Amended IN Assembly March 24, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 1159Introduced by Assembly Member AddisFebruary 20, 2025 An act to amend Section 22575 of Sections 22584 and 22586 of, to add Section 22586.1 to, to add Chapter 22.2.6 (commencing with Section 22587) to Division 8 of, to repeal Section 22587 of, and to repeal and add Section 22585 of, the Business and Professions Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTAB 1159, as amended, Addis. Commercial internet websites: privacy policies. Student personal information.Existing law, the K12 Pupil Online Personal Information Protection Act (KOPIPA), generally protects the personal information of a student enrolled in a K12 course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.Existing law, the Early Learning Personal Information Protection Act (ELPIPA), generally protects the personal information of a child enrolled in a preschool or prekindergarten course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes.This bill would instead apply the provisions of KOPIPA and ELPIPA to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for the applicable school purposes and was designed or marketed for those purposes, as specified. The bill would, among other changes to KOPIPA and ELPIPA related to protecting the personal information of students, prohibit an operator from using information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of the relevant type of school purpose and for the use and benefit of the school.This bill would also enact the Higher Education Student Information Protection Act (HESIPA), which would generally protect the personal information of a student enrolled in a higher education institution, as defined, in a similar manner as KOPIPA and ELPIPA. The bill would make HESIPA operative on July 1, 2026.This bill would authorize a pupil or student actually harmed by the noncompliance with KOPIPA, ELPIPA, or HESIPA to bring a civil action against the noncompliant operator, as prescribed.Existing law requires an operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service to conspicuously make its privacy policy available, as specified.This bill would make nonsubstantive changes to those provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 22584 of the Business and Professions Code is amended to read:22584. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.(4)(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.(5)(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(6)(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(7)(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.(8)(10) Pupil means a student enrolled in a K12 course of instruction.(9)(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.(B) The test is used for preliminary preparation for a test described in subparagraph (A).(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.SEC. 2. Section 22585 of the Business and Professions Code is repealed.22585.This chapter shall become operative on January 1, 2016.SEC. 3. Section 22585 is added to the Business and Professions Code, to read:22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter. (2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.SEC. 4. Section 22586 of the Business and Professions Code is amended to read:22586. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(4)(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.(5)(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.(6)(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application.(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in a judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.SEC. 5. Section 22586.1 is added to the Business and Professions Code, to read:22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.SEC. 6. Section 22587 of the Business and Professions Code is repealed.22587.This chapter shall become operative on July 1, 2017.SEC. 7. Chapter 22.2.6 (commencing with Section 22587) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 22.2.6. Higher Education Student Information Protection Act22587. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.(B) Created or provided by an employee or agent of a higher education institution to an operator.(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.(10) Student means a student enrolled in a higher education institution.(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.(5) Disclose covered information unless the disclosure meets any of the following criteria:(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.(ii) The recipient is legally required to comply with subdivision (d).(B) The disclosure is to ensure legal and regulatory compliance.(C) The disclosure is to respond to or participate in judicial process.(D) The disclosure is to protect the safety of users or others or security of the site.(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.22587.2. This chapter shall become operative on July 1, 2026.SECTION 1.Section 22575 of the Business and Professions Code is amended to read:22575.(a)An operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service shall conspicuously post its privacy policy on its internet website, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.(b)The privacy policy required by subdivision (a) shall do all of the following:(1)Identify the categories of personally identifiable information that the operator collects through the internet website or online service about individual consumers who use or visit its commercial internet website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.(2)If the operator maintains a process for an individual consumer who uses or visits its commercial internet website or online service to review and request changes to any of the consumers personally identifiable information that is collected through the internet website or online service, provide a description of that process.(3)Describe the process by which the operator notifies consumers who use or visit its commercial internet website or online service of material changes to the operators privacy policy for that internet website or online service.(4)Identify its effective date.(5)Disclose how the operator responds to web browser do not track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumers online activities over time and across third-party internet websites or online services, if the operator engages in that collection.(6)Disclose whether other parties may collect personally identifiable information about an individual consumers online activities over time and across different internet websites when a consumer uses the operators internet website or service.(7)An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operators privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
