SB 662 First Engrossed
2023662e1
1 A bill to be entitled
2 An act relating to student online personal information
3 protection; providing a short title; creating s.
4 1006.1494, F.S.; defining terms; prohibiting operators
5 from knowingly engaging in specified activities
6 relating to students’ covered information; providing
7 an exception; specifying the duties of an operator;
8 providing circumstances under which an operator may
9 disclose students’ covered information; providing
10 construction; providing for enforcement under the
11 Florida Deceptive and Unfair Trade Practices Act;
12 authorizing the State Board of Education to adopt
13 rules; providing an effective date.
14
15 Be It Enacted by the Legislature of the State of Florida:
16
17 Section 1. This act may be cited as the “Student Online
18 Personal Information Protection Act.”
19 Section 2. Section 1006.1494, Florida Statutes, is created
20 to read:
21 1006.1494 Student online personal information protection.—
22 (1) As used in this section, the term:
23 (a) “Covered information” means personal identifying
24 information or material of a student, or information linked to
25 personal identifying information or material of a student, in
26 any media or format that is not publicly available and is any of
27 the following:
28 1. Created by or provided to an operator by the student, or
29 the student’s parent or legal guardian, in the course of the
30 student’s, parent’s, or legal guardian’s use of the operator’s
31 site, service, or application for K–12 school purposes.
32 2. Created by or provided to an operator by an employee or
33 agent of a K-12 school or school district for K-12 school
34 purposes.
35 3. Gathered by an operator through the operation of its
36 site, service, or application for K-12 school purposes and
37 personally identifies a student, including, but not limited to,
38 information in the student’s educational record or electronic
39 mail, first and last name, home address, telephone number,
40 electronic mail address, or other information that allows
41 physical or online contact, discipline records, test results,
42 special education data, juvenile dependency records, grades,
43 evaluations, criminal records, medical records, health records,
44 social security number, biometric information, disabilities,
45 socioeconomic information, food purchases, political
46 affiliations, religious information, text messages, documents,
47 student identifiers, search activity, photos, voice recordings,
48 or geolocation information.
49 (b) “Interactive computer service” means any information
50 service, system, or access software provider that provides or
51 enables computer access by multiple users to a computer server,
52 including a service or system that provides access to the
53 Internet and such systems operated or services offered by
54 libraries or educational institutions.
55 (c) “K-12 school” has the same meaning as described in s.
56 1000.04(2).
57 (d) “K–12 school purposes” means purposes directed by or
58 that customarily take place at the direction of a K-12 school,
59 teacher, or school district or that aid in the administration of
60 school activities, including, but not limited to, instruction in
61 the classroom or at home, administrative activities, and
62 collaboration between students, school personnel, or parents, or
63 that are otherwise for the use and benefit of the school.
64 (e) “Operator” means, to the extent that it is operating in
65 this capacity, the operator of an Internet website, online
66 service, online application, or mobile application with actual
67 knowledge that the site, service, or application is used
68 primarily for K–12 school purposes, or the site, service, or
69 application was designed and marketed for K–12 school purposes.
70 (f) “School district” has the same meaning as in s.
71 595.402.
72 (g) “Targeted advertising” means presenting advertisements
73 to a student which are selected on the basis of information
74 obtained or inferred over time from that student’s online
75 behavior, usage of applications, or covered information. The
76 term does not include advertising to a student at an online
77 location based upon the student’s current visit to that
78 location, or advertising presented in response to a student’s
79 request for information or feedback, if the student’s online
80 activities or requests are not retained over time for the
81 purpose of targeting subsequent advertisements to that student.
82 (2) An operator may not knowingly do any of the following:
83 (a) Engage in targeted advertising on the operator’s site,
84 service, or application, or targeted advertising on any other
85 site, service, or application if the targeting of the
86 advertising is based on any information, including covered
87 information and persistent unique identifiers, which the
88 operator has acquired because of the use of that operator’s
89 site, service, or application for K-12 school purposes.
90 (b) Use covered information, including persistent unique
91 identifiers, created or gathered by the operator’s site,
92 service, or application to amass a profile of a student, except
93 in furtherance of K–12 school purposes. The term “amass a
94 profile” does not include the collection and retention of
95 account information that remains under the control of the
96 student or the student’s parent or guardian or K-12 school.
97 (c) Share, sell, or rent a student’s information, including
98 covered information. This paragraph does not apply to the
99 purchase, merger, or other acquisition of an operator by a third
100 party, if the third party complies with this section regarding
101 previously acquired student information, or to a national
102 assessment provider if the provider obtains the express written
103 consent of the parent or student, given in response to clear and
104 conspicuous notice, solely to provide access to employment,
105 educational scholarships or financial aid, or postsecondary
106 educational opportunities.
107 (d) Except as otherwise provided in subsection (4),
108 disclose covered information, unless the disclosure is made for
109 any of the following purposes:
110 1. In furtherance of the K–12 school purpose of the site,
111 service, or application, if the recipient of the covered
112 information disclosed under this subparagraph does not further
113 disclose the information.
