ENROLLED
       2023 Legislature                           SB 662, 2nd Engrossed
       
       
       
       
       
       
                                                              2023662er
    1  
    2         An act relating to student online personal information
    3         protection; providing a short title; creating s.
    4         1006.1494, F.S.; defining terms; prohibiting operators
    5         from knowingly engaging in specified activities
    6         relating to students’ covered information; providing
    7         an exception; specifying the duties of an operator;
    8         providing circumstances under which an operator may
    9         disclose students’ covered information; providing
   10         construction; providing for enforcement under the
   11         Florida Deceptive and Unfair Trade Practices Act;
   12         providing that the Department of Legal Affairs is the
   13         sole entity authorized to bring specified actions;
   14         authorizing the State Board of Education to adopt
   15         rules; providing an effective date.
   16          
   17  Be It Enacted by the Legislature of the State of Florida:
   18  
   19         Section 1. This act may be cited as the “Student Online
   20  Personal Information Protection Act.”
   21         Section 2. Section 1006.1494, Florida Statutes, is created
   22  to read:
   23         1006.1494 Student online personal information protection.—
   24         (1) As used in this section, the term:
   25         (a) “Covered information” means personal identifying
   26  information or material of a student, or information linked to
   27  personal identifying information or material of a student, in
   28  any media or format that is not publicly available and is any of
   29  the following:
   30         1. Created by or provided to an operator by the student, or
   31  the student’s parent or legal guardian, in the course of the
   32  student’s, parent’s, or legal guardian’s use of the operator’s
   33  site, service, or application for K–12 school purposes.
   34         2. Created by or provided to an operator by an employee or
   35  agent of a K-12 school or school district for K-12 school
   36  purposes.
   37         3. Gathered by an operator through the operation of its
   38  site, service, or application for K-12 school purposes and
   39  personally identifies a student, including, but not limited to,
   40  information in the student’s educational record or electronic
   41  mail, first and last name, home address, telephone number,
   42  electronic mail address, or other information that allows
   43  physical or online contact, discipline records, test results,
   44  special education data, juvenile dependency records, grades,
   45  evaluations, criminal records, medical records, health records,
   46  social security number, biometric information, disabilities,
   47  socioeconomic information, food purchases, political
   48  affiliations, religious information, text messages, documents,
   49  student identifiers, search activity, photos, voice recordings,
   50  or geolocation information.
   51         (b) “Interactive computer service” means any information
   52  service, system, or access software provider that provides or
   53  enables computer access by multiple users to a computer server,
   54  including a service or system that provides access to the
   55  Internet and such systems operated or services offered by
   56  libraries or educational institutions.
   57         (c)“K-12 school” has the same meaning as described in s.
   58  1000.04(2).
   59         (d) “K–12 school purposes” means purposes directed by or
   60  that customarily take place at the direction of a K-12 school,
   61  teacher, or school district or that aid in the administration of
   62  school activities, including, but not limited to, instruction in
   63  the classroom or at home, administrative activities, and
   64  collaboration between students, school personnel, or parents, or
   65  that are otherwise for the use and benefit of the school.
   66         (e) “Operator” means, to the extent that it is operating in
   67  this capacity, the operator of an Internet website, online
   68  service, online application, or mobile application with actual
   69  knowledge that the site, service, or application is used
   70  primarily for K–12 school purposes, or the site, service, or
   71  application was designed and marketed for K–12 school purposes.
   72         (f) School district has the same meaning as in s.
   73  595.402.
   74         (g) “Targeted advertising” means presenting advertisements
   75  to a student which are selected on the basis of information
   76  obtained or inferred over time from that student’s online
   77  behavior, usage of applications, or covered information. The
   78  term does not include advertising to a student at an online
   79  location based upon the student’s current visit to that
   80  location, or advertising presented in response to a student’s
   81  request for information or feedback, if the student’s online
   82  activities or requests are not retained over time for the
   83  purpose of targeting subsequent advertisements to that student.
   84         (2) An operator may not knowingly do any of the following:
   85         (a) Engage in targeted advertising on the operator’s site,
   86  service, or application, or targeted advertising on any other
   87  site, service, or application if the targeting of the
   88  advertising is based on any information, including covered
   89  information and persistent unique identifiers, which the
   90  operator has acquired because of the use of that operator’s
   91  site, service, or application for K-12 school purposes.
   92         (b) Use covered information, including persistent unique
   93  identifiers, created or gathered by the operator’s site,
   94  service, or application to amass a profile of a student, except
   95  in furtherance of K–12 school purposes. The term amass a
   96  profile” does not include the collection and retention of
   97  account information that remains under the control of the
   98  student or the student’s parent or guardian or K-12 school.
   99         (c) Share, sell, or rent a student’s information, including
  100  covered information. This paragraph does not apply to the
  101  purchase, merger, or other acquisition of an operator by a third
  102  party, if the third party complies with this section regarding
  103  previously acquired student information, or to a national
  104  assessment provider if the provider obtains the express written
  105  consent of the parent or student, given in response to clear and
  106  conspicuous notice, solely to provide access to employment,
  107  educational scholarships or financial aid, or postsecondary
  108  educational opportunities.
  109         (d) Except as otherwise provided in subsection (4),
  110  disclose covered information, unless the disclosure is made for
  111  any of the following purposes:
  112         1. In furtherance of the K–12 school purpose of the site,
  113  service, or application, if the recipient of the covered
  114  information disclosed under this subparagraph does not further
  115  disclose the information.
  116         2. Disclosure as required by state or federal law.
  117         3. To comply with the order of a court or quasi-judicial
  118  entity.
  119         4. To protect the safety or integrity of users of the site
  120  or others or the security of the site, service, or application.
  121         5. For a school, educational, or employment purpose
  122  requested by the student or the student’s parent or guardian,
  123  provided that the information is not used or further disclosed
  124  for any other purpose.
  125         6. To a third party, if the operator contractually
  126  prohibits the third party from using any covered information for
  127  any purpose other than providing the contracted service to or on
  128  behalf of the operator, prohibits the third party from
  129  disclosing any covered information provided by the operator with
  130  subsequent third parties, and requires the third party to
  131  implement and maintain reasonable security procedures and
  132  practices. An operator may not disclose covered information
  133  relating to any contracted services provided in paragraph (a),
  134  paragraph (b), or paragraph (c).
  135         (3) An operator shall do all of the following:
  136         (a) Collect no more covered information than is reasonably
  137  necessary to operate an Internet website, online service, online
  138  application, or mobile application with actual knowledge that
  139  the site, service, or application is used primarily for K–12
  140  school purposes, or the site, service, or application was
  141  designed and marketed for K–12 school purposes.
  142         (b) Implement and maintain reasonable security procedures