Amended IN Assembly March 24, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 1159Introduced by Assembly Member AddisFebruary 20, 2025 An act to amend Section 22575 of Sections 22584 and 22586 of, to add Section 22586.1 to, to add Chapter 22.2.6 (commencing with Section 22587) to Division 8 of, to repeal Section 22587 of, and to repeal and add Section 22585 of, the Business and Professions Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTAB 1159, as amended, Addis. Commercial internet websites: privacy policies. Student personal information.Existing law, the K12 Pupil Online Personal Information Protection Act (KOPIPA), generally protects the personal information of a student enrolled in a K12 course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.Existing law, the Early Learning Personal Information Protection Act (ELPIPA), generally protects the personal information of a child enrolled in a preschool or prekindergarten course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes.This bill would instead apply the provisions of KOPIPA and ELPIPA to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for the applicable school purposes and was designed or marketed for those purposes, as specified. The bill would, among other changes to KOPIPA and ELPIPA related to protecting the personal information of students, prohibit an operator from using information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of the relevant type of school purpose and for the use and benefit of the school.This bill would also enact the Higher Education Student Information Protection Act (HESIPA), which would generally protect the personal information of a student enrolled in a higher education institution, as defined, in a similar manner as KOPIPA and ELPIPA. The bill would make HESIPA operative on July 1, 2026.This bill would authorize a pupil or student actually harmed by the noncompliance with KOPIPA, ELPIPA, or HESIPA to bring a civil action against the noncompliant operator, as prescribed.Existing law requires an operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service to conspicuously make its privacy policy available, as specified.This bill would make nonsubstantive changes to those provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO
Amended IN Assembly March 24, 2025
Amended IN Assembly March 24, 2025
CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION
Assembly Bill
No. 1159
Introduced by Assembly Member AddisFebruary 20, 2025
Introduced by Assembly Member Addis
February 20, 2025
An act to amend Section 22575 of Sections 22584 and 22586 of, to add Section 22586.1 to, to add Chapter 22.2.6 (commencing with Section 22587) to Division 8 of, to repeal Section 22587 of, and to repeal and add Section 22585 of, the Business and Professions Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1159, as amended, Addis. Commercial internet websites: privacy policies. Student personal information.
Existing law, the K12 Pupil Online Personal Information Protection Act (KOPIPA), generally protects the personal information of a student enrolled in a K12 course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.Existing law, the Early Learning Personal Information Protection Act (ELPIPA), generally protects the personal information of a child enrolled in a preschool or prekindergarten course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes.This bill would instead apply the provisions of KOPIPA and ELPIPA to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for the applicable school purposes and was designed or marketed for those purposes, as specified. The bill would, among other changes to KOPIPA and ELPIPA related to protecting the personal information of students, prohibit an operator from using information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of the relevant type of school purpose and for the use and benefit of the school.This bill would also enact the Higher Education Student Information Protection Act (HESIPA), which would generally protect the personal information of a student enrolled in a higher education institution, as defined, in a similar manner as KOPIPA and ELPIPA. The bill would make HESIPA operative on July 1, 2026.This bill would authorize a pupil or student actually harmed by the noncompliance with KOPIPA, ELPIPA, or HESIPA to bring a civil action against the noncompliant operator, as prescribed.Existing law requires an operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service to conspicuously make its privacy policy available, as specified.This bill would make nonsubstantive changes to those provisions.
Existing law, the K12 Pupil Online Personal Information Protection Act (KOPIPA), generally protects the personal information of a student enrolled in a K12 course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K12 school purposes and was designed and marketed for K12 school purposes.
Existing law, the Early Learning Personal Information Protection Act (ELPIPA), generally protects the personal information of a child enrolled in a preschool or prekindergarten course of instruction, defined as a pupil, by prescribing requirements and prohibitions applicable to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes.
