Florida Senate - 2016 SB 1146
By Senator Montford
3-00149-16 20161146__
1 A bill to be entitled
2 An act relating to student data privacy; creating s.
3 1002.223, F.S.; providing a short title; defining
4 terms; prohibiting an operator from displaying
5 targeted advertising, using certain information to
6 amass student profiles for certain purposes, or
7 selling or disclosing covered information; providing
8 exceptions; authorizing an operator to use covered
9 information for specified actions; requiring an
10 operator to maintain security procedures for the
11 protection of covered information and to delete
12 covered information under certain circumstances;
13 authorizing an operator to disclose covered
14 information under certain circumstances; providing
15 that certain actions by operators, law enforcement
16 agencies, service providers, and students are not
17 prohibited; providing an effective date.
18
19 Be It Enacted by the Legislature of the State of Florida:
20
21 Section 1. Section 1002.223, Florida Statutes, is created
22 to read:
23 1002.223 Student online personal information protection.—
24 (1) This section may be cited as the “Student Online
25 Personal Information Protection Act.”
26 (2) As used in this section, the term:
27 (a) “Covered information” means personally identifiable
28 information or material, in any media or format, which is
29 descriptive of a student or otherwise identifies a student,
30 including, but not limited to, information in the student’s
31 education record or e-mail, first and last name, home address,
32 telephone number, e-mail address, information that allows
33 physical or online contact, discipline records, test results,
34 special education data, juvenile dependency records, grades,
35 evaluations, criminal records, medical records, health records,
36 social security number, biometric information, disabilities,
37 socioeconomic information, food purchases, political
38 affiliations, religious information, text messages, documents,
39 student identifiers, search activity, photos, voice recordings,
40 or geolocation information, and which meets at least one of the
41 following:
42 1. Is created or provided to an operator by a student or
43 the student’s parent during the use of the operator’s website,
44 service, or application for K–12 school purposes;
45 2. Is created or provided to an operator by an employee or
46 agent of a K–12 school, a school district, or a local education
47 agency; or
48 3. Is gathered by an operator through the operation of a
49 website, a service, or an application described in paragraph
50 (c).
51 (b) “K–12 school purposes” means activities that
52 customarily take place at the direction of a K–12 school or
53 teacher or a school district, including, but not limited to,
54 instruction in the classroom or at home, administrative
55 activities, and collaboration between students, school
56 personnel, or parents, or are for the use and benefit of the
57 school.
58 (c) “Operator” means a person who operates a website;
59 online service, including a cloud computing service; online
60 application; or mobile application and who knows that the
61 website, service, or application is used primarily for K–12
62 school purposes and is designed and marketed for K–12 school
63 purposes.
64 (d) “Targeted advertising” means an advertisement that is
65 used based upon information, including covered information and
66 unique identifiers, which the operator has acquired through the
67 use of the operator’s website, service, or application described
68 in paragraph (c).
69 (3) An operator may not knowingly engage in the following
70 activities:
71 (a) Displaying targeted advertising on the operator’s
72 website, service, or application, or target advertising on any
73 other website, service, or application.
74 (b) Using information, including covered information and
75 unique identifiers, created or gathered by the operator’s
76 website, service, or application to amass a profile about a K–12
77 student, except in furtherance of K–12 school purposes.
78 (c) Selling covered information. This prohibition does not
79 apply to the purchase, merger, or other type of acquisition of
80 an operator by another entity if the operator or successor
81 entity continues to comply with the provisions of this section
82 with respect to previously acquired covered information.
83 (d) Disclosing covered information, unless the disclosure
84 is made:
85 1. In furtherance of the K–12 school purpose of the
86 website, service, or application, if the recipient of the
87 covered information does not further disclose the information,
88 unless the disclosure is made to allow or improve operability
89 and functionality within that student’s classroom or school and
90 complies with subsection (4);
91 2. To ensure legal and regulatory compliance;
92 3. To respond to or participate in a judicial process;
93 4. To protect the safety of users or others or the security
94 of the website, service, or application; or
95 5. To a service provider, if the operator contractually:
96 a. Prohibits the service provider from using covered
97 information for a purpose other than providing the contracted
98 service to, or on behalf of, the operator.
99 b. Prohibits the service provider from disclosing covered
100 information provided by the operator to subsequent third
101 parties.
102 c. Requires the service provider to implement and maintain
103 reasonable security procedures and practices as provided in
104 subsection (4).
105
106 This subsection does not prohibit an operator’s use of covered
107 information for maintaining, developing, supporting, improving,
108 or diagnosing the operator’s website, service, or application.
109 (4) An operator shall:
110 (a) Implement and maintain reasonable security procedures
111 and practices appropriate to the nature of the covered
112 information and protect that information from unauthorized
113 access, destruction, use, modification, or disclosure.
114 (b) Delete covered information if the school or school
115 district requests the deletion of such data under the control of
116 the school or school district.
117 (5) Notwithstanding paragraph (3)(d), an operator may
118 disclose covered information under the following circumstances
119 if he or she complies with the requirements in paragraphs
120 (3)(a), (b), and (c):
121 (a) If other provisions of state or federal law require the
122 operator to disclose the information and the operator complies
123 with the requirements of state and federal law in protecting and
124 disclosing that information;
125 (b) For legitimate research purposes, as required or
126 permitted by state or federal law, that are subject to the
127 restrictions under applicable state and federal law and are
128 under the direction of a school, school district, or state
129 department of education if the covered information is not used
130 for any purpose in the furtherance of advertising or to amass a
131 profile about a student for purposes other than K–12 school
132 purposes; or
133 (c) To a state or local education agency, including a
134 school or school district, for K–12 school purposes as permitted
135 by state or federal law.
136 (6) This section does not:
137 (a) Prohibit an operator from using de-identified covered
138 information to improve educational products within a website,
139 service, or application owned by the operator or to demonstrate
140 the effectiveness of the operator’s products or services,
141 including marketing.
142 (b) Prohibit an operator from sharing aggregated, de
143 identified covered information for the development or
144 improvement of educational websites, services, or applications.
145 (c) Prohibit an operator from marketing educational
146 products directly to parents if the marketing does not result
147 from the use of covered information obtained by the operator
148 through the provision of services under this section.
149 (d) Limit the authority of a law enforcement agency to
150 obtain any content or information from an operator as authorized
151 by law or pursuant to a court order.
152 (e) Limit the ability of an operator to use student data,
153 including covered information, for adaptive learning or
154 customized student learning purposes.
155 (f) Limit Internet service providers from providing
156 Internet connectivity to schools, students, and parents.
157 (g) Apply to general audience websites, general audience
158 online services, general audience online applications, or
159 general audience mobile applications, even if login credentials
160 created for an operator’s website, service, or application may
161 be used to access those general audience websites, services, or
162 applications.
163 (h) Impede the ability of a student to download, export, or
164 otherwise save or maintain his or her own created data or
165 documents.
166 (i) Impose a duty upon:
167 1. A provider of an electronic store, gateway, marketplace,
168 or other means of purchasing or downloading software or
169 applications to review or enforce compliance with this section
170 on the operators of the software or applications.
171 2. A provider of an interactive computer service, as that
172 term is defined in 47 U.S.C. s. 230, to review or enforce
173 compliance with this section by third-party content providers.
174 Section 2. This act shall take effect July 1, 2016.