ENROLLED 2023 Legislature SB 662, 2nd Engrossed 2023662er 1 2 An act relating to student online personal information 3 protection; providing a short title; creating s. 4 1006.1494, F.S.; defining terms; prohibiting operators 5 from knowingly engaging in specified activities 6 relating to students’ covered information; providing 7 an exception; specifying the duties of an operator; 8 providing circumstances under which an operator may 9 disclose students’ covered information; providing 10 construction; providing for enforcement under the 11 Florida Deceptive and Unfair Trade Practices Act; 12 providing that the Department of Legal Affairs is the 13 sole entity authorized to bring specified actions; 14 authorizing the State Board of Education to adopt 15 rules; providing an effective date. 16 17 Be It Enacted by the Legislature of the State of Florida: 18 19 Section 1. This act may be cited as the “Student Online 20 Personal Information Protection Act.” 21 Section 2. Section 1006.1494, Florida Statutes, is created 22 to read: 23 1006.1494 Student online personal information protection.— 24 (1) As used in this section, the term: 25 (a) “Covered information” means personal identifying 26 information or material of a student, or information linked to 27 personal identifying information or material of a student, in 28 any media or format that is not publicly available and is any of 29 the following: 30 1. Created by or provided to an operator by the student, or 31 the student’s parent or legal guardian, in the course of the 32 student’s, parent’s, or legal guardian’s use of the operator’s 33 site, service, or application for K–12 school purposes. 34 2. Created by or provided to an operator by an employee or 35 agent of a K-12 school or school district for K-12 school 36 purposes. 37 3. Gathered by an operator through the operation of its 38 site, service, or application for K-12 school purposes and 39 personally identifies a student, including, but not limited to, 40 information in the student’s educational record or electronic 41 mail, first and last name, home address, telephone number, 42 electronic mail address, or other information that allows 43 physical or online contact, discipline records, test results, 44 special education data, juvenile dependency records, grades, 45 evaluations, criminal records, medical records, health records, 46 social security number, biometric information, disabilities, 47 socioeconomic information, food purchases, political 48 affiliations, religious information, text messages, documents, 49 student identifiers, search activity, photos, voice recordings, 50 or geolocation information. 51 (b) “Interactive computer service” means any information 52 service, system, or access software provider that provides or 53 enables computer access by multiple users to a computer server, 54 including a service or system that provides access to the 55 Internet and such systems operated or services offered by 56 libraries or educational institutions. 57 (c) “K-12 school” has the same meaning as described in s. 58 1000.04(2). 59 (d) “K–12 school purposes” means purposes directed by or 60 that customarily take place at the direction of a K-12 school, 61 teacher, or school district or that aid in the administration of 62 school activities, including, but not limited to, instruction in 63 the classroom or at home, administrative activities, and 64 collaboration between students, school personnel, or parents, or 65 that are otherwise for the use and benefit of the school. 66 (e) “Operator” means, to the extent that it is operating in 67 this capacity, the operator of an Internet website, online 68 service, online application, or mobile application with actual 69 knowledge that the site, service, or application is used 70 primarily for K–12 school purposes, or the site, service, or 71 application was designed and marketed for K–12 school purposes. 72 (f) “School district” has the same meaning as in s. 73 595.402. 74 (g) “Targeted advertising” means presenting advertisements 75 to a student which are selected on the basis of information 76 obtained or inferred over time from that student’s online 77 behavior, usage of applications, or covered information. The 78 term does not include advertising to a student at an online 79 location based upon the student’s current visit to that 80 location, or advertising presented in response to a student’s 81 request for information or feedback, if the student’s online 82 activities or requests are not retained over time for the 83 purpose of targeting subsequent advertisements to that student. 84 (2) An operator may not knowingly do any of the following: 85 (a) Engage in targeted advertising on the operator’s site, 86 service, or application, or targeted advertising on any other 87 site, service, or application if the targeting of the 88 advertising is based on any information, including covered 89 information and persistent unique identifiers, which the 90 operator has acquired because of the use of that operator’s 91 site, service, or application for K-12 school purposes. 92 (b) Use covered information, including persistent unique 93 identifiers, created or gathered by the operator’s site, 94 service, or application to amass a profile of a student, except 95 in furtherance of K–12 school purposes. The term “amass a 96 profile” does not include the collection and retention of 97 account information that remains under the control of the 98 student or the student’s parent or guardian or K-12 school. 99 (c) Share, sell, or rent a student’s information, including 100 covered information. This paragraph does not apply to the 101 purchase, merger, or other acquisition of an operator by a third 102 party, if the third party complies with this section regarding 103 previously acquired student information, or to a national 104 assessment provider if the provider obtains the express written 105 consent of the parent or student, given in response to clear and 106 conspicuous notice, solely to provide access to employment, 107 educational scholarships or financial aid, or postsecondary 108 educational opportunities. 109 (d) Except as otherwise provided in subsection (4), 110 disclose covered information, unless the disclosure is made for 111 any of the following purposes: 112 1. In furtherance of the K–12 school purpose of the site, 113 service, or application, if the recipient of the covered 114 information disclosed under this subparagraph does not further 115 disclose the information. 116 2. Disclosure as required by state or federal law. 117 3. To comply with the order of a court or quasi-judicial 118 entity. 