Senate BillNo. 1177

8

22584.  

(a) An operator of an Internet Web site, online service,
9online application, or mobile application with actual knowledge
10that the site, service, or application is used for K-12 school
11purposes and was designed and marketed for K-12 school purposes
12shall comply with all of the following requirements:

13(1) It shall not use, share, disclose, or compile personal
14information about a K-12 student for any purpose other than the
15K-12 school purpose and for maintainingbegin insert, developing, and
16improvingend insert the integritybegin insert and effectivenessend insert of the site, service, or
17applicationbegin insert, as long as no personal information is used for any
18purpose in furtherance of advertising or to amass a profile on the
19student for purposes other than K-12 school purposesend insert.

20(2) It shall not use, share, disclose, or compile a student’s
21personal information for any commercial purpose, including, but
22not limited to, advertising or profiling.

23(3) It shall not allow, facilitate, or aid in the marketing or
24advertising of a product or service to a K-12 student on the site,
25service, or application.

26(4) It shall takebegin delete allend delete reasonable steps to protect thebegin insert personal
27informationend insert data at rest and in motion in a manner that meets or
28exceedsbegin insert reasonable and appropriateend insert commercial best practices.
29An operator shall be deemed to be in compliance with this
30paragraph if the operator ensures the following:

P3    1(A) Valid encryption processes for data at restbegin insert in the operator’s
2own data storage systemsend insert are consistent with NIST Special
3Publication 800-111, Guide to Storage Encryption Technologies
4for End User Devices.

5(B) Valid encryption processes for data in motionbegin insert on public
6networksend insert are those that comply, as appropriate, with NIST Special
7Publications 800-52, Guidelines for the Selection and Use of
8Transport Layer Security (TLS) Implementations;begin insert NIST Special
9Publicationend insert 800-77, Guide to IPsec VPNs; orbegin insert NIST Special
10Publicationend insert 800-113, Guide to SSL VPNs, or others that are
11Federal Information Processing Standards (FIPS)begin insert Publicationend insert
12 140-2 validated.

begin delete

13(b) (1) An operator of an Internet Web site, online service,
14online application, or mobile application with actual knowledge
15that the site, service, or application is used for K-12 school
16purposes and the site, service, or application was designed and
17marketed for K-12 school purposes shall provide a notice to the
18operator of a secondary site, service, or application that is
19accessible through the noticing operator’s site, service, or
20application that the secondary site, service, or application is used
21for K-12 school purposes on a site, service, or application designed
22and marketed for K-12 school purposes.

23(2) An operator of a site, service, or application designed and
24marketed for K-12 school purposes shall comply with this section
25upon either receiving notice under paragraph (1) that the site,
26service, or application is used for K-12 school purposes or if the
27operator otherwise has actual knowledge that the site, service, or
28application is used for K-12 school purposes.

29(3) An operator that fails to provide the notice required by
30paragraph (1) to a secondary site, service, or application shall be
31liable for the secondary site, service, or application’s compliance
32with this section, unless that secondary site, service, or application
33had actual knowledge it was being used for K-12 purposes and
34was designed and marketed for K-12 school purposes.

35(c)

end delete

36begin insert(end insertbegin insertb)end insert An operator of an Internet Web site, online service, online
37application, or mobile application with actual knowledge that the
38site, service, or application is used for K-12 school purposes and
39that it was designed and marketed for K-12 school purposes shall
P4    1delete a student’s personal information if any of the following
2occurs:

3(1) The site,begin delete serviceend deletebegin insert service,end insert or applicationbegin insert has actual knowledge
4that itend insert is no longer used forbegin delete the originalend delete K-12 schoolbegin delete purpose.end delete
5begin insert purposes, unless the information is being used or maintained at
6the direction of a school or school district and is under the direct
7control of the school or district.end insert

8(2) The student requests deletion, unless it is being used at the
9direction of a school or districtbegin delete for legitimate educational purposesend delete
10 and is under the control of the school or district.

11(3) begin deleteThe student ceases to be a student at the institution and the
12operator becomes aware the student is no longer a student, unless
13it is being used at the direction of a school or district for legitimate
14educational purposes and is under the control of the school or
15district.end deletebegin insert The school or school district requests deletion.end insert

begin delete

16(d)

end delete

17begin insert(end insertbegin insertc)end insert Notwithstanding subdivision (a), an operator of an Internet
18Web site, online service, online application, or mobile application
19may disclose personal information of a student if other provisions
20of federal or state law require the operator to disclose the
21information, and the operator complies with the requirements of
22federal and state law inbegin insert protecting andend insert disclosing that information.

begin delete

23(e)

end delete

24begin insert(end insertbegin insertd)end insert An “online service” includes cloud computing services.

begin delete

25(f)

end delete

26begin insert(end insertbegin inserte)end insert Notwithstanding subdivision (a), an operator of an Internet
27Web site, online service, online application, or mobile application
28may disclose personal information of a student for legitimate
29research purposes as required by state and federal law and subject
30to the restrictions under state and federal lawbegin insert or as allowed by
31state and federal law and under the direction of a school, school
32district, or state department of education, as long as no personal
33information is used for any purpose in furtherance of advertising
34or to amass a profile on the student for purposes other than K-12
35school purposesend insert.

begin delete

36(g)

end delete

37begin insert(end insertbegin insertf)end insert For purposes of this section, “personal information” shall
38mean any information or materials in any media or format created
39or provided by a student, or the student’s parent or legal guardian,
40in the course of the student’s, or parent’s or legal guardian’s, use
P5    1of the site, service, or application or an employee or agent of the
2educational institution, or gathered by the site, service, or
3application, that is related to a student and shall include, but not
4be limited to, information in the student’s educational record, the
5student’sbegin delete emailend deletebegin insert e-mailend insert address, first and last name, home address,
6telephone number, other information that permits physical or online
7contact of a specific individual, discipline records, test results,
8special education data, juvenile delinquency records, grades,
9evaluations, criminal records, medical records, health records,
10social security number, biometric information, disabilities,
11socioeconomic information, food purchases, political affiliations,
12religious information,begin delete emailend deletebegin insert e-mailend insert messages, documents, unique
13identifiers, profile, search activity, location information, Internet
14Protocol (IP) address, metadata, any aggregation or derivative
15thereof, or any information gained through tracking, including
16login and logoff information, searches, typing, photos, voice
17recordings, and geolocation information.

begin insert

18(g) For purposes of this section, “K-12 school purposes” shall
19mean purposes that customarily take place at the direction of the
20school, teacher, or school district or aid in the administration of
21school activities, including, but not limited to, instruction in the
22classroom or at home, administrative activities, and collaboration
23between students, school personnel, or parents, or are for the use
24and benefit of the school.

end insert

25(h) This section shall not be construed to limit the authority of
26a law enforcement agency to obtain any content or information
27from an operator as authorized by law or pursuant to an order of
28a court of competent jurisdiction.

29(i) It is not the intent of the Legislature for this chapter to apply
30to general audience Internet Web sites.

begin insert

31(j) It is not the intent of the Legislature for this section to limit
32internet service providers from providing internet connectivity to
33schools or students and their families.

end insertbegin insert

34(k) (1) An operator of an Internet Web site, online service,
35online application, or mobile application may use deidentified
36student personal information within the operator’s site, service,
37or application or other sites, services, or applications owned by
38the operator to improve educational products, for adaptive learning
39purposes, and for customizing student learning.

end insertbegin insert

P6    1(2) Subparagraph (1) shall not apply if the deidentified student
2personal information is used for purposes of advertising.

end insert