SB 1177, as amended, Steinberg. Privacy: students.
Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.
This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes, as defined, and was designed and marketed for K-12 schoolbegin delete purposesend deletebegin insert
purposes,end insert from using, sharing, disclosing, or compiling covered information, as defined, about a K-12 student for any purpose other thanbegin delete theend delete K-12 schoolbegin delete purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as specified.end deletebegin insert purposes.end insert The bill wouldbegin insert generallyend insert prohibitbegin delete these operators of Internet Web sites, online services, online applications, or mobile applicationsend deletebegin insert
an operatorend insert from sellingbegin insert or disclosingend insert thebegin delete coveredend delete information of a student. The bill would requirebegin delete these operators of
Internet Web sites, online services, online applications, or mobile applications to ensure that covered information is protected in a manner that meets or exceeds reasonable and appropriate commercial best practicesend deletebegin insert an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,end insert and to delete a student’s covered information if the school or district requestsbegin delete deletion.end deletebegin insert
deletion of data under the control of the school or district. The bill would authorize the disclosure of covered information of a student under specified circumstances.end insert The bill’s provisions would become operative January 1, 2016.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.2 (commencing with Section 22584)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
(a) An operatorbegin delete of an Internet Web site, online service, shall comply with all of the following
9online application, or mobile application with actual knowledge
10that the site, service, or application is used primarily for K-12
11school purposes and was designed and marketed for K-12 school
12purposesend deletebegin delete requirements:end deletebegin insert with
13respect to the site, service, or application of the operator:end insert
14(1) It shall not use, share, disclose, or
compile covered
15information about a K-12 student for anybegin insert purpose in furtherance
16of targeted advertising or to amass a profile on a student for anyend insert
17 purpose other thanbegin delete theend delete K-12 schoolbegin delete purpose andend deletebegin insert purposes. Nothing
18in this provision shall be construed to prohibit the use of
P3 1informationend insert for maintaining, developing,begin delete andend deletebegin insert orend insert improvingbegin delete the
the site, service, or
2integrity and effectiveness ofend deletebegin delete application, as begin insert application
3long as no personal information is used for any purpose in
4furtherance of targeted advertising or to amass a profile on the
5student for purposes other than K-12 school purposes.end delete
6of the operator.end insert
7(2) It shall not sell or disclose a student’sbegin delete coveredend delete information.
8begin insert This prohibition does not apply to the purchase, merger, or other
9type of acquisition of an entity that operates an Internet Web site,
10online service, online application, or mobile application by another
11
entity.end insert
12(3) It shall take reasonable steps to protect the covered
13information at rest and in transmission in a manner that meets or
14exceeds reasonable and appropriate commercial best practices.
15(3) It shall implement and maintain reasonable security
16procedures and practices appropriate to the nature of the
17information, to protect the personal information from unauthorized
18access, destruction, use, modification, or disclosure.
19(b) An operatorbegin delete of an Internet Web site, online service, online
shall delete a student’s covered information if the school
20application, or mobile application with actual knowledge that the
21site, service, or application is used primarily for K-12 school
22purposes and that it was designed and marketed for K-12 school
23purposesend delete
24or district requestsbegin delete deletion.end deletebegin insert deletion of data under the control of
25the school or district.end insert
26(c) Notwithstanding subdivision (a), an operatorbegin delete of an Internet
27Web site, online service, online application, or mobile applicationend delete
28 may disclose covered information of a studentbegin delete if other provisions
29of federal or state law require the operator to disclose the
30information, and the operator complies with the requirements of
31federal and state law in protecting and disclosing that information.end delete
32begin insert
under the following circumstances:end insert
33(1) If other provisions of federal or state law require the
34operator to disclose the information, and the operator complies
35with the requirements of federal and state law in protecting and
36disclosing that information.
37(2) For legitimate research purposes as required by state and
38federal law and subject to the restrictions under state and federal
39law or as allowed by state and federal law and under the direction
40of a school, school district, or state department of education, if no
P4 1covered information is used for any purpose in furtherance of
2advertising or to amass a profile on the student for purposes other
3than K-12 school purposes.
4(d) An operator may use
deidentified student covered
5information, including aggregated and deidentified student covered
6information, as follows:
7(1) Within the operator’s site, service, or application or other
8sites, services, or applications owned by the operator to improve
9educational products, for adaptive learning purposes, and for
10customizing student learning.
11(2) To demonstrate the effectiveness of the operator’s products,
12including in their marketing.
13(3) An operator may share aggregated deidentified student
14covered information for the development and improvement of
15educational sites, services, or applications.
