Amended IN Assembly March 04, 2024 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Assembly Bill No. 1971Introduced by Assembly Member AddisJanuary 30, 2024An act to amend Section 22584 of the Business and Professions Code, relating to personal information.LEGISLATIVE COUNSEL'S DIGESTAB 1971, as amended, Addis. Student Online Personal Information Protection Act: test sponsors. administration of standardized tests.The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to opt out of the selling or sharing of personal information about the consumer to third parties. Additionally, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 16 years of age, or the consumers parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumers personal information.The Student Online Personal Information Protection Act (SOPIPA) prohibits an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes from knowingly engaging in certain activities with respect to the operators site, service, or application, including selling a students information, including covered information, as defined, or using information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a K12 student except in furtherance of K12 school purposes. SOPIPA also prohibits an operator from disclosing covered information unless the disclosure is made for certain purposes, including to ensure legal and regulatory compliance. SOPIPA defines K12 school purposes to mean purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, as specified.The Student Test Taker Privacy Protection Act prohibits a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information, as defined, except to the extent necessary to provide those proctoring services and in other specified circumstances.This bill would additionally apply SOPIPA to an individual, partnership, corporation, association, company, firm, institution, society, trust, or joint stock company that develops, sponsors, or administers standardized tests. additionally define K12 school purposes to mean the administration in the state of a standardized test that a K12 student has paid to take that is used for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program or a test used for preparation for a standardized test. The bill would additionally authorize an operator to disclose covered information if the disclosure is to a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 22584 of the Business and Professions Code is amended to read:22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes. (1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.(2)A test sponsor, as defined in Section 99151 of the Education Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(4) Disclose covered information unless the disclosure is made:(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and(ii) Is legally required to comply with subdivision (d);(B) To ensure legal and regulatory compliance;(C) To respond to or participate in judicial process;(D) To protect the safety of users or others or security of the site; or(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do both of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.(2) The administration in the state of either of the following:(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program. (B) A test used for preparation for a standardized test described by subparagraph (A).(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
Amended IN Assembly March 04, 2024 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Assembly Bill No. 1971Introduced by Assembly Member AddisJanuary 30, 2024An act to amend Section 22584 of the Business and Professions Code, relating to personal information.LEGISLATIVE COUNSEL'S DIGESTAB 1971, as amended, Addis. Student Online Personal Information Protection Act: test sponsors. administration of standardized tests.The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to opt out of the selling or sharing of personal information about the consumer to third parties. Additionally, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 16 years of age, or the consumers parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumers personal information.The Student Online Personal Information Protection Act (SOPIPA) prohibits an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes from knowingly engaging in certain activities with respect to the operators site, service, or application, including selling a students information, including covered information, as defined, or using information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a K12 student except in furtherance of K12 school purposes. SOPIPA also prohibits an operator from disclosing covered information unless the disclosure is made for certain purposes, including to ensure legal and regulatory compliance. SOPIPA defines K12 school purposes to mean purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, as specified.The Student Test Taker Privacy Protection Act prohibits a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information, as defined, except to the extent necessary to provide those proctoring services and in other specified circumstances.This bill would additionally apply SOPIPA to an individual, partnership, corporation, association, company, firm, institution, society, trust, or joint stock company that develops, sponsors, or administers standardized tests. additionally define K12 school purposes to mean the administration in the state of a standardized test that a K12 student has paid to take that is used for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program or a test used for preparation for a standardized test. The bill would additionally authorize an operator to disclose covered information if the disclosure is to a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Amended IN Assembly March 04, 2024
Amended IN Assembly March 04, 2024
CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION
Assembly Bill
No. 1971
Introduced by Assembly Member AddisJanuary 30, 2024
Introduced by Assembly Member Addis
January 30, 2024
An act to amend Section 22584 of the Business and Professions Code, relating to personal information.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1971, as amended, Addis. Student Online Personal Information Protection Act: test sponsors. administration of standardized tests.
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to opt out of the selling or sharing of personal information about the consumer to third parties. Additionally, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 16 years of age, or the consumers parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumers personal information.The Student Online Personal Information Protection Act (SOPIPA) prohibits an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes from knowingly engaging in certain activities with respect to the operators site, service, or application, including selling a students information, including covered information, as defined, or using information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a K12 student except in furtherance of K12 school purposes. SOPIPA also prohibits an operator from disclosing covered information unless the disclosure is made for certain purposes, including to ensure legal and regulatory compliance. SOPIPA defines K12 school purposes to mean purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, as specified.The Student Test Taker Privacy Protection Act prohibits a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information, as defined, except to the extent necessary to provide those proctoring services and in other specified circumstances.This bill would additionally apply SOPIPA to an individual, partnership, corporation, association, company, firm, institution, society, trust, or joint stock company that develops, sponsors, or administers standardized tests. additionally define K12 school purposes to mean the administration in the state of a standardized test that a K12 student has paid to take that is used for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program or a test used for preparation for a standardized test. The bill would additionally authorize an operator to disclose covered information if the disclosure is to a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to opt out of the selling or sharing of personal information about the consumer to third parties. Additionally, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 16 years of age, or the consumers parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumers personal information.