114 2. Disclosure as required by state or federal law.
115 3. To comply with the order of a court or quasi-judicial
116 entity.
117 4. To protect the safety or integrity of users of the site
118 or others or the security of the site, service, or application.
119 5. For a school, educational, or employment purpose
120 requested by the student or the student’s parent or guardian,
121 provided that the information is not used or further disclosed
122 for any other purpose.
123 6. To a third party, if the operator contractually
124 prohibits the third party from using any covered information for
125 any purpose other than providing the contracted service to or on
126 behalf of the operator, prohibits the third party from
127 disclosing any covered information provided by the operator with
128 subsequent third parties, and requires the third party to
129 implement and maintain reasonable security procedures and
130 practices. An operator may not disclose covered information
131 relating to any contracted services provided in paragraph (a),
132 paragraph (b), or paragraph (c).
133 (3) An operator shall do all of the following:
134 (a) Collect no more covered information than is reasonably
135 necessary to operate an Internet website, online service, online
136 application, or mobile application with actual knowledge that
137 the site, service, or application is used primarily for K–12
138 school purposes, or the site, service, or application was
139 designed and marketed for K–12 school purposes.
140 (b) Implement and maintain reasonable security procedures
141 and practices appropriate to the nature of the covered
142 information which are designed to protect it from unauthorized
143 access, destruction, use, modification, or disclosure.
144 (c) Unless a parent or guardian expressly consents to the
145 operator retaining a student’s covered information, delete the
146 covered information at the conclusion of the course or
147 corresponding program and no later than 90 days after a student
148 is no longer enrolled in a school within the district.
149 (4) An operator may use or disclose covered information of
150 a student under any of the following circumstances:
151 (a) If federal or state law requires the operator to
152 disclose the information, and the operator complies with federal
153 or state law, as applicable, in protecting and disclosing that
154 information.
155 (b) If the covered information is disclosed to a state
156 educational agency or the student’s local educational agency for
157 K-12 school purposes, as allowed under state or federal law.
158 (c) If the covered information is disclosed to a state or
159 local educational agency, including K-12 schools and school
160 districts, for K–12 school purposes, as allowed under state or
161 federal law.
162 (5) This section does not prohibit an operator from doing
163 any of the following:
164 (a) Using covered information to improve educational
165 products, if that information is not associated with an
166 identified student within the operator’s site, service, or
167 application, or other sites, services, or applications owned by
168 the operator.
169 (b) Using covered information that is not associated with
170 an identified student to demonstrate the effectiveness of the
171 operator’s products or services, including use in their
172 marketing.
173 (c) Sharing covered information that is not associated with
174 an identified student for the development and improvement of
175 educational sites, services, or applications.
176 (d) Using recommendation engines to recommend to a student
177 any of the following:
178 1. Additional content relating to an educational, an
179 employment, or any other learning opportunity purpose within an
180 online site, service, or application, if the recommendation is
181 not determined in whole or in part by payment or other
182 consideration from a third party.
183 2. Additional services relating to an educational, an
184 employment, or any other learning opportunity purpose within an
185 online site, service, or application, if the recommendation is
186 not determined in whole or in part by payment or other
187 consideration from a third party.
188 (e) Responding to a student’s request for information or
189 feedback without the information or response being determined in
190 whole or in part by payment or other consideration from a third
191 party.
192 (6) This section does not do any of the following:
193 (a) Limit the authority of a law enforcement agency to
194 obtain any content or information from an operator as authorized
195 by law or under a court order.
196 (b) Limit the ability of an operator to use student data,
197 including covered information, for adaptive learning or
198 customized student learning purposes.
199 (c) Apply to general audience Internet websites, general
200 audience online services, general audience online applications,
201 or general audience mobile applications, even if login
202 credentials created for an operator’s site, service, or
203 application may be used to access those general audience sites,
204 services, or applications.
205 (d) Limit service providers from providing Internet
206 connectivity to schools or students and their families.
207 (e) Prohibit an operator of an Internet website, online
208 service, online application, or mobile application from
209 marketing educational products directly to parents, if such
210 marketing did not result from the use of covered information
211 obtained by the operator through the provision of services
212 covered under this section.
213 (f) Impose a duty upon a provider of an electronic store,
214 gateway, marketplace, or other means of purchasing or
215 downloading software or applications to review or enforce
216 compliance with this section on such software or applications.
217 (g) Impose a duty upon a provider of an interactive
218 computer service to review or enforce compliance with this
219 section by third-party content providers.
220 (h) Prohibit students from downloading, exporting,
221 transferring, saving, or maintaining their own student data or
222 documents.
223 (7) Any violation of this section is a deceptive and unfair
224 trade practice and constitutes a violation of the Florida
225 Deceptive and Unfair Trade Practices Act, part II of chapter
226 501.
227
228 The State Board of Education may adopt rules to implement this
229 section.
230 Section 3. This act shall take effect July 1, 2023.