SB 1177, as amended, Steinberg. Privacy: students.
Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor.
This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile applicationbegin delete with actual knowledge that the site, service, or application is used for K-12 school purposes, as defined, and was designed and marketed for K-12 school
purposes, from using, sharing, disclosing, or compiling information, as defined, about a K-12 student for any purpose other than K-12 school purposes. The bill would generally prohibit an operator from selling or disclosing the information of a student.end deletebegin insert from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K-12 student, selling a student’s information, or disclosing covered information, as provided.end insert The bill would require an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of thebegin insert coveredend insert information, to protect thebegin delete personalend delete information from unauthorized
access, destruction, use, modification, or disclosure, and to delete a student’s covered information if the school or district requests deletion of data under the control of the school or district. The bill would authorize the disclosure of covered information of a student under specified circumstances. The bill’s provisions would become operative January 1, 2016.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.2 (commencing with Section 22584)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
(a) begin deleteAn end deletebegin insertFor the purposes of this section, “operator”
9means the operator of an Internet Web site, online service, online
10application, or mobile application with actual knowledge that the
11site, service, or application is used primarily for K-12 school
12purposes and was designed and marketed for K-12 school
13purposes.end insert
14begin insert(b)end insertbegin insert end insertbegin insertAnend insert operator shallbegin delete comply with all of the following with begin insert
not
15respect to the site, service, or application of the operator:end delete
16knowingly engage in any of the following activities with respect
17to their site, service, or application:end insert
P3 1(1) It shall not use, share, disclose, or compile information about
2a K-12 student for any purpose in furtherance of targeted
3advertising or to amass a profile on a student for any purpose other
4than K-12 school purposes. Nothing in this provision shall be
5construed to prohibit the use of information for maintaining,
6developing, or improving
the site, service, or application of the
7operator.
8(1) (A) Engage in targeted advertising on the operator’s site,
9service, or application, or (B) target advertising on any other site,
10service, or application when the targeting of the advertising is
11based upon any information, including covered information and
12persistent unique identifiers, that the operator has acquired
13because of the use of that operator’s site, service, or application
14described in subdivision (a).
15(2) Use information, including persistent unique identifiers,
16created or gathered by the operator’s site, service, or application,
17to amass a profile about a K-12 student except in
furtherance of
18K-12 school purposes.
17 19(2) It shall not sell or disclose
end delete
20begin insert(3)end insertbegin insert end insertbegin insertSellend insert a student’sbegin delete information.end deletebegin insert information, including covered
21information.end insert This prohibition does not apply to the purchase,
22merger, or other type of acquisition of anbegin delete entity that operates an begin insert
operatorend insert by another entitybegin insert, provided that the operator
23Internet Web site, online service, online application, or mobile
24applicationend delete
25or successor entity continues to be subject to the provisions of this
26section with respect to previously acquired student informationend insert.
27(4) Disclose covered information unless the disclosure is made:
end insertbegin insert
28(A) In furtherance of the K-12 purpose of the site, service, or
29application, provided the recipient of the covered information
30disclosed pursuant to this subparagraph:
31(i) Shall not further disclose the information unless done to
32allow or improve operability and functionality within that student’s
33classroom or school; and
34(ii) Is legally required to comply with subdivision (d);
end insertbegin insert35(B) To ensure legal and regulatory compliance;
end insertbegin insert36(C) To respond to or participate in judicial process;
end insertbegin insert
37(D) To protect the safety of users or others or security of the
38site; or
39(E) To a service provider, provided the operator contractually
40(i) prohibits the service provider from using any covered
P4 1information for any purpose other than providing the contracted
2service to, or on behalf of, the operator, (ii) prohibits the service
3provider from disclosing any covered information provided by the
4operator with subsequent third parties, and (iii) requires the service
5provider to implement and maintain reasonable security
6procedures and practices
as provided in subdivision (d).
7(c) Nothing in subdivision (b) shall be construed to prohibit the
8operator’s use of information for maintaining, developing,
9supporting, improving, or diagnosing the operator’s site, service,
10or application.
11(d) An operator shall:
end insert21 12(3) It shall implement
end delete
13begin insert(1)end insertbegin insert end insertbegin insertImplementend insert and maintain reasonable security procedures and
14practices appropriate to the nature of thebegin delete information, to protect begin insert
covered information, and protect thatend insert information
15the personalend delete
16from unauthorized access, destruction, use, modification, or
17disclosure.
P3 1 18(b) An operator shall delete
end delete
19begin insert(2)end insertbegin insert end insertbegin insertDeleteend insert a student’s covered information if the school or
20district requests deletion of data under the control of the school or
21district.
4 22(c)
end delete
23begin insert(e)end insert Notwithstandingbegin insert paragraph (4) ofend insert subdivisionbegin delete (a),end deletebegin insert (b),end insert an
24operator may disclose covered information of abegin delete studentend deletebegin insert student,
25as long as paragraphs (1) to (3), inclusive, of subdivision (b) are
26not violated,end insert
under the following circumstances:
27(1) If other provisions of federal or state law require the operator
28to disclose the information, and the operator complies with the
29requirements of federal and state law in protecting and disclosing
30that information.
31(2) For legitimate research purposesbegin insert: (A)end insert as required by state
32begin delete andend deletebegin insert orend insert federal law and subject to the restrictions underbegin insert applicableend insert
33 state and federal law orbegin insert
(B)end insert as allowed by statebegin delete andend deletebegin insert orend insert federal law
34and under the direction of a school, school district, or state
35department of education, if no covered information is used for any
36purpose in furtherance of advertising or to amass a profile on the
37student for purposes other than K-12 school purposes.