The Student Online Personal Information Protection Act (SOPIPA) prohibits an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes from knowingly engaging in certain activities with respect to the operators site, service, or application, including selling a students information, including covered information, as defined, or using information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a K12 student except in furtherance of K12 school purposes. SOPIPA also prohibits an operator from disclosing covered information unless the disclosure is made for certain purposes, including to ensure legal and regulatory compliance. SOPIPA defines K12 school purposes to mean purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, as specified.
The Student Test Taker Privacy Protection Act prohibits a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information, as defined, except to the extent necessary to provide those proctoring services and in other specified circumstances.
This bill would additionally apply SOPIPA to an individual, partnership, corporation, association, company, firm, institution, society, trust, or joint stock company that develops, sponsors, or administers standardized tests. additionally define K12 school purposes to mean the administration in the state of a standardized test that a K12 student has paid to take that is used for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program or a test used for preparation for a standardized test. The bill would additionally authorize an operator to disclose covered information if the disclosure is to a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 22584 of the Business and Professions Code is amended to read:22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes. (1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.(2)A test sponsor, as defined in Section 99151 of the Education Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(4) Disclose covered information unless the disclosure is made:(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and(ii) Is legally required to comply with subdivision (d);(B) To ensure legal and regulatory compliance;(C) To respond to or participate in judicial process;(D) To protect the safety of users or others or security of the site; or(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do both of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.(2) The administration in the state of either of the following:(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program. (B) A test used for preparation for a standardized test described by subparagraph (A).(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 22584 of the Business and Professions Code is amended to read:22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes. (1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.(2)A test sponsor, as defined in Section 99151 of the Education Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(4) Disclose covered information unless the disclosure is made:(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and(ii) Is legally required to comply with subdivision (d);(B) To ensure legal and regulatory compliance;(C) To respond to or participate in judicial process;(D) To protect the safety of users or others or security of the site; or(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do both of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.(2) The administration in the state of either of the following:(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program. (B) A test used for preparation for a standardized test described by subparagraph (A).(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
SECTION 1. Section 22584 of the Business and Professions Code is amended to read:
### SECTION 1.
22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes. (1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.(2)A test sponsor, as defined in Section 99151 of the Education Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(4) Disclose covered information unless the disclosure is made:(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and(ii) Is legally required to comply with subdivision (d);(B) To ensure legal and regulatory compliance;(C) To respond to or participate in judicial process;(D) To protect the safety of users or others or security of the site; or(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do both of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.(2) The administration in the state of either of the following:(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program. (B) A test used for preparation for a standardized test described by subparagraph (A).(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes. (1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.(2)A test sponsor, as defined in Section 99151 of the Education Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(4) Disclose covered information unless the disclosure is made:(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and(ii) Is legally required to comply with subdivision (d);(B) To ensure legal and regulatory compliance;(C) To respond to or participate in judicial process;(D) To protect the safety of users or others or security of the site; or(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do both of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.(2) The administration in the state of either of the following:(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program. (B) A test used for preparation for a standardized test described by subparagraph (A).(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes. (1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.(2)A test sponsor, as defined in Section 99151 of the Education Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(4) Disclose covered information unless the disclosure is made:(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and(ii) Is legally required to comply with subdivision (d);(B) To ensure legal and regulatory compliance;(C) To respond to or participate in judicial process;(D) To protect the safety of users or others or security of the site; or(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do both of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.(2) The administration in the state of either of the following:(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program. (B) A test used for preparation for a standardized test described by subparagraph (A).(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
22584. (a) For purposes of this section, operator means either of the following: the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.
(1)The operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.
(2)A test sponsor, as defined in Section 99151 of the Education Code.
(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:
(1) Engage in targeted advertising on the operators site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to amass a profile about a K12 student except in furtherance of K12 school purposes.
(3) Sell a students information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.
(4) Disclose covered information unless the disclosure is made:
(A) In furtherance of the K12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:
(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that students classroom or school; and
(ii) Is legally required to comply with subdivision (d);
(B) To ensure legal and regulatory compliance;
(C) To respond to or participate in judicial process;
(D) To protect the safety of users or others or security of the site; or
(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(F) To a postsecondary institution for the purpose of facilitating a K12 students admission to that institution only if the K12 student, or the K12 students legal guardian, has consented to the disclosure.
(c) Nothing in subdivision (b) shall be construed to prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.
(d) An operator shall do both of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) Delete a students covered information if the school or district requests deletion of data under the control of the school or district.
(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:
(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.
(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K12 school purposes.
(3) To a state or local educational agency, including schools and school districts, for K12 school purposes, as permitted by state or federal law.
(f) Nothing in this section prohibits an operator from using deidentified student covered information as follows:
(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.
(g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.
(h) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.
(i) Covered information means personally identifiable information or materials in any media or format that meets any of the following:
(1) Is created or provided by a student, or the students parent or legal guardian, to an operator in the course of the students, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.
(2) Is created or provided by an employee or agent of the K12 school, school district, local education agency, or county office of education, to an operator.
(3) Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.
(j) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. either of the following:
(1) Purposes that customarily take place at the direction of the K12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.
(2) The administration in the state of either of the following:
(A) A standardized test that a K12 student takes for the purpose of bolstering the K12 students application for admission to a postsecondary educational institution or a postsecondary institutions program.
(B) A test used for preparation for a standardized test described by subparagraph (A).
(k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.
(m) This section does not apply to general audience Internet Web sites, internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.
(n) This section does not limit internet service providers from providing internet connectivity to schools or students and their families.
(o) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
(p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.