an operator in the course of the pupil’s, parent’s,
13or legal guardian’s use of the operator’s site, service, or application
14for preschool and prekindergarten purposes.
15(2) Is created or provided by an employee or agent of the
16preschool, prekindergarten, school district, local educational
17agency, or county office of education, to an operator.
18(3) Is gathered by an operator through the
operation ofbegin delete theend deletebegin insert aend insert
19
site, service, or application described in subdivision (a), and is
20descriptive of a pupil or otherwise identifies a pupil, including,
21but not limited to, information in the pupil’s educational record or
22email, first and last name, home address, telephone number, email
23address, or other information that allows physical or online contact,
24discipline records, test results, special education data, juvenile
25dependency records, grades, evaluations, criminal records, medical
26records, health records, social security number, biometric
27information, disabilities, socioeconomic information, food
28purchases, political affiliations, religious information, text
29messages, documents, student identifiers, search activity, photos,
30voice recordings, or geolocation information.
31(j) “Preschool or prekindergarten purposes” means purposes
32that
customarily take place at the direction of the preschool,
33prekindergarten, teacher, or school district, or aid in the
34administration of preschool or prekindergarten activities, including,
35but not limited to, instruction in thebegin delete classroom,end deletebegin insert classroomend insert or at
36home, administrative activities, and collaboration between pupils,
37preschool or prekindergarten personnel, or parents, or are for the
38use and benefit of the preschool or prekindergarten.
39(k) This section shall not be construed to limit the authority of
40a law enforcement agency to obtain any content or information
P6 1from an operator as authorized by law or pursuant to an order of
2a court of competent
jurisdiction.
3(l) This section does not limit the ability of an operator to use
4a pupil’sbegin delete educationalend delete data, including covered information, for
5adaptive learning or customized early learning purposes.
6(m) This section does not apply to general audience Internet
7Webbegin delete site,end deletebegin insert sites,end insert general audience online services, general audience
8online applications, or general audience mobile applications, even
9if login credentials created for an operator’s site, service, or
10application may be used to access those general audience sites,
11services, or applications.
12(n) This section does not limit Internet service providers from
13providing Internet connectivity to preschools, prekindergartens,
14or pupils and their families.
15(o) This section shall not be construed to prohibit an operator
16of an Internet Web site, online service, online application, or
17mobile application from marketing educational products directly
18to parents so long as the marketing did not result from the use of
19covered information obtained by the operator through the provision
20of services coveredbegin delete byend deletebegin insert underend insert this section.
21(p) This section does not
impose a duty upon a provider of an
22electronic store, gateway, marketplace, or other means of
23purchasing or downloading software or applications to review or
24enforce compliance of this section on those applications or
25software.
26(q) This section does not impose a duty upon a provider of an
27interactive computer service, as defined in Section 230 of Title 47
28of the United States Code, to review or enforce compliance with
29this section by third-party content providers.
30(r) This section does not impede the ability of pupils to
31download, export, or otherwise save or maintain their own
32personally created data or documents.
This chapter shall become operative on July 1, 2017.
The provisions of this act are severable. If any
35provision of this act or its application is held invalid, that invalidity
36shall not affect other provisions or applications that can be given
37effect without the invalid provision or application.
O
97