This bill would instead apply the provisions of KOPIPA and ELPIPA to an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for the applicable school purposes and was designed or marketed for those purposes, as specified. The bill would, among other changes to KOPIPA and ELPIPA related to protecting the personal information of students, prohibit an operator from using information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of the relevant type of school purpose and for the use and benefit of the school.
This bill would also enact the Higher Education Student Information Protection Act (HESIPA), which would generally protect the personal information of a student enrolled in a higher education institution, as defined, in a similar manner as KOPIPA and ELPIPA. The bill would make HESIPA operative on July 1, 2026.
This bill would authorize a pupil or student actually harmed by the noncompliance with KOPIPA, ELPIPA, or HESIPA to bring a civil action against the noncompliant operator, as prescribed.
Existing law requires an operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service to conspicuously make its privacy policy available, as specified.
This bill would make nonsubstantive changes to those provisions.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 22584 of the Business and Professions Code is amended to read:22584. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.(4)(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.(5)(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(6)(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(7)(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.(8)(10) Pupil means a student enrolled in a K12 course of instruction.(9)(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.(B) The test is used for preliminary preparation for a test described in subparagraph (A).(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.SEC. 2. Section 22585 of the Business and Professions Code is repealed.22585.This chapter shall become operative on January 1, 2016.SEC. 3. Section 22585 is added to the Business and Professions Code, to read:22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter. (2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.SEC. 4. Section 22586 of the Business and Professions Code is amended to read:22586. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(4)(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.(5)(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.(6)(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application.(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in a judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.SEC. 5. Section 22586.1 is added to the Business and Professions Code, to read:22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.SEC. 6. Section 22587 of the Business and Professions Code is repealed.22587.This chapter shall become operative on July 1, 2017.SEC. 7. Chapter 22.2.6 (commencing with Section 22587) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 22.2.6. Higher Education Student Information Protection Act22587. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.(B) Created or provided by an employee or agent of a higher education institution to an operator.(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.(10) Student means a student enrolled in a higher education institution.(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.(5) Disclose covered information unless the disclosure meets any of the following criteria:(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.(ii) The recipient is legally required to comply with subdivision (d).(B) The disclosure is to ensure legal and regulatory compliance.(C) The disclosure is to respond to or participate in judicial process.(D) The disclosure is to protect the safety of users or others or security of the site.(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.22587.2. This chapter shall become operative on July 1, 2026.SECTION 1.Section 22575 of the Business and Professions Code is amended to read:22575.(a)An operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service shall conspicuously post its privacy policy on its internet website, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.(b)The privacy policy required by subdivision (a) shall do all of the following:(1)Identify the categories of personally identifiable information that the operator collects through the internet website or online service about individual consumers who use or visit its commercial internet website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.(2)If the operator maintains a process for an individual consumer who uses or visits its commercial internet website or online service to review and request changes to any of the consumers personally identifiable information that is collected through the internet website or online service, provide a description of that process.(3)Describe the process by which the operator notifies consumers who use or visit its commercial internet website or online service of material changes to the operators privacy policy for that internet website or online service.(4)Identify its effective date.(5)Disclose how the operator responds to web browser do not track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumers online activities over time and across third-party internet websites or online services, if the operator engages in that collection.(6)Disclose whether other parties may collect personally identifiable information about an individual consumers online activities over time and across different internet websites when a consumer uses the operators internet website or service.(7)An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operators privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 22584 of the Business and Professions Code is amended to read:22584. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.(4)(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.(5)(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(6)(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(7)(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.(8)(10) Pupil means a student enrolled in a K12 course of instruction.(9)(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.(B) The test is used for preliminary preparation for a test described in subparagraph (A).(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
SECTION 1. Section 22584 of the Business and Professions Code is amended to read:
### SECTION 1.
22584. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.(4)(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.(5)(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(6)(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(7)(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.(8)(10) Pupil means a student enrolled in a K12 course of instruction.(9)(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.(B) The test is used for preliminary preparation for a test described in subparagraph (A).(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22584. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.(4)(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.(5)(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(6)(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(7)(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.(8)(10) Pupil means a student enrolled in a K12 course of instruction.(9)(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.(B) The test is used for preliminary preparation for a test described in subparagraph (A).(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22584. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.(4)(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.(5)(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(6)(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(7)(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.(8)(10) Pupil means a student enrolled in a K12 course of instruction.(9)(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.(B) The test is used for preliminary preparation for a test described in subparagraph (A).(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22584. (a) For purposes of this chapter:
(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.
