Senate BillNo. 1177

8

22584.  

(a) An operator shall comply with all of the following
9with respect to the site, service, or application of the operator:

10(1) It shall not use, share, disclose, or compilebegin delete coveredend delete
11 information about a K-12 student for any purpose in furtherance
12of targeted advertising or to amass a profile on a student for any
13purpose other than K-12 school purposes. Nothing in this provision
14shall be construed to prohibit the use of information for
15maintaining, developing, or improving the site, service, or
16application of the operator.

17(2) It shall not sell or disclose a student’s information. This
18prohibition does not apply to the purchase, merger, or other type
19of acquisition of an entity that operates an Internet Web site, online
20service, online application, or mobile application by another entity.

21(3) It shall implement and maintain reasonable security
22procedures and practices appropriate to the nature of the
23information, to protect the personal information from unauthorized
24access, destruction, use, modification, or disclosure.

P3    1(b) An operator shall delete a student’s covered information if
2the school or district requests deletion of data under the control of
3the school or district.

4(c) Notwithstanding subdivision (a), an operator may disclose
5covered information of a student under the following
6circumstances:

7(1) If other provisions of federal or state law require the operator
8to disclose the information, and the operator complies with the
9requirements of federal and state law in protecting and disclosing
10that information.

11(2) For legitimate research purposes as required by state and
12federal law and subject to the restrictions under state and federal
13law or as allowed by state and federal law and under the direction
14of a school, school district, or state department of education, if no
15covered information is used for any purpose in furtherance of
16advertising or to amass a profile on the student for purposes other
17than K-12 school purposes.

18(d) An operator may use deidentified student covered
19information, including aggregated and deidentified student covered
20information, as follows:

21(1) Within the operator’s site, service, or application or other
22sites, services, or applications owned by the operator to improve
23educational products, for adaptive learning purposes, and for
24customizing student learning.

25(2) To demonstrate the effectiveness of the operator’s products,
26including in their marketing.

27(3) An operator may share aggregated deidentified student
28covered information for the development and improvement of
29educational sites, services, or applications.

30(e) “Online service” includes cloud computing services.

31(f) “Operator” means the operator of an Internet Web site, online
32service, online application, or mobile application with actual
33knowledge that the site, service, or application is used primarily
34for K-12 school purposes and was designed and marketed for
35K-12 school purposes.

36(g) “Covered information” means personally identifiable
37information or materials in any media or format that meets any of
38the following:

39(1) Are created or provided by a student, or the student’s parent
40or legal guardian, in the course of the student’s, parent’s, or legal
P4    1 guardian’s use of the site, service, or application for K-12 school
2purposes.

3(2) Are created or provided by an employee or agent of the
4educational institution.

5(3) Are gathered by the site, service, or application, that is
6descriptive of a student or otherwise personally identifies a student,
7including, but not limited to, information in the student’s
8educational record or email, first and last name, home address,
9telephone number, email address, or other information that allows
10physical or online contact, discipline records, test results, special
11education data, juvenile dependency records, grades, evaluations,
12criminal records, medical records, health records, social security
13number, biometric information, disabilities, socioeconomic
14information, food purchases, political affiliations, religious
15information, text messages, documents, persistent unique
16identifiers, search activity, photos, voice recordings, or geolocation
17information.

18(h) “K-12 school purposes” means purposes that customarily
19take place at the direction of the school, teacher, or school district
20or aid in the administration of school activities, including, but not
21limited to, instruction in the classroom or at home, administrative
22activities, and collaboration between students, school personnel,
23or parents, or are for the use and benefit of the school.

24(i) This section shall not be construed to limit the authority of
25a law enforcement agency to obtain any content or information
26from an operator as authorized by law or pursuant to an order of
27a court of competent jurisdiction.

28(j) This section does not limit the ability of an operator of an
29Internet Web site, online service, online application, or mobile
30application to use student data for adaptive learning or customized
31student learning purposes.

32(k) This chapter does not apply to general audience Internet
33Web sites, general audience online services, general audience
34online applications, or general audience mobile applications.

35(l) This section does not limit Internet service providers from
36providing Internet connectivity to schools or students and their
37families.

38(m) This section shall not be construed to prohibit an operator
39of an Internet Web site, online service, online application, or
40mobile application from marketing educational products directly
P5    1to parents so long as the marketing was not the result of student
2covered information obtained by the operator through the provision
3of services covered under this section.

4(n) This section does not impose a duty upon a provider of an
5electronic store, gateway, marketplace, or other means of
6purchasing or downloading software or applications to review or
7enforce compliance of this section on those applications or
8software.

9(o) This section does not impede the ability of students to
10download, export, or otherwise save or maintain their own student
11created data or documents.

12

22585.  

This chapter shall become operative on January 1, 2016.