BILL NUMBER: SB 1177AMENDED BILL TEXT AMENDED IN ASSEMBLY AUGUST 4, 2014 AMENDED IN ASSEMBLY JULY 2, 2014 AMENDED IN ASSEMBLY JUNE 10, 2014 AMENDED IN ASSEMBLY JUNE 5, 2014 AMENDED IN SENATE APRIL 21, 2014 INTRODUCED BY Senator Steinberg FEBRUARY 20, 2014 An act to add Chapter 22.2 (commencing with Section 22584) to Division 8 of the Business and Professions Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST SB 1177, as amended, Steinberg. Privacy: students. Existing law, on and after January 1, 2015, prohibits an operator of an Internet Web site or online service from knowingly using, disclosing, compiling, or allowing a 3rd party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Existing law also makes this prohibition applicable to an advertising service that is notified by an operator of an Internet Web site, online service, online application, or mobile application that the site, service, or application is directed to a minor. This bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K-12 school purposes, as defined, and was designed and marketed for K-12 school purposes, from using, sharing, disclosing, or compilingcoveredinformation, as defined, about a K-12 student for any purpose other than K-12 school purposes. The bill would generally prohibit an operator from selling or disclosing the information of a student. The bill would require an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and to delete a student's covered information if the school or district requests deletion of data under the control of the school or district. The bill would authorize the disclosure of covered information of a student under specified circumstances. The bill's provisions would become operative January 1, 2016. Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Chapter 22.2 (commencing with Section 22584) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 22.2. STUDENT ONLINE PERSONAL INFORMATION PROTECTION ACT 22584. (a) An operator shall comply with all of the following with respect to the site, service, or application of the operator: (1) It shall not use, share, disclose, or compilecoveredinformation about a K-12 student for any purpose in furtherance of targeted advertising or to amass a profile on a student for any purpose other than K-12 school purposes. Nothing in this provision shall be construed to prohibit the use of information for maintaining, developing, or improving the site, service, or application of the operator. (2) It shall not sell or disclose a student's information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an entity that operates an Internet Web site, online service, online application, or mobile application by another entity. (3) It shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (b) An operator shall delete a student's covered information if the school or district requests deletion of data under the control of the school or district. (c) Notwithstanding subdivision (a), an operator may disclose covered information of a student under the following circumstances: (1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information. (2) For legitimate research purposes as required by state and federal law and subject to the restrictions under state and federal law or as allowed by state and federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes. (d) An operator may use deidentified student covered information, including aggregated and deidentified student covered information, as follows: (1) Within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products, for adaptive learning purposes, and for customizing student learning. (2) To demonstrate the effectiveness of the operator's products, including in their marketing. (3) An operator may share aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications. (e) "Online service" includes cloud computing services. (f) "Operator" means the operator of an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. (g) "Covered information" means personally identifiable information or materials in any media or format that meets any of the following: (1) Are created or provided by a student, or the student's parent or legal guardian, in the course of the student's, parent's, or legal guardian's use of the site, service, or application for K-12 school purposes. (2) Are created or provided by an employee or agent of the educational institution. (3) Are gathered by the site, service, or application, that is descriptive of a student or otherwise personally identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information. (h) "K-12 school purposes" means purposes that customarily take place at the direction of the school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. (i) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction. (j) This section does not limit the ability of an operator of an Internet Web site, online service, online application, or mobile application to use student data for adaptive learning or customized student learning purposes. (k) This chapter does not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications. (l) This section does not limit Internet service providers from providing Internet connectivity to schools or students and their families. (m) This section shall not be construed to prohibit an operator of an Internet Web site, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing was not the result of student covered information obtained by the operator through the provision of services covered under this section. (n) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software. (o) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents. 22585. This chapter shall become operative on January 1, 2016. SEC. 2. The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.