16(d) An “online
end delete17begin insert(e)end insertbegin insert end insertbegin insert“Onlineend insert service” includes cloud computing services.
18(e) Notwithstanding subdivision (a), an operator of an Internet
19Web site,
online service, online application, or mobile application
20may disclose covered information of a student for legitimate
21research purposes as required by state and federal law and subject
22to the restrictions under state and federal law or as allowed by state
23and federal law and under the direction of a school, school district,
24or state department of education, as long as no covered information
25is used for any purpose in furtherance of advertising or to amass
26a profile on the student for purposes other than K-12 school
27purposes.
28 (f) “Operator” means the operator of an Internet Web site,
29online service, online application, or mobile application with
30actual knowledge that the site, service, or application is used
31primarily for K-12
school purposes and was designed and
32marketed for K-12 school purposes.
33(f)
end delete
34begin insert(g)end insert “Covered information” meansbegin insert personally identifiableend insert
35 information or materials in any media or format that meets any of
36the following:
37(1) Are created or provided by a student, or the student’s parent
38or legal guardian, in the course of the student’s, parent’s,begin insert orend insert
legal
39begin delete guardian’s,end deletebegin insert
guardian’send insert
use of the site, service, or application for
40K-12 school purposes.
P5 1(2) Are created or provided by an employee or agent of the
2educational institution.
3(3) Are gathered by the site, service, or application, that is
4descriptive of a student or otherwisebegin delete identifiedend deletebegin insert personally identifiesend insert
5 a student, including, but not limited to, information in the student’s
6educational record or email, first and last name, home address,
7telephone number, email address, or other information that allows
8physical or online contact, discipline records, test results, special
9education data, juvenile dependency records, grades,
evaluations,
10criminal records, medical records, health records, social security
11number, biometric information, disabilities, socioeconomic
12information, food purchases, political affiliations, religious
13information, text messages, documents, persistent unique
14identifiers, search activity, photos, voice recordings, or geolocation
15information.
16(g)
end delete
17begin insert(h)end insert “K-12 school purposes”
means purposes that customarily
18take place at the direction of the school, teacher, or school district
19or aid in the administration of school activities, including, but not
20limited to, instruction in the classroom or at home, administrative
21activities, and collaboration between students, school personnel,
22or parents, or are for the use and benefit of the school.
23(h)
end delete
24begin insert(i)end insert This section shall not be construed to limit the authority of
25a law enforcement agency to obtain any content or information
26from an operator as authorized by law or pursuant to an order of
27a court of competent
jurisdiction.
28(j) This section does not limit the ability of an operator of an
29Internet Web site, online service, online application, or mobile
30application to use student data for adaptive learning or customized
31student learning purposes.
32(i)
end delete
33begin insert(k)end insert This
chapter does not apply to general audience Internet
34Web sites, general audience online services, general audience
35online applications, or general audience mobile applications.
36(j)
end delete
37begin insert(l)end insert This section does not limit Internet service providers from
38providing Internet connectivity to schools or students and their
39families.
P6 1(k) (1) An operator of an Internet Web site, online service,
2online application, or mobile application may use deidentified
3student
covered information, including aggregated deidentified
4student
covered information, within the operator’s site, service, or
5application or other sites, services, or applications owned by the
6operator to improve educational products, for adaptive learning
7purposes, and for customizing student learning.
8(2) An operator of an Internet Web site, online service, online
9application, or mobile application may use deidentified student
10covered information, including aggregated deidentified student
11covered
information, to demonstrate the effectiveness of the
12operator’s products, including in their marketing.
13(3) An operator of an Internet Web site, online service, online
14application, or mobile application may share aggregated
15deidentified student covered information for the development and
16improvement of educational sites, services, or applications.
17(l)
end delete
18begin insert(m)end insert This section shall not be construed to prohibit an operator
19of an Internet Web site, online service, online application, or
20mobile
application from marketing educational products directly
21to parents so long as the marketing was not the result of student
22 covered informationbegin delete provided toend deletebegin insert obtained byend insert the operatorbegin delete of the begin insert through the provision of services covered under this
23Internet Web site, online service, online application, or mobile
24application.end delete
25section.end insert
26(n) This section does not impose a duty upon a provider of an
27electronic store, gateway, marketplace, or other means of
28purchasing or downloading software or applications to review or
29enforce compliance of this section on those
applications or
30software.
31(o) This section does not impede the ability of students to
32download, export, or otherwise save or maintain their own student
33created data or documents.
This chapter shall become operative on January 1, 2016.
The provisions of this act are severable. If any
36provision of this act or its application is held invalid, that invalidity
37shall not affect other provisions or applications that can be given
38effect without the invalid provision or application.
O
95