(1)
(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).
(2)
(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:
(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for K12 school purposes.
(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.
(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.
(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.
(3)
(5) K12 school purposes means purposes that customarily take place at the direction of the K12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.
(4)
(6) Local educational agency means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.
(5)
(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.
(6)
(8) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.
(7)
(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is usedprimarily for K12 school purposes and was designed and or marketed for K12 school purposes. purposes, including a provider of digital educational software or services, including digital course books.
(8)
(10) Pupil means a student enrolled in a K12 course of instruction.
(9)
(11) Standardized test means a test administered in California at the expense of the test subject that meets either of the following criteria:
(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.
(B) The test is used for preliminary preparation for a test described in subparagraph (A).
(12) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.
(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:
(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application application, including via email or other direct communication to the pupil, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K12 school purposes.
(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information. information, unless the sale meets either of the following criteria:
(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.
(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.
(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:
(A) In The disclosure is in furtherance of the K12 purpose of the site, service, or application, provided application and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:
(i) Shall The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils classroom or school; and school.
(ii) Is The recipient is legally required to comply with subdivision (d); (d).
(B) To The disclosure is to ensure legal and regulatory compliance; compliance.
(C) To The disclosure is to respond to or participate in judicial process; process.
(D) To The disclosure is to protect the safety of users or others or security of the site; or site.
(E) To The disclosure is to a service provider, provided and the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(F) By a national assessment provider to a K12 school, local educational agency, or higher education institution, as defined in Section 22587, solely for assessment, admissions, or other K12 school purposes or higher education purposes, as defined in Section 22587, for the benefit and use of the receiving institution.
(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of the school.
(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:
(A) The covered information is relevant and limited to what is necessary in relation to a K12 school purpose and for the use and benefit of the school.
(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).
(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.
(d) An operator shall do all of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) (A) Delete a pupils covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.
(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.
(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.
(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.
(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.
(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.
(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.
(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or K12 personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).
(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:
(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.
(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K12 school purposes.
(3) To a state or local educational agency, including schools of local educational agencies, for K12 school purposes, as permitted by state or federal law.
(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:
(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.
(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.
(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.
(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for K12 school purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.
(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.
(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.
(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
SEC. 2. Section 22585 of the Business and Professions Code is repealed.22585.This chapter shall become operative on January 1, 2016.
SEC. 2. Section 22585 of the Business and Professions Code is repealed.
### SEC. 2.
22585.This chapter shall become operative on January 1, 2016.
This chapter shall become operative on January 1, 2016.
SEC. 3. Section 22585 is added to the Business and Professions Code, to read:22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter. (2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
SEC. 3. Section 22585 is added to the Business and Professions Code, to read:
### SEC. 3.
22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter. (2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter. (2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter. (2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22585. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:
(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.
(2) Injunctive relief.
(3) Punitive damages.
(4) Reasonable attorneys fees and costs.
(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:
(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.
(B) Demand that the operator correct and remedy the alleged violations.
(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.
(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).
(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:
(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.
(2) Any similarly situated pupil identified has been made, notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.
(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.
(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.
(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.
(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
SEC. 4. Section 22586 of the Business and Professions Code is amended to read:22586. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(4)(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.(5)(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.(6)(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application.(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in a judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
SEC. 4. Section 22586 of the Business and Professions Code is amended to read:
### SEC. 4.
22586. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(4)(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.(5)(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.(6)(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application.(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in a judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22586. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(4)(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.(5)(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.(6)(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application.(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in a judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22586. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(1)(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(2)(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(3)(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.(4)(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.(5)(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.(6)(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application.(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.(ii) Is The recipient is legally required to comply with subdivision (d); (d).(B) To The disclosure is to ensure legal and regulatory compliance; compliance.(C) To The disclosure is to respond to or participate in a judicial process; process.(D) To The disclosure is to protect the safety of users or others or security of the site; or site.(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22586. (a) For purposes of this chapter:
(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.
