ENROLLED
2023 Legislature SB 662, 2nd Engrossed
2023662er
1
2 An act relating to student online personal information
3 protection; providing a short title; creating s.
4 1006.1494, F.S.; defining terms; prohibiting operators
5 from knowingly engaging in specified activities
6 relating to students’ covered information; providing
7 an exception; specifying the duties of an operator;
8 providing circumstances under which an operator may
9 disclose students’ covered information; providing
10 construction; providing for enforcement under the
11 Florida Deceptive and Unfair Trade Practices Act;
12 providing that the Department of Legal Affairs is the
13 sole entity authorized to bring specified actions;
14 authorizing the State Board of Education to adopt
15 rules; providing an effective date.
16
17 Be It Enacted by the Legislature of the State of Florida:
18
19 Section 1. This act may be cited as the “Student Online
20 Personal Information Protection Act.”
21 Section 2. Section 1006.1494, Florida Statutes, is created
22 to read:
23 1006.1494 Student online personal information protection.—
24 (1) As used in this section, the term:
25 (a) “Covered information” means personal identifying
26 information or material of a student, or information linked to
27 personal identifying information or material of a student, in
28 any media or format that is not publicly available and is any of
29 the following:
30 1. Created by or provided to an operator by the student, or
31 the student’s parent or legal guardian, in the course of the
32 student’s, parent’s, or legal guardian’s use of the operator’s
33 site, service, or application for K–12 school purposes.
34 2. Created by or provided to an operator by an employee or
35 agent of a K-12 school or school district for K-12 school
36 purposes.
37 3. Gathered by an operator through the operation of its
38 site, service, or application for K-12 school purposes and
39 personally identifies a student, including, but not limited to,
40 information in the student’s educational record or electronic
41 mail, first and last name, home address, telephone number,
42 electronic mail address, or other information that allows
43 physical or online contact, discipline records, test results,
44 special education data, juvenile dependency records, grades,
45 evaluations, criminal records, medical records, health records,
46 social security number, biometric information, disabilities,
47 socioeconomic information, food purchases, political
48 affiliations, religious information, text messages, documents,
49 student identifiers, search activity, photos, voice recordings,
50 or geolocation information.
51 (b) “Interactive computer service” means any information
52 service, system, or access software provider that provides or
53 enables computer access by multiple users to a computer server,
54 including a service or system that provides access to the
55 Internet and such systems operated or services offered by
56 libraries or educational institutions.
57 (c) “K-12 school” has the same meaning as described in s.
58 1000.04(2).
59 (d) “K–12 school purposes” means purposes directed by or
60 that customarily take place at the direction of a K-12 school,
61 teacher, or school district or that aid in the administration of
62 school activities, including, but not limited to, instruction in
63 the classroom or at home, administrative activities, and
64 collaboration between students, school personnel, or parents, or
65 that are otherwise for the use and benefit of the school.
66 (e) “Operator” means, to the extent that it is operating in
67 this capacity, the operator of an Internet website, online
68 service, online application, or mobile application with actual
69 knowledge that the site, service, or application is used
70 primarily for K–12 school purposes, or the site, service, or
71 application was designed and marketed for K–12 school purposes.
72 (f) “School district” has the same meaning as in s.
73 595.402.
74 (g) “Targeted advertising” means presenting advertisements
75 to a student which are selected on the basis of information
76 obtained or inferred over time from that student’s online
77 behavior, usage of applications, or covered information. The
78 term does not include advertising to a student at an online
79 location based upon the student’s current visit to that
80 location, or advertising presented in response to a student’s
81 request for information or feedback, if the student’s online
82 activities or requests are not retained over time for the
83 purpose of targeting subsequent advertisements to that student.
84 (2) An operator may not knowingly do any of the following:
85 (a) Engage in targeted advertising on the operator’s site,
86 service, or application, or targeted advertising on any other
87 site, service, or application if the targeting of the
88 advertising is based on any information, including covered
89 information and persistent unique identifiers, which the
90 operator has acquired because of the use of that operator’s
91 site, service, or application for K-12 school purposes.
92 (b) Use covered information, including persistent unique
93 identifiers, created or gathered by the operator’s site,
94 service, or application to amass a profile of a student, except
95 in furtherance of K–12 school purposes. The term “amass a
96 profile” does not include the collection and retention of
97 account information that remains under the control of the
98 student or the student’s parent or guardian or K-12 school.
99 (c) Share, sell, or rent a student’s information, including
100 covered information. This paragraph does not apply to the
101 purchase, merger, or other acquisition of an operator by a third
102 party, if the third party complies with this section regarding
103 previously acquired student information, or to a national
104 assessment provider if the provider obtains the express written
105 consent of the parent or student, given in response to clear and
106 conspicuous notice, solely to provide access to employment,
107 educational scholarships or financial aid, or postsecondary
108 educational opportunities.
109 (d) Except as otherwise provided in subsection (4),
110 disclose covered information, unless the disclosure is made for
111 any of the following purposes:
112 1. In furtherance of the K–12 school purpose of the site,
113 service, or application, if the recipient of the covered
114 information disclosed under this subparagraph does not further
115 disclose the information.
116 2. Disclosure as required by state or federal law.