38(3) To a state or local educational agency, including schools
39and school districts, for K-12 school purposes, as permitted by
40state or federal law.
18 P5 1(d) An operator may use
end delete
2begin insert(f)end insertbegin insert end insertbegin insertNothing in this section prohibits an operator from usingend insert
3
deidentifiedbegin delete student covered information, including aggregated begin insert student covered
4and deidentified student covered information,end delete
5informationend insert as follows:
6(1) Within the operator’s site, service, or application or other
7sites, services, or applications owned by the operator to improve
8educationalbegin delete products, for adaptive learning purposes, and for begin insert products.end insert
9customizing student learning.end delete
10(2) To demonstrate the effectiveness of the operator’sbegin delete products,end delete
11begin insert
products or services,end insert including in their marketing.
12(3) An operator may share
end delete
13begin insert(g)end insertbegin insert end insertbegin insertNothing in this section prohibits an operator from sharingend insert
14 aggregated deidentifiedbegin delete student coveredend deletebegin insert student coveredend insert
15 information for the development and improvement of educational
16sites, services, or applications.
30 17(e)
end delete
18begin insert(h)end insert “Online service” includes cloud computingbegin delete services.end deletebegin insert services,
19which must comply with this section if they otherwise meet the
20definition of an operator.end insert
21(f) “Operator” means the operator of an Internet Web site, online
22service, online application, or mobile application with actual
23knowledge that the site, service, or application is used primarily
24for K-12 school purposes and was designed and marketed for
25K-12 school purposes.
36 26(g)
end delete
27begin insert(i)end insert “Covered information” means personally identifiable
28information orbegin delete materialsend deletebegin insert materials,end insert in any media or format that
29meets any of the following:
30(1) begin deleteAre end deletebegin insertIs end insertcreated or provided by a student, or the student’s
31parent or legal guardian,begin insert to an operatorend insert in the course of the
32student’s, parent’s, or
legal guardian’s use of thebegin insert operator’send insert site,
33service, or application for K-12 school purposes.
34(2) begin deleteAre end deletebegin insertIs end insertcreated or provided by an employee or agent of the
35begin delete educational institution.end deletebegin insert K-12 school, school district, local
36education agency, or county office of education, to an operator.end insert
37(3) begin deleteAre end deletebegin insertIs
end insertgathered bybegin delete theend deletebegin insert an operator through the operation
38of aend insert site, service, orbegin delete application, that isend deletebegin insert application described in
39subdivision (a) and isend insert descriptive of a student or otherwise
40begin delete personallyend delete identifies a student, including, but not limited to,
P6 1information in the student’s educational record or email, first and
2last name, home address, telephone number, email address, or
3other information that allows physical or online contact, discipline
4records, test results, special education data, juvenile dependency
5records, grades,
evaluations, criminal records, medical records,
6health records, social security number, biometric information,
7disabilities, socioeconomic information, food purchases, political
8affiliations, religious information, text messages, documents,
9begin delete persistent uniqueend deletebegin insert studentend insert identifiers, search activity, photos, voice
10recordings, or geolocation information.
18 11(h)
end delete
12begin insert(j)end insert “K-12 school purposes” means purposes that customarily
13take place at the direction of thebegin insert
K-12end insert school, teacher, or school
14district or aid in the administration of school activities, including,
15but not limited to, instruction in the classroom or at home,
16administrative activities, and collaboration between students, school
17personnel, or parents, or are for the use and benefit of the school.
24 18(i)
end delete
19begin insert(k)end insert This section shall not be construed to limit the authority of
20a law enforcement agency to obtain any content or information
21from an operator as authorized by law or pursuant to an order of
22a court of competent jurisdiction.
28 23(j)
end delete
24begin insert(end insertbegin insertlend insertbegin insert)end insert This section does not limit the ability of an operatorbegin delete of an
to use student
25Internet Web site, online service, online application, or mobile
26applicationend deletebegin delete dataend deletebegin insert
data, including covered information,end insert
27 for adaptive learning or customized student learning purposes.
32 28(k)
end delete
29begin insert(m)end insert Thisbegin delete chapterend deletebegin insert sectionend insert does not apply to general audience
30Internet Web sites, general audience online services, general
31audience online applications, or general audience mobile
32begin delete applications.end deletebegin insert
applications, even if login credentials created for an
33operator’s site, service, or application may be used to access those
34general audience sites, services, or applications.end insert
35 35(l)
end delete
36begin insert(n)end insert This section does not limit Internet service providers from
37providing Internet connectivity to schools or students and their
38families.
38 39(m)
end delete
P7 1begin insert(o)end insert This section shall not be construed to prohibit an operator
2of an Internet Web site, online service, online application, or
3mobile application from marketing educational products directly
4to parents so long as the marketingbegin delete wasend deletebegin insert didend insert notbegin delete theend delete resultbegin delete of studentend delete
5begin insert from the use ofend insert covered information obtained by the operator
6through the provision of services covered under this section.
4 7(n)
end delete
8begin insert(p)end insert This section does not impose a duty upon a provider of an
9electronic store, gateway, marketplace, or other means of
10purchasing or downloading software or applications to review or
11enforce compliance of this section on those applications or
12software.
13(q) This section does not impose a duty upon a provider of an
14interactive computer service, as defined in Section 230 of Title 47
15of the United States Code, to review or enforce compliance with
16this section by third-party content providers.
9 17(o)
end delete
18begin insert(r)end insert This section does not impede the ability of students to
19download, export, or otherwise save or maintain their own student
20created data or documents.
This chapter shall become operative on January 1, 2016.
The provisions of this act are severable. If any
23provision of this act or its application is held invalid, that invalidity
24shall not affect other provisions or applications that can be given
25effect without the invalid provision or application.
O
93