(1)
(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).
(2)
(3) Covered information means personally identifiable information or materials, in any media or format that meets any of the following:
(A) Is created or provided by a pupil, or the pupils parent or legal guardian, to an operator in the course of the pupils, parents, or legal guardians use of the operators site, service, or application for preschool and prekindergarten purposes.
(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.
(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupils educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.
(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.
(3)
(5) Online service includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.
(4)
(6) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes. purposes, including a provider of digital educational software or services, including digital course books.
(5)
(7) Preschool or prekindergarten purposes means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.
(6)
(8) Pupil means a child enrolled in a preschool or prekindergarten course of instruction.
(9) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.
(b) An operator shall not knowingly engage in any of the following activities with respect to their the operators site, service, or application:
(1) (A) Engage in targeted advertising on the operators site, service, or application.
(B) Target advertising on any other site, service, or application application, including via email or other direct communication to the pupil when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (4) of subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.
(3) Sell a pupils information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.
(4) Disclose covered information unless the disclosure is made: meets any of the following criteria:
(A) In The disclosure is in furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that and the recipient of the covered information disclosed pursuant to this subparagraph: subparagraph meets both of the following criteria:
(i) Shall not The recipient does not further disclose the information unless done to allow or improve operability and functionality within that pupils preschool or prekindergarten.
(ii) Is The recipient is legally required to comply with subdivision (d); (d).
(B) To The disclosure is to ensure legal and regulatory compliance; compliance.
(C) To The disclosure is to respond to or participate in a judicial process; process.
(D) To The disclosure is to protect the safety of users or others or security of the site; or site.
(E) To The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(5) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.
(6) Collect, use, retain, or disclose covered information relating to a pupils reproductive or sexual health, immigration status, or sexual orientation or gender identity, except if both of the following are true:
(A) The covered information is relevant and limited to what is necessary in relation to preschool or prekindergarten purposes and for the use and benefit of the preschool or prekindergarten.
(B) In the case of disclosure to third parties, the disclosure is strictly necessary to further the purpose described in subparagraph (A).
(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.
(d) An operator shall do all of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) Delete a pupils covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.
(3) (A) Delete a pupils CCPA-excluded covered information under the operators control if a pupils parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operators control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.
(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.
(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.
(B) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider that include only standardized test results.
(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a pupil, parent, or preschool or prekindergarten personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).
(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:
(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.
(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.
(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.
(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:
(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operators products or services, including in their marketing.
(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.
(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(i) This section does not limit the ability of an operator to use a pupils data, including covered information, for adaptive learning or customized early learning purposes.
(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, applications that are not designed or marketed for preschool or prekindergarten purposes, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.
(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.
(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.
(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
SEC. 5. Section 22586.1 is added to the Business and Professions Code, to read:22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
SEC. 5. Section 22586.1 is added to the Business and Professions Code, to read:
### SEC. 5.
22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22586.1. (a) A pupil, or the pupils parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of pupils against that operator to recover or obtain any of the following relief:
(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.
(2) Injunctive relief.
(3) Punitive damages.
(4) Reasonable attorneys fees and costs.
(b) (1) At least 45 days before bringing an action pursuant to this section, a pupil shall do both of the following:
(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.
(B) Demand that the operator correct and remedy the alleged violations.
(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.
(c) An action pursuant to this section brought by a pupil only on that pupils behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the pupil within 30 days after receipt of the notice required by subdivision (b).
(d) An action pursuant to this section brought by a pupil on both the pupils behalf and on behalf of a similarly situated class of pupils shall not be maintained upon a showing by an operator that all of the following are true:
(1) Any pupil similarly situated has been identified, or a reasonable effort to identify the pupil has been made.
