BILL NUMBER: SB 1177AMENDED BILL TEXT AMENDED IN ASSEMBLY JUNE 5, 2014 AMENDED IN SENATE APRIL 21, 2014 INTRODUCED BY Senator Steinberg FEBRUARY 20, 2014 An act to add Chapter 22.2 (commencing with Section 22584) to Division 8 of the Business and Professions Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST SB 1177, as amended, Steinberg. Privacy: students. Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor. This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes, as defined, and was designed and marketed for K-12 school purposes from using, sharing, disclosing, or compiling personal information about a K-12 student forcommercial purposes. This bill would require an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes and was designed and marketed for K-12 school purposesany purpose other than the K-12 school purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as specified. The bill would prohibit these operators of Internet Web sites, online services, online applications, or mobile applications from selling the personal information of a student. The bill would require these operators of Internet Web sites, online services, online applications, or mobile applications to ensure that specified encryption processes are used and to delete a student's personal information under specified circumstances. The bill's provisions would become operative January 1, 2016. Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Chapter 22.2 (commencing with Section 22584) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 22.2. STUDENT ONLINE PERSONAL INFORMATION PROTECTION ACT 22584. (a) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes and was designed and marketed for K-12 school purposes shall comply with all of the following requirements: (1) It shall not use, share, disclose, or compile personal information about a K-12 student for any purpose other than the K-12 school purpose and for maintaining, developing, and improving the integrity and effectiveness of the site, service, or application, as long as no personal information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes.(2) It shall not use, share, disclose, or compile a student's personal information for any commercial purpose, including, but not limited to, advertising or profiling.(2) It shall not sell a student's personal information. (3) It shall not allow, facilitate, or aid in the marketing or advertising of a product or service to a K-12 student on the site, service, or application. (4) It shall take reasonable steps to protect the personal information data at rest and in motion in a manner that meets or exceeds reasonable and appropriate commercial best practices. An operator shall be deemed to be in compliance with this paragraph if the operator ensures the following: (A) Valid encryption processes for data at rest in the operator's own data storage systems are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. (B) Valid encryption processes for data in motion on public networks are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; NIST Special Publication 800-77, Guide to IPsec VPNs; or NIST Special Publication 800-113, Guide to SSL VPNs, or others that are Federal Information Processing Standards (FIPS) Publication 140-2 validated. (b) An operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes and that it was designed and marketed for K-12 school purposes shall delete a student's personal information if any of the following occurs: (1) The site, service, or application has actual knowledge that it is no longer used for K-12 schoolpurposes, unless thepurposes. This paragraph shall not apply to information that is being used or maintained at the direction of a school or school district and is under the direct control of the school ordistrict.district, or information that is being used by a student and is under the direct control of the student. (2) The student requestsdeletion, unless it isdeletion of information being used at the direction ofa school or district andthe student or that is under the direct control of theschool or district.student. (3) The school or school district requests deletion of information being used at the direction of a school or district and that is under the control of the school or school district . (c) Notwithstanding subdivision (a), an operator of an Internet Web site, online service, online application, or mobile application may disclose personal information of a student if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information. (d) An "online service" includes cloud computing services. (e) Notwithstanding subdivision (a), an operator of an Internet Web site, online service, online application, or mobile application may disclose personal information of a student for legitimate research purposes as required by state and federal law and subject to the restrictions under state and federal law or as allowed by state and federal law and under the direction of a school, school district, or state department of education, as long as no personal information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes. (f) For purposes of this section, "personal information" shall mean any information or materials in any media or format created or provided by a student, or the student's parent or legal guardian, in the course of the student's, or parent's or legal guardian's, use of the site, service, or application or an employee or agent of the educational institution, or gathered by the site, service, or application, that is related to a student and shall include, but not be limited to, information in the student's educational record, the student's e-mail address, first and last name, home address, telephone number, other information that permits physical or online contact of a specific individual, discipline records, test results, special education data, juvenile delinquency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, e-mail messages, documents, unique identifiers, profile, search activity, location information, Internet Protocol (IP) address, metadata, any aggregation or derivative thereof, or any information gained through tracking, including login and logoff information, searches, typing, photos, voice recordings, and geolocation information. (g) For purposes of this section, "K-12 school purposes" shall mean purposes that customarily take place at the direction of the school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. (h) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction. (i) It is not the intent of the Legislature for this chapter to apply to general audience Internet Web sites , general audience online services, general audience online applications, or general audience mobile applications . (j) It is not the intent of the Legislature for this section to limit Internet service providers from providing Internet connectivity to schools or students and their families. (k) (1) An operator of an Internet Web site, online service, online application, or mobile application may use deidentified student personal information , including aggregated deidentified student personal information, within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products, for adaptive learning purposes, and for customizing student learning.(2) Subparagraph (1) shall not apply if the deidentified student personal information is used for purposes of advertising.(2) An operator of an Internet Web site, online service, online application, or mobile application may use deidentified student personal information, including aggregated deidentified student personal information, to demonstrate the effectiveness of the operator's products, including in their marketing. (3) An operator of an Internet Web site, online service, online application, or mobile application may share aggregated deidentified student personal information for the development and improvement of educational sites, services, or applications. (l) This section shall not be construed to prohibit an operator of an Internet Web site, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing was not the result of student personal information provided to the operator of the Internet Web site, online service, online application, or mobile application. 22585. This chapter shall become operative on January 1, 2016. SEC. 2. The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.