BILL NUMBER: AB 2799	ENROLLED
	BILL TEXT

	PASSED THE SENATE  AUGUST 23, 2016
	PASSED THE ASSEMBLY  AUGUST 29, 2016
	AMENDED IN SENATE  JUNE 21, 2016
	AMENDED IN ASSEMBLY  APRIL 7, 2016

INTRODUCED BY   Assembly Member Chau

                        FEBRUARY 19, 2016

   An act to add Chapter 22.2.5 (commencing with Section 22586) to
Division 8 of the Business and Professions Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 2799, Chau. Privacy: personal information: preschool and
prekindergarten purposes.
   Existing law, The Student Online Personal Information Protection
Act, restricts the use of information about elementary and secondary
school students by operators of certain Internet Web sites and online
services and applications by, among other things, prohibiting
operators from engaging in targeted advertising, amassing student
profiles except for K-12 school purposes, or selling or disclosing
student information, as specified. Existing law also requires an
operator to implement and maintain reasonable security procedures and
practices appropriate to the nature of the covered information to
protect the information from unauthorized access, use, and
disclosure.
   Existing law also prohibits an operator of an Internet Web site or
online service from knowingly using, disclosing, compiling, or
allowing a 3rd party to use, disclose, or compile the personal
information of a minor for the purpose of marketing or advertising
specified types of products or services. Existing law also makes this
prohibition applicable to an advertising service that is notified by
an operator of an Internet Web site, online service, online
application, or mobile application that the site, service, or
application is directed to a minor.
   This bill would, commencing on July 1, 2017, prohibit the operator
of an Internet Web site, online service, online application, or
mobile application that is used primarily for preschool or
prekindergarten purposes, as defined, and was designed and marketed
for preschool and prekindergarten purposes, to knowingly engage in
specified activities with respect to their site, service, or
application, including, among other things, engaging in targeted
advertising, using specified information to amass a profile about a
pupil except in furtherance of preschool or prekindergarten purposes,
and selling or disclosing a pupil's information, as specified. The
bill would also require an operator to, among other things, implement
and maintain reasonable security procedures and practices
appropriate to the information to protect that information from
unauthorized access, and to delete a pupil's information at the
request of a preschool, prekindergarten, or district, as specified.
The bill would authorize the disclosure of a pupil's information
under specified circumstances. The bill would also provide that its
provisions are severable.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Chapter 22.2.5 (commencing with Section 22586) is added
to Division 8 of the Business and Professions Code, to read:
      CHAPTER 22.2.5.  EARLY LEARNING PERSONAL INFORMATION PROTECTION
ACT