(2) Any similarly situated pupil identified has been notified that, upon the pupils request, the operator shall make the appropriate correction and remedy.
(3) The correction and remedy requested by the pupil has been made, or in a reasonable time will be made.
(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.
(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.
(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
SEC. 6. Section 22587 of the Business and Professions Code is repealed.22587.This chapter shall become operative on July 1, 2017.
SEC. 6. Section 22587 of the Business and Professions Code is repealed.
### SEC. 6.
22587.This chapter shall become operative on July 1, 2017.
This chapter shall become operative on July 1, 2017.
SEC. 7. Chapter 22.2.6 (commencing with Section 22587) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 22.2.6. Higher Education Student Information Protection Act22587. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.(B) Created or provided by an employee or agent of a higher education institution to an operator.(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.(10) Student means a student enrolled in a higher education institution.(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.(5) Disclose covered information unless the disclosure meets any of the following criteria:(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.(ii) The recipient is legally required to comply with subdivision (d).(B) The disclosure is to ensure legal and regulatory compliance.(C) The disclosure is to respond to or participate in judicial process.(D) The disclosure is to protect the safety of users or others or security of the site.(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.22587.2. This chapter shall become operative on July 1, 2026.
SEC. 7. Chapter 22.2.6 (commencing with Section 22587) is added to Division 8 of the Business and Professions Code, to read:
### SEC. 7.
CHAPTER 22.2.6. Higher Education Student Information Protection Act22587. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.(B) Created or provided by an employee or agent of a higher education institution to an operator.(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.(10) Student means a student enrolled in a higher education institution.(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.(5) Disclose covered information unless the disclosure meets any of the following criteria:(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.(ii) The recipient is legally required to comply with subdivision (d).(B) The disclosure is to ensure legal and regulatory compliance.(C) The disclosure is to respond to or participate in judicial process.(D) The disclosure is to protect the safety of users or others or security of the site.(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.22587.2. This chapter shall become operative on July 1, 2026.
CHAPTER 22.2.6. Higher Education Student Information Protection Act22587. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.(B) Created or provided by an employee or agent of a higher education institution to an operator.(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.(10) Student means a student enrolled in a higher education institution.(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.(5) Disclose covered information unless the disclosure meets any of the following criteria:(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.(ii) The recipient is legally required to comply with subdivision (d).(B) The disclosure is to ensure legal and regulatory compliance.(C) The disclosure is to respond to or participate in judicial process.(D) The disclosure is to protect the safety of users or others or security of the site.(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.22587.2. This chapter shall become operative on July 1, 2026.
CHAPTER 22.2.6. Higher Education Student Information Protection Act
CHAPTER 22.2.6. Higher Education Student Information Protection Act
22587. (a) For purposes of this chapter:(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.(B) Created or provided by an employee or agent of a higher education institution to an operator.(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.(10) Student means a student enrolled in a higher education institution.(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.(5) Disclose covered information unless the disclosure meets any of the following criteria:(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.(ii) The recipient is legally required to comply with subdivision (d).(B) The disclosure is to ensure legal and regulatory compliance.(C) The disclosure is to respond to or participate in judicial process.(D) The disclosure is to protect the safety of users or others or security of the site.(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.(d) An operator shall do all of the following:(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22587. (a) For purposes of this chapter:
(1) Artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.
(2) California Consumer Privacy Act-excluded covered information or CCPA-excluded covered information means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).
(3) Covered information means personally identifiable information or materials, in any media or format, that is any of the following:
(A) Created or provided by a student to an operator in the course of the students use of the operators site, service, or application for higher education purposes.
(B) Created or provided by an employee or agent of a higher education institution to an operator.
(C) Gathered by an operator through the operation of a site, service, or application described in paragraph (8) and is descriptive of a student, or otherwise identifies a student, including, but not limited to, information in the students educational record or email, first and last name, home address, telephone number, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, online search activity, photographs, voice recordings, or geolocation information.
