Florida Senate - 2023 SB 662
By Senator Bradley
6-00348A-23 2023662__
1 A bill to be entitled
2 An act relating to student online personal information
3 protection; providing a short title; creating s.
4 1006.1494, F.S.; defining terms; prohibiting operators
5 from knowingly engaging in specified activities
6 relating to students’ covered information; providing
7 an exception; specifying the duties of an operator;
8 providing circumstances under which an operator may
9 disclose students’ covered information; providing
10 construction; providing an effective date.
11
12 Be It Enacted by the Legislature of the State of Florida:
13
14 Section 1. This act may be cited as the “Student Online
15 Personal Information Protection Act.”
16 Section 2. Section 1006.1494, Florida Statutes, is created
17 to read:
18 1006.1494 Student online personal information protection.—
19 (1) As used in this section, the term:
20 (a) “Covered information” means personal identifying
21 information or material of a student, or information linked to
22 personal identifying information or material of a student, in
23 any media or format that is not publicly available and is any of
24 the following:
25 1. Created by or provided to an operator by the student, or
26 the student’s parent or legal guardian, in the course of the
27 student’s, parent’s, or legal guardian’s use of the operator’s
28 site, service, or application for K–12 school purposes.
29 2. Created by or provided to an operator by an employee or
30 agent of a K-12 school or school district for K-12 school
31 purposes.
32 3. Gathered by an operator through the operation of its
33 site, service, or application for K-12 school purposes and
34 personally identifies a student, including, but not limited to,
35 information in the student’s educational record or electronic
36 mail, first and last name, home address, telephone number,
37 electronic mail address, or other information that allows
38 physical or online contact, discipline records, test results,
39 special education data, juvenile dependency records, grades,
40 evaluations, criminal records, medical records, health records,
41 social security number, biometric information, disabilities,
42 socioeconomic information, food purchases, political
43 affiliations, religious information, text messages, documents,
44 student identifiers, search activity, photos, voice recordings,
45 or geolocation information.
46 (b) “Interactive computer service” means any information
47 service, system, or access software provider that provides or
48 enables computer access by multiple users to a computer server,
49 including a service or system that provides access to the
50 Internet and such systems operated or services offered by
51 libraries or educational institutions.
52 (c) “K-12 school” has the same meaning as described in s.
53 1000.04(2).
54 (d) “K–12 school purposes” means purposes directed by or
55 that customarily take place at the direction of a K-12 school,
56 teacher, or school district or that aid in the administration of
57 school activities, including, but not limited to, instruction in
58 the classroom or at home, administrative activities, and
59 collaboration between students, school personnel, or parents, or
60 that are otherwise for the use and benefit of the school.
61 (e) “Operator” means, to the extent that it is operating in
62 this capacity, the operator of an Internet website, online
63 service, online application, or mobile application with actual
64 knowledge that the site, service, or application is used
65 primarily for K–12 school purposes and was designed and marketed
66 for K–12 school purposes.
67 (f) “School district” has the same meaning as in s.
68 595.402.
69 (g) “Targeted advertising” means presenting advertisements
70 to a student which are selected on the basis of information
71 obtained or inferred over time from that student’s online
72 behavior, usage of applications, or covered information. The
73 term does not include advertising to a student at an online
74 location based upon the student’s current visit to that
75 location, or advertising presented in response to a student’s
76 request for information or feedback, if the student’s online
77 activities or requests are not retained over time for the
78 purpose of targeting subsequent advertisements to that student.
79 (2) An operator may not knowingly do any of the following:
80 (a) Engage in targeted advertising on the operator’s site,
81 service, or application, or targeted advertising on any other
82 site, service, or application if the targeting of the
83 advertising is based on any information, including covered
84 information and persistent unique identifiers, which the
85 operator has acquired because of the use of that operator’s
86 site, service, or application for K-12 school purposes.
87 (b) Use information, including persistent unique
88 identifiers, created or gathered by the operator’s site,
89 service, or application to amass a profile of a student, except
90 in furtherance of K–12 school purposes. The term “amass a
91 profile” does not include the collection and retention of
92 account information that remains under the control of the
93 student or the student’s parent or guardian or K-12 school.
94 (c) Share, sell, or rent a student’s information, including
95 covered information. This paragraph does not apply to the
96 purchase, merger, or other acquisition of an operator by another
97 entity, if the operator or successor entity complies with this
98 section regarding previously acquired student information, or to
99 a national assessment provider if the provider obtains the
100 express written consent of the parent or student, given in
101 response to clear and conspicuous notice, solely to provide
102 access to employment, educational scholarships or financial aid,
103 or postsecondary educational opportunities.
104 (d) Except as otherwise provided in subsection (4),
105 disclose covered information, unless the disclosure is made for
106 any of the following purposes:
107 1. In furtherance of the K–12 school purpose of the site,
108 service, or application, if the recipient of the covered
109 information disclosed under this subparagraph does not further
110 disclose the information, unless such disclosure is made to
111 allow or improve operability and functionality of the operator’s
112 site, service, or application.