   22586.  (a) For purposes of this section:
   (1) "Operator" means the operator of an Internet Web site, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used primarily
for preschool or prekindergarten purposes and was designed and
marketed for preschool and prekindergarten purposes.
   (2) "Pupil" means a child enrolled in a preschool or
prekindergarten course of instruction.
   (b) An operator shall not knowingly engage in any of the following
activities with respect to their site, service, or application:
   (1) (A) Engage in targeted advertising on the operator's site,
service, or application.
   (B) Target advertising on any other site, service, or application
when the targeting of the advertising is based upon any information,
including covered information and persistent unique identifiers, that
the operator has acquired because of the use of that operator's
site, service, or application described in subdivision (a).
   (2) Use information, including persistent unique identifiers,
created or gathered by the operator's site, service, or application,
to amass a profile about a pupil except in furtherance of preschool
or prekindergarten purposes.
   (3) Sell a pupil's information, including covered information.
This prohibition does not apply to the purchase, merger, or other
type of acquisition of an operator by another entity, provided that
the operator or successor entity continues to be subject to the
provisions of this section with respect to previously acquired pupil
information.
   (4) Disclose covered information unless the disclosure is made:
   (A) In furtherance of the preschool and prekindergarten purposes
of the site, service, or application, provided that the recipient of
the covered information disclosed pursuant to this subparagraph:
   (i) Shall not further disclose the information unless done to
allow or improve operability and functionality within that pupil's
classroom, preschool, or prekindergarten.
   (ii) Is legally required to comply with subdivision (d);
   (B) To ensure legal and regulatory compliance;
   (C) To respond to or participate in a judicial process;
   (D) To protect the safety of users or others or security of the
site; or
   (E) To a service provider, provided the operator contractually (i)
prohibits the service provider from using any covered information
for any purpose other than providing the contracted service to, or on
behalf of, the operator, (ii) prohibits the service provider from
disclosing any covered information provided by the operator with
subsequent third parties, and (iii) requires the service provider to
implement and maintain reasonable security procedures and practices
as provided in subdivision (d).
   (c) Nothing in subdivision (b) shall be construed to prohibit the
operator's use of information for maintaining, developing,
supporting, improving, or diagnosing the operator's site, service, or
application.
   (d) An operator shall:
   (1) Implement and maintain reasonable security procedures and
practices appropriate to the nature of the covered information, and
protect that information from unauthorized access, destruction, use,
modification, or disclosure.
   (2) Delete a pupil's covered information if the preschool,
prekindergarten, or district requests deletion of data under the
control of the preschool, prekindergarten, or district.
   (e) Notwithstanding paragraph (4) of subdivision (b), an operator
may disclose covered information of a pupil, as long as paragraphs
(1) to (3), inclusive, of subdivision (b) are not violated, under the
following circumstances:
   (1) If other provisions of federal or state law require the
operator to disclose the information, and the operator complies with
the requirements of federal and state law in protecting and
disclosing that information.
   (2) For legitimate research purposes: (A) as required by state or
federal law and subject to the restrictions under applicable state
and federal law or (B) as allowed by state or federal law and under
the direction of a preschool, prekindergarten, school district, or
state department of education, if no covered information is used for
any purpose in furtherance of advertising or to amass a profile on
the pupil for purposes other than preschool and prekindergarten
purposes.
   (3) To a state or local educational agency, including preschools,
prekindergartens, and school districts, for preschool and
prekindergarten purposes, as permitted by state or federal law.
   (f) Nothing in this section prohibits an operator from using
deidentified pupil covered information as follows:
   (1) Within the operator's site, service, or application or other
sites, services, or applications owned by the operator to improve
educational products.
   (2) To demonstrate the effectiveness of the operator's products or
services, including in their marketing.
   (g) Nothing in this section prohibits an operator from sharing
aggregated deidentified pupil covered information for the development
and improvement of educational sites, services, or applications.
   (h) "Online service" includes cloud computing services, which must
comply with this section if they otherwise meet the definition of an
operator.
   (i) "Covered information" means personally identifiable
information or materials, in any media or format that meets any of
the following:
   (1) Is created or provided by a pupil, or the pupil's parent or
legal guardian, to an operator in the course of the pupil's, parent'
s, or legal guardian's use of the operator's site, service, or
application for preschool and prekindergarten purposes.
   (2) Is created or provided by an employee or agent of the
preschool, prekindergarten, school district, local educational
agency, or county office of education, to an operator.
   (3) Is gathered by an operator through the operation of a site,
service, or application described in subdivision (a), and is
descriptive of a pupil or otherwise identifies a pupil, including,
but not limited to, information in the pupil's educational record or
email, first and last name, home address, telephone number, email
address, or other information that allows physical or online contact,
discipline records, test results, special education data, juvenile
dependency records, grades, evaluations, criminal records, medical
records, health records, social security number, biometric
information, disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text messages,
documents, student identifiers, search activity, photos, voice
recordings, or geolocation information.
   (j) "Preschool or prekindergarten purposes" means purposes that
customarily take place at the direction of the preschool,
prekindergarten, teacher, or school district, or aid in the
administration of preschool or prekindergarten activities, including,
but not limited to, instruction in the classroom or at home,
administrative activities, and collaboration between pupils,
preschool or prekindergarten personnel, or parents, or are for the
use and benefit of the preschool or prekindergarten.
   (k) This section shall not be construed to limit the authority of
a law enforcement agency to obtain any content or information from an
operator as authorized by law or pursuant to an order of a court of
competent jurisdiction.
   (l) This section does not limit the ability of an operator to use
a pupil's data, including covered information, for adaptive learning
or customized early learning purposes.
   (m) This section does not apply to general audience Internet Web
sites, general audience online services, general audience online
applications, or general audience mobile applications, even if login
credentials created for an operator's site, service, or application
may be used to access those general audience sites, services, or
applications.
   (n) This section does not limit Internet service providers from
providing Internet connectivity to preschools, prekindergartens, or
pupils and their families.
   (o) This section shall not be construed to prohibit an operator of
an Internet Web site, online service, online application, or mobile
application from marketing educational products directly to parents
so long as the marketing did not result from the use of covered
information obtained by the operator through the provision of
services covered under this section.
   (p) This section does not impose a duty upon a provider of an
electronic store, gateway, marketplace, or other means of purchasing
or downloading software or applications to review or enforce
compliance of this section on those applications or software.
   (q) This section does not impose a duty upon a provider of an
interactive computer service, as defined in Section 230 of Title 47
of the United States Code, to review or enforce compliance with this
section by third-party content providers.
   (r) This section does not impede the ability of pupils to
download, export, or otherwise save or maintain their own personally
created data or documents.
   22587.  This chapter shall become operative on July 1, 2017.
  SEC. 2.  The provisions of this act are severable. If any provision
of this act or its application is held invalid, that invalidity
shall not affect other provisions or applications that can be given
effect without the invalid provision or application.