(4) Generative artificial intelligence has the same meaning as defined in Section 3110 of the Civil Code.
(5) Higher education institution means a postsecondary institution, vocational program, or postgraduate program that is accredited by an accrediting agency or organization recognized by the state or the United States Department of Education.
(6) Higher education purposes means purposes that customarily take place at the direction of the instructor or higher education institution or aid in the administration of higher education institution activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students and higher education institution personnel or are for the use and benefit of the higher education institution.
(7) National assessment provider means a person that develops, sponsors, or administers standardized tests.
(8) Online service includes a cloud computing service, which shall comply with this section if it is an operator.
(9) Operator means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for higher educational purposes and was designed and marketed for higher educational purposes, including a provider of digital educational software or services, including digital course books.
(10) Student means a student enrolled in a higher education institution.
(11) Train a generative artificial intelligence system or service has the same meaning as defined in Section 3110 of the Civil Code.
(b) An operator shall not knowingly engage in any of the following activities with respect to the operators site, service, or application:
(1) (A) Engage in targeted advertising on the operators site, service, or application, or (B) target advertising on any other site, service, or application, including via email or other direct communication to the student, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operators site, service, or application described in paragraph (6) of subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to amass a profile about a student, unless it is in the furtherance of higher education purposes.
(3) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application, to train a generative artificial intelligence system or service or develop an artificial intelligence system, unless it is in the furtherance of higher educational purposes and for the use and benefit of the higher education institution.
(4) Sell a students information, including covered information, unless the sale meets either of the following criteria:
(A) The sale is for the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.
(B) The sale is made by a national assessment provider to a K12 school, local educational agency, or higher education institution solely for assessment, admissions, or other K12 school purposes or higher education purposes for the benefit and use of the receiving institution.
(5) Disclose covered information unless the disclosure meets any of the following criteria:
(A) The disclosure is in furtherance of the higher education purposes of the site, service, or application, and the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:
(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that students higher education institution.
(ii) The recipient is legally required to comply with subdivision (d).
(B) The disclosure is to ensure legal and regulatory compliance.
(C) The disclosure is to respond to or participate in judicial process.
(D) The disclosure is to protect the safety of users or others or security of the site.
(E) The disclosure is to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(F) The disclosure is by a national assessment provider to a higher education institution, or K12 school or local educational agency, as defined in Section 22584, solely for assessment, admissions, or other higher education purposes or K12 school purposes, as defined in Section 22584, for the use and benefit of the receiving institution.
(G) The disclosure is for legitimate research purposes under the direction of a higher education institution or state department of education and covered information is not used for advertising or to amass a profile on the student for purposes other than higher education purposes.
(H) The disclosure is to a state agency or higher education institution, including schools of local educational agencies, for higher education purposes.
(6) Use information, including persistent unique identifiers, created or gathered by the operators site, service, or application to train a generative artificial intelligence system or service or develop an artificial intelligence system unless it is in the furtherance of a K12 school purpose and for the use and benefit of a school.
(c) Subdivision (b) does not prohibit the operators use of information for maintaining, developing, supporting, improving, or diagnosing the operators site, service, or application.
(d) An operator shall do all of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) Delete a students covered information if the higher education institution requests deletion of data under the control of the higher education institution.
(3) (A) Delete a students CCPA-excluded covered information under the operators control if a student or, if the student is under 18 years of age, the students parent or guardian or education rights holder requests an operator to delete the covered information under the operators control if the student has been no longer enrolled in the higher education institution for at least 60 days.
(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the student is no longer enrolled in the higher education institution.
(4) (A) Subject to subparagraph (B), retain covered information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected and delete the information using reasonable measures to protect against unauthorized access to, or use or disclosure of, the information in connection with its deletion when the specific purpose for which the information was collected is accomplished.
(B) This paragraph does not require deletion of mandatory permanent student records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a student and maintained by the operator or higher education institution, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all of the material kept in the pupils cumulative folder that is maintained by the higher education institution, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or student records held by a national assessment provider that include only standardized test results.