117 3. To comply with the order of a court or quasi-judicial
118 entity.
119 4. To protect the safety or integrity of users of the site
120 or others or the security of the site, service, or application.
121 5. For a school, educational, or employment purpose
122 requested by the student or the student’s parent or guardian,
123 provided that the information is not used or further disclosed
124 for any other purpose.
125 6. To a third party, if the operator contractually
126 prohibits the third party from using any covered information for
127 any purpose other than providing the contracted service to or on
128 behalf of the operator, prohibits the third party from
129 disclosing any covered information provided by the operator with
130 subsequent third parties, and requires the third party to
131 implement and maintain reasonable security procedures and
132 practices. An operator may not disclose covered information
133 relating to any contracted services provided in paragraph (a),
134 paragraph (b), or paragraph (c).
135 (3) An operator shall do all of the following:
136 (a) Collect no more covered information than is reasonably
137 necessary to operate an Internet website, online service, online
138 application, or mobile application with actual knowledge that
139 the site, service, or application is used primarily for K–12
140 school purposes, or the site, service, or application was
141 designed and marketed for K–12 school purposes.
142 (b) Implement and maintain reasonable security procedures
143 and practices appropriate to the nature of the covered
144 information which are designed to protect it from unauthorized
145 access, destruction, use, modification, or disclosure.
146 (c) Unless a parent or guardian expressly consents to the
147 operator retaining a student’s covered information, delete the
148 covered information at the conclusion of the course or
149 corresponding program and no later than 90 days after a student
150 is no longer enrolled in a school within the district, upon
151 notice by the school district.
152 (4) An operator may use or disclose covered information of
153 a student under any of the following circumstances:
154 (a) If federal or state law requires the operator to
155 disclose the information, and the operator complies with federal
156 or state law, as applicable, in protecting and disclosing that
157 information.
158 (b) If the covered information is disclosed to a state
159 educational agency or the student’s local educational agency for
160 K-12 school purposes, as allowed under state or federal law.
161 (c) If the covered information is disclosed to a state or
162 local educational agency, including K-12 schools and school
163 districts, for K–12 school purposes, as allowed under state or
164 federal law.
165 (5) This section does not prohibit an operator from doing
166 any of the following:
167 (a) Using covered information to improve educational
168 products, if that information is not associated with an
169 identified student within the operator’s site, service, or
170 application, or other sites, services, or applications owned by
171 the operator.
172 (b) Using covered information that is not associated with
173 an identified student to demonstrate the effectiveness of the
174 operator’s products or services, including use in their
175 marketing.
176 (c) Sharing covered information that is not associated with
177 an identified student for the development and improvement of
178 educational sites, services, or applications.
179 (d) Using recommendation engines to recommend to a student
180 any of the following:
181 1. Additional content relating to an educational, an
182 employment, or any other learning opportunity purpose within an
183 online site, service, or application, if the recommendation is
184 not determined in whole or in part by payment or other
185 consideration from a third party.
186 2. Additional services relating to an educational, an
187 employment, or any other learning opportunity purpose within an
188 online site, service, or application, if the recommendation is
189 not determined in whole or in part by payment or other
190 consideration from a third party.
191 (e) Responding to a student’s request for information or
192 feedback without the information or response being determined in
193 whole or in part by payment or other consideration from a third
194 party.
195 (6) This section does not do any of the following:
196 (a) Limit the authority of a law enforcement agency to
197 obtain any content or information from an operator as authorized
198 by law or under a court order.
199 (b) Limit the ability of an operator to use student data,
200 including covered information, for adaptive learning or
201 customized student learning purposes.
202 (c) Apply to general audience Internet websites, general
203 audience online services, general audience online applications,
204 or general audience mobile applications, even if login
205 credentials created for an operator’s site, service, or
206 application may be used to access those general audience sites,
207 services, or applications.
208 (d) Limit service providers from providing Internet
209 connectivity to schools or students and their families.
210 (e) Prohibit an operator of an Internet website, online
211 service, online application, or mobile application from
212 marketing educational products directly to parents, if such
213 marketing did not result from the use of covered information
214 obtained by the operator through the provision of services
215 covered under this section.
216 (f) Impose a duty upon a provider of an electronic store,
217 gateway, marketplace, or other means of purchasing or
218 downloading software or applications to review or enforce
219 compliance with this section on such software or applications.
220 (g) Impose a duty upon a provider of an interactive
221 computer service to review or enforce compliance with this
222 section by third-party content providers.
223 (h) Prohibit students from downloading, exporting,
224 transferring, saving, or maintaining their own student data or
225 documents.
226 (i) Limit the retention of covered information by an
227 operator for the purposes of assessments and college and career
228 planning in accordance with general law.
229 (7) Any violation of this section is a deceptive and unfair
230 trade practice and constitutes a violation of the Florida
231 Deceptive and Unfair Trade Practices Act, part II of chapter
232 501. Notwithstanding the provisions of part II of chapter 501,
233 the Department of Legal Affairs is the sole entity authorized to
234 bring an enforcement action against an entity that violates this
235 section.
236
237 The State Board of Education may adopt rules to implement this
238 section.
239 Section 3. This act shall take effect July 1, 2023.