113 2. To ensure legal and regulatory compliance or protect
114 against liability.
115 3. To respond to or participate in the judicial process.
116 4. To protect the safety or integrity of users of the site
117 or others or the security of the site, service, or application.
118 5. For a school, educational, or employment purpose
119 requested by the student or the student’s parent or guardian,
120 provided that the information is not used or further disclosed
121 for any other purpose.
122 6. To a third party, if the operator contractually
123 prohibits the third party from using any covered information for
124 any purpose other than providing the contracted service to or on
125 behalf of the operator, prohibits the third party from
126 disclosing any covered information provided by the operator with
127 subsequent third parties, and requires the third party to
128 implement and maintain reasonable security procedures and
129 practices.
130 (e) This subsection does not prohibit an operator’s use of
131 information for maintaining, developing, supporting, improving,
132 or diagnosing the operator’s site, service, or application.
133 (3) An operator shall do all of the following:
134 (a) Collect no more covered information than is reasonably
135 necessary to operate an Internet website, online service, online
136 application, or mobile application with actual knowledge that
137 the site, service, or application is used primarily for K–12
138 school purposes and was designed and marketed for K–12 school
139 purposes.
140 (b) Implement and maintain reasonable security procedures
141 and practices appropriate to the nature of the covered
142 information which are designed to protect it from unauthorized
143 access, destruction, use, modification, or disclosure.
144 (c) Within a reasonable timeframe, delete a student’s
145 covered information if the K-12 school or school district
146 requests deletion of covered information under the control of
147 the K-12 school or school district, unless a student or a parent
148 or guardian consents to the maintenance of the covered
149 information.
150 (4) An operator may use or disclose covered information of
151 a student under any of the following circumstances:
152 (a) If federal or state law requires the operator to
153 disclose the information, and the operator complies with federal
154 or state law, as applicable, in protecting and disclosing that
155 information.
156 (b) If covered information is not used for advertising or
157 to amass a profile of the student for purposes other than K-12
158 school purposes, legitimate research purposes, as required by
159 state or federal law and subject to restrictions imposed
160 thereunder; or as allowed by state or federal law and in
161 furtherance of K–12 school purposes or postsecondary educational
162 purposes.
163 (c) If the covered information is disclosed to a state or
164 local educational agency, including K-12 schools and school
165 districts, for K–12 school purposes, as allowed under state or
166 federal law.
167 (5) This section does not prohibit an operator from doing
168 any of the following:
169 (a) Using covered information to improve educational
170 products, if that information is not associated with an
171 identified student within the operator’s site, service, or
172 application, or other sites, services, or applications owned by
173 the operator.
174 (b) Using covered information that is not associated with
175 an identified student to demonstrate the effectiveness of the
176 operator’s products or services, including use in their
177 marketing.
178 (c) Sharing covered information that is not associated with
179 an identified student for the development and improvement of
180 educational sites, services, or applications.
181 (d) Using recommendation engines to recommend to a student
182 any of the following:
183 1. Additional content relating to an educational, an
184 employment, or any other learning opportunity purpose within an
185 online site, service, or application, if the recommendation is
186 not determined in whole or in part by payment or other
187 consideration from a third party.
188 2. Additional services relating to an educational, an
189 employment, or any other learning opportunity purpose within an
190 online site, service, or application, if the recommendation is
191 not determined in whole or in part by payment or other
192 consideration from a third party.
193 (e) Responding to a student’s request for information or
194 feedback without the information or response being determined in
195 whole or in part by payment or other consideration from a third
196 party.
197 (6) This section does not do any of the following:
198 (a) Limit the authority of a law enforcement agency to
199 obtain any content or information from an operator as authorized
200 by law or under a court order.
201 (b) Limit the ability of an operator to use student data,
202 including covered information, for adaptive learning or
203 customized student learning purposes.
204 (c) Apply to general audience Internet websites, general
205 audience online services, general audience online applications,
206 or general audience mobile applications, even if login
207 credentials created for an operator’s site, service, or
208 application may be used to access those general audience sites,
209 services, or applications.
210 (d) Limit service providers from providing Internet
211 connectivity to schools or students and their families.
212 (e) Prohibit an operator of an Internet website, online
213 service, online application, or mobile application from
214 marketing educational products directly to parents, if such
215 marketing did not result from the use of covered information
216 obtained by the operator through the provision of services
217 covered under this section.
218 (f) Impose a duty upon a provider of an electronic store,
219 gateway, marketplace, or other means of purchasing or
220 downloading software or applications to review or enforce
221 compliance with this section on such software or applications.
222 (g) Impose a duty upon a provider of an interactive
223 computer service to review or enforce compliance with this
224 section by third-party content providers.
225 (h) Prohibit students from downloading, exporting,
226 transferring, saving, or maintaining their own student data or
227 documents.
228 Section 3. This act shall take effect July 1, 2023.