Florida Senate - 2015 SB 480
By Senator Braynon
36-00367-15 2015480__
1 A bill to be entitled
2 An act relating to student data privacy; creating s.
3 1002.223, F.S.; providing a short title; defining the
4 terms “covered information,” “K-12 school purposes,”
5 “operator,” and “targeted advertising”; prohibiting an
6 operator from displaying targeted advertising, using
7 certain information to amass student profiles for
8 certain purposes, or selling or disclosing covered
9 information; providing exceptions; authorizing an
10 operator to use covered information for specified
11 actions; requiring an operator to maintain security
12 procedures for the protection of covered information
13 and to delete covered information under certain
14 circumstances; authorizing an operator to disclose
15 covered information under certain circumstances;
16 specifying certain actions by operators, law
17 enforcement agencies, service providers, and students
18 which are not prohibited by the act; providing an
19 effective date.
20
21 Be It Enacted by the Legislature of the State of Florida:
22
23 Section 1. Section 1002.223, Florida Statutes, is created
24 to read:
25 1002.223 Student online personal information protection.—
26 (1) This section may be cited as the “Student Online
27 Personal Information Protection Act.”
28 (2) As used in this section, the term:
29 (a) “Covered information” means personally identifiable
30 information or material, in any media or format, which is
31 descriptive of a student or otherwise identifies a student,
32 including, but not limited to, information in the student’s
33 education record or e-mail, first and last name, home address,
34 telephone number, e-mail address, information that allows
35 physical or online contact, discipline records, test results,
36 special education data, juvenile dependency records, grades,
37 evaluations, criminal records, medical records, health records,
38 social security number, biometric information, disabilities,
39 socioeconomic information, food purchases, political
40 affiliations, religious information, text messages, documents,
41 student identifiers, search activity, photos, voice recordings,
42 or geolocation information, and which meets at least one of the
43 following:
44 1. Is created or provided to an operator by a student or
45 the student’s parent during the use of the operator’s website,
46 service, or application for K–12 school purposes;
47 2. Is created or provided to an operator by an employee or
48 agent of a K–12 school, a school district, or a local education
49 agency; or
50 3. Is gathered by an operator through the operation of a
51 website, service, or application described in paragraph (c).
52 (b) “K–12 school purposes” means activities that
53 customarily take place at the direction of a K–12 school or
54 teacher or a school district, including, but not limited to,
55 instruction in the classroom or at home, administrative
56 activities, and collaboration between students, school
57 personnel, or parents, or are for the use and benefit of the
58 school.
59 (c) “Operator” means a person who operates a website;
60 online service, including a cloud computing service; online
61 application; or mobile application and who knows that the
62 website, service, or application is used primarily for K–12
63 school purposes and is designed and marketed for K–12 school
64 purposes.
65 (d) “Targeted advertising” means an advertisement that is
66 used based upon information, including covered information and
67 unique identifiers, which the operator has acquired through the
68 use of the operator’s website, service, or application described
69 in paragraph (c).
70 (3) An operator may not knowingly engage in the following
71 activities:
72 (a) Displaying targeted advertising on the operator’s
73 website, service, or application, or target advertising on any
74 other website, service, or application.
75 (b) Using information, including covered information and
76 unique identifiers, created or gathered by the operator’s
77 website, service, or application to amass a profile about a K–12
78 student, except in furtherance of K–12 school purposes.
79 (c) Selling covered information. This prohibition does not
80 apply to the purchase, merger, or other type of acquisition of
81 an operator by another entity if the operator or successor
82 entity continues to comply with the provisions of this section
83 with respect to previously acquired covered information.
84 (d) Disclosing covered information, unless the disclosure
85 is made:
86 1. In furtherance of the K–12 school purpose of the
87 website, service, or application, if the recipient of the
88 covered information does not further disclose the information,
89 unless the disclosure is made to allow or improve operability
90 and functionality within that student’s classroom or school and
91 complies with subsection (4);
92 2. To ensure legal and regulatory compliance;
93 3. To respond to or participate in a judicial process;
94 4. To protect the safety of users or others or the security
95 of the website, service, or application; or
96 5. To a service provider, if the operator contractually:
97 a. Prohibits the service provider from using covered
98 information for a purpose other than providing the contracted
99 service to, or on behalf of, the operator.
100 b. Prohibits the service provider from disclosing covered
101 information provided by the operator to subsequent third
102 parties.
103 c. Requires the service provider to implement and maintain
104 reasonable security procedures and practices as provided in
105 subsection (4).
106
107 This subsection does not prohibit an operator’s use of covered
108 information for maintaining, developing, supporting, improving,
109 or diagnosing the operator’s website, service, or application.
110 (4) An operator shall:
111 (a) Implement and maintain reasonable security procedures
112 and practices appropriate to the nature of the covered
113 information and protect that information from unauthorized
114 access, destruction, use, modification, or disclosure.
115 (b) Delete covered information if the school or school
116 district requests the deletion of such data under the control of
117 the school or school district.
118 (5) Notwithstanding paragraph (3)(d), an operator may
119 disclose covered information under the following circumstances
120 if he or she complies with the requirements in paragraphs
121 (3)(a)-(c):
122 (a) If other provisions of state or federal law require the
123 operator to disclose the information and the operator complies
124 with the requirements of state and federal law in protecting and
125 disclosing that information;
126 (b) For legitimate research purposes, as required or
127 permitted by state or federal law, that are subject to the
128 restrictions under applicable state and federal law and are
129 under the direction of a school, school district, or state
130 department of education if the covered information is not used
131 for any purpose in the furtherance of advertising or to amass a
132 profile about a student for purposes other than K–12 school
133 purposes; or
134 (c) To a state or local education agency, including a
135 school or school district, for K–12 school purposes as permitted
136 by state or federal law.
137 (6) This section does not:
138 (a) Prohibit an operator from using deidentified covered
139 information to improve educational products within a website,
140 service, or application owned by the operator or to demonstrate
141 the effectiveness of the operator’s products or services,
142 including marketing.
143 (b) Prohibit an operator from sharing aggregated
144 deidentified covered information for the development or
145 improvement of educational websites, services, or applications.
146 (c) Prohibit an operator from marketing educational
147 products directly to parents if the marketing does not result
148 from the use of covered information obtained by the operator
149 through the provision of services under this section.
150 (d) Limit the authority of a law enforcement agency to
151 obtain any content or information from an operator as authorized
152 by law or pursuant to an order of a court of competent
153 jurisdiction.
154 (e) Limit the ability of an operator to use student data,
155 including covered information, for adaptive learning or
156 customized student learning purposes.
157 (f) Limit Internet service providers from providing
158 Internet connectivity to schools, students, and parents.
159 (g) Apply to general audience websites, general audience
160 online services, general audience online applications, or
161 general audience mobile applications, even if login credentials
162 created for an operator’s website, service, or application may
163 be used to access those general audience websites, services, or
164 applications.
165 (h) Impede the ability of a student to download, export, or
166 otherwise save or maintain his or her own created data or
167 documents.
168 (i) Impose a duty upon:
169 1. A provider of an electronic store, gateway, marketplace,
170 or other means of purchasing or downloading software or
171 applications to review or enforce compliance with this section
172 on the operators of the software or applications.
173 2. A provider of an interactive computer service, as that
174 term is defined in 47 U.S.C. s. 230, to review or enforce
175 compliance with this section by third-party content providers.
176 Section 2. This act shall take effect July 1, 2015.