119 4. To protect the safety or integrity of users of the site 120 or others or the security of the site, service, or application. 121 5. For a school, educational, or employment purpose 122 requested by the student or the student’s parent or guardian, 123 provided that the information is not used or further disclosed 124 for any other purpose. 125 6. To a third party, if the operator contractually 126 prohibits the third party from using any covered information for 127 any purpose other than providing the contracted service to or on 128 behalf of the operator, prohibits the third party from 129 disclosing any covered information provided by the operator with 130 subsequent third parties, and requires the third party to 131 implement and maintain reasonable security procedures and 132 practices. An operator may not disclose covered information 133 relating to any contracted services provided in paragraph (a), 134 paragraph (b), or paragraph (c). 135 (3) An operator shall do all of the following: 136 (a) Collect no more covered information than is reasonably 137 necessary to operate an Internet website, online service, online 138 application, or mobile application with actual knowledge that 139 the site, service, or application is used primarily for K–12 140 school purposes, or the site, service, or application was 141 designed and marketed for K–12 school purposes. 142 (b) Implement and maintain reasonable security procedures 143 and practices appropriate to the nature of the covered 144 information which are designed to protect it from unauthorized 145 access, destruction, use, modification, or disclosure. 146 (c) Unless a parent or guardian expressly consents to the 147 operator retaining a student’s covered information, delete the 148 covered information at the conclusion of the course or 149 corresponding program and no later than 90 days after a student 150 is no longer enrolled in a school within the district, upon 151 notice by the school district. 152 (4) An operator may use or disclose covered information of 153 a student under any of the following circumstances: 154 (a) If federal or state law requires the operator to 155 disclose the information, and the operator complies with federal 156 or state law, as applicable, in protecting and disclosing that 157 information. 158 (b) If the covered information is disclosed to a state 159 educational agency or the student’s local educational agency for 160 K-12 school purposes, as allowed under state or federal law. 161 (c) If the covered information is disclosed to a state or 162 local educational agency, including K-12 schools and school 163 districts, for K–12 school purposes, as allowed under state or 164 federal law. 165 (5) This section does not prohibit an operator from doing 166 any of the following: 167 (a) Using covered information to improve educational 168 products, if that information is not associated with an 169 identified student within the operator’s site, service, or 170 application, or other sites, services, or applications owned by 171 the operator. 172 (b) Using covered information that is not associated with 173 an identified student to demonstrate the effectiveness of the 174 operator’s products or services, including use in their 175 marketing. 176 (c) Sharing covered information that is not associated with 177 an identified student for the development and improvement of 178 educational sites, services, or applications. 179 (d) Using recommendation engines to recommend to a student 180 any of the following: 181 1. Additional content relating to an educational, an 182 employment, or any other learning opportunity purpose within an 183 online site, service, or application, if the recommendation is 184 not determined in whole or in part by payment or other 185 consideration from a third party. 186 2. Additional services relating to an educational, an 187 employment, or any other learning opportunity purpose within an 188 online site, service, or application, if the recommendation is 189 not determined in whole or in part by payment or other 190 consideration from a third party. 191 (e) Responding to a student’s request for information or 192 feedback without the information or response being determined in 193 whole or in part by payment or other consideration from a third 194 party. 195 (6) This section does not do any of the following: 196 (a) Limit the authority of a law enforcement agency to 197 obtain any content or information from an operator as authorized 198 by law or under a court order. 199 (b) Limit the ability of an operator to use student data, 200 including covered information, for adaptive learning or 201 customized student learning purposes. 202 (c) Apply to general audience Internet websites, general 203 audience online services, general audience online applications, 204 or general audience mobile applications, even if login 205 credentials created for an operator’s site, service, or 206 application may be used to access those general audience sites, 207 services, or applications. 208 (d) Limit service providers from providing Internet 209 connectivity to schools or students and their families. 210 (e) Prohibit an operator of an Internet website, online 211 service, online application, or mobile application from 212 marketing educational products directly to parents, if such 213 marketing did not result from the use of covered information 214 obtained by the operator through the provision of services 215 covered under this section. 216 (f) Impose a duty upon a provider of an electronic store, 217 gateway, marketplace, or other means of purchasing or 218 downloading software or applications to review or enforce 219 compliance with this section on such software or applications. 220 (g) Impose a duty upon a provider of an interactive 221 computer service to review or enforce compliance with this 222 section by third-party content providers. 223 (h) Prohibit students from downloading, exporting, 224 transferring, saving, or maintaining their own student data or 225 documents. 226 (i) Limit the retention of covered information by an 227 operator for the purposes of assessments and college and career 228 planning in accordance with general law. 229 (7) Any violation of this section is a deceptive and unfair 230 trade practice and constitutes a violation of the Florida 231 Deceptive and Unfair Trade Practices Act, part II of chapter 232 501. Notwithstanding the provisions of part II of chapter 501, 233 the Department of Legal Affairs is the sole entity authorized to 234 bring an enforcement action against an entity that violates this 235 section. 236 237 The State Board of Education may adopt rules to implement this 238 section. 239 Section 3. This act shall take effect July 1, 2023.