STUDENT ONLINE PERSONAL PROTECTION S.B. 510:
SUMMARY OF INTRODUCED BILL
IN COMMITTEE
Senate Bill 510 (as introduced 9-24-15)
CONTENT
The bill would create the "Student Online Personal Protection Act" to establish certain prohibitions and requirements that would apply to an "operator", which would mean the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 purposes and was designed and marketed for K-12 purposes. Specifically, the proposed Act would do the following:
-- Prohibit an operator from knowingly engaging in certain targeted advertising, using information gathered by the operator to amass a student profile, or selling a student's information.
-- Prohibit an operator from knowingly disclosing covered information, unless the disclosure were made for certain purposes.
-- Require an operator to implement appropriate security procedures and practices, and protect covered information from unauthorized access, destruction, or use.
-- Allow an operator to disclose a student's covered information if required by law or for legitimate research purposes, or if the information were disclosed to a State or local educational agency for K-12 school purposes.
-- Specify that the Act would not prohibit an operator from using covered information to improve or demonstrate the effectiveness of its educational products or services.
-- Provide that the Act would not limit certain activities or abilities of various parties.
The Act would take effect 90 days after its enactment.
Definitions
"Covered information" would mean personally identifiable information or material in any media or format that is: a) created by or provided to an operator by a student, or the student's parent or legal guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K-12 school purposes; b) created by or provided to an operator by an employee or agent of a K-12 school or school district; or c) gathered by an operator through the operation of a site, service, or application for K-12 school purposes and is descriptive of a student or otherwise identifies a student, including, for example, information in the student's educational record or e-mail, first and last name, home address, telephone number, e-mail address, or other information that allows physical or online contact.
"K-12 school purposes" would mean purposes that customarily take place at the direction of a K-12 school, teacher, or school district or aid in the administration of school activities, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.
Operator Restrictions & Requirements
An operator would be prohibited from knowingly doing any of the following:
-- Engaging in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting were based on any information, including covered information and persistent unique identifiers, that the operator had acquired because of the use of its site, service or application for K-12 purposes.
-- Using information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 purposes.
-- Selling a student's information, including covered information.
The prohibition against selling information would not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complied with the requirements of the proposed Act regarding previously acquired student information.
An operator also would be prohibited from knowingly disclosing covered information, except as otherwise provided, unless the disclosure were made for the following purposes: a) in furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed did not further disclose it except to allow or improve operability and functionality within that student's classroom or K-12 school; b) to ensure legal and regulatory compliance; c) to respond to or participate in the judicial process; or d) to protect the safety of users or the security of the site.
An operator also could disclose covered information to a service provider, if the operator contractually prohibited the provider from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibited the service provider from disclosing covered information provided by the operator to subsequent third parties, and required the service provider to implement and maintain reasonable security procedures and practices. This provision would not prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application. ("Service provider" would mean a company that provides its subscribers with internet access.)
An operator would be required to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that covered information from unauthorized access, destruction, use, modification, or disclosure. An operator also would have to delete a student's covered information if the K-12 school or school district requested deletion of data under the control of the K-12 school or school district.
Allowed Disclosure, Use of Covered Information
An operator would be permitted to disclose a
student's covered information if Federal or State law required the operator to
disclose the information, and the operator complied with Federal and State law
in protecting and disclosing that information. Disclosure also would be allowed
for legitimate research purposes as required by State or Federal law and
subject to the restrictions under applicable State and Federal laws or as
allowed by State or Federal law and under the direction of a K-12 school,
school district, or state Department of Education, if covered information were
not used for advertising or to amass a profile on the student for purposes other
than K-12 school purposes. In addition, an operator could disclose covered
information to a State or local educational agency, including K-12 schools and school districts, for K-12 school purposes, as permitted by State or Federal law.
These provisions would not prohibit an operator from: a) using covered information that was not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products; b) using covered information that was not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in their marketing; or c) sharing aggregated covered information that was not associated with an identified student for the development and improvement of educational sites, services, or applications.
Scope of the Act
The proposed Act would not do the following:
-- Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.
-- Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.
-- Apply to general audience internet websites, online services, online applications, or mobile applications, even if login credentials created for an operator's site, service, or application could be used to gain access to those general audience sites, services, or applications.
-- Limit service providers from providing internet connectivity to schools or students and their families.
-- Prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under the Act.
-- Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with the Act on those applications or software.
-- Impose a duty upon a provider of an interactive computer service to review or enforce compliance with the Act by third-party content providers.
-- Prohibit students from downloading, exporting, saving, or maintaining their own student-created data or documents.
Legislative Analyst: Jeff Mann
FISCAL IMPACT
The bill would have no fiscal impact on State or local government.
This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.