(5) Establish, implement, and maintain a written data retention policy, which shall be made available upon request to a student or higher education personnel that states the purposes for which covered information is collected, the purpose for retaining the information, and a timeframe for deleting the information pursuant to paragraph (4).
(e) This section does not prohibit an operator from using deidentified student covered information for either of the following purposes:
(1) Within the operators site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operators products or services, including in the operators marketing.
(f) This section does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications.
(g) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(h) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.
(i) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications that are not designed or marketed for a higher education purpose, even if login credentials created for an operators site, service, or application may be used to access those general audience sites, services, or applications.
(j) This section does not limit internet service providers from providing internet connectivity to higher education institutions or students.
(k) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(l) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(m) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.
(n) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.
22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.(2) Injunctive relief.(3) Punitive damages.(4) Reasonable attorneys fees and costs.(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.(B) Demand that the operator correct and remedy the alleged violations.(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22587.1. (a) A student, or the students parent or guardian, who suffers actual damages as a result of an operators failure to comply with this chapter may, subject to subdivisions (b) to (e), inclusive, bring an action on that persons behalf and on behalf of a similarly situated class of students against that operator to recover or obtain any of the following relief:
(1) The greater of actual damages or five hundred dollars ($500) per plaintiff, per violation.
(2) Injunctive relief.
(3) Punitive damages.
(4) Reasonable attorneys fees and costs.
(b) (1) At least 45 days before bringing an action pursuant to this section, a student shall do both of the following:
(A) Provide written notice to the operator alleged to have violated this chapter regarding the nature of the alleged violations.
(B) Demand that the operator correct and remedy the alleged violations.
(2) The notice required by this subdivision shall be sent by certified or registered mail, return receipt requested, to the operators address on file with the state or to the operators principal place of business within the state.
(c) An action pursuant to this section brought by a student only on that students behalf shall not be maintained upon a showing by an operator that an appropriate correction and remedy has been made, or agreed to be made within a reasonable time, to the student within 30 days after receipt of the notice required by subdivision (b).
(d) An action pursuant to this section brought by a student on both the students behalf and on behalf of a similarly situated class of students shall not be maintained upon a showing by an operator that all of the following are true:
(1) Any student similarly situated has been identified, or a reasonable effort to identify the student has been made.
(2) Any similarly situated student identified has been notified that, upon the students request, the operator shall make the appropriate correction and remedy.
(3) The correction and remedy requested by the student has been made, or in a reasonable time will be made.
(4) The operator has ceased, or will cease within a reasonable time, violating this chapter.
(e) (1) Attempts to comply with a demand described in subdivision (b) by an operator shall be deemed an offer to compromise and shall be inadmissible under Section 1152 of the Evidence Code and shall not be deemed an admission of violating this chapter.
(2) A defendant may introduce evidence of compliance or attempts to comply with this section for the purpose of establishing good faith or to show compliance with this chapter.
22587.2. This chapter shall become operative on July 1, 2026.
22587.2. This chapter shall become operative on July 1, 2026.
(a)An operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service shall conspicuously post its privacy policy on its internet website, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(b)The privacy policy required by subdivision (a) shall do all of the following:
(1)Identify the categories of personally identifiable information that the operator collects through the internet website or online service about individual consumers who use or visit its commercial internet website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2)If the operator maintains a process for an individual consumer who uses or visits its commercial internet website or online service to review and request changes to any of the consumers personally identifiable information that is collected through the internet website or online service, provide a description of that process.
(3)Describe the process by which the operator notifies consumers who use or visit its commercial internet website or online service of material changes to the operators privacy policy for that internet website or online service.
(4)Identify its effective date.
(5)Disclose how the operator responds to web browser do not track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumers online activities over time and across third-party internet websites or online services, if the operator engages in that collection.
(6)Disclose whether other parties may collect personally identifiable information about an individual consumers online activities over time and across different internet websites when a consumer uses the operators internet website or service.
(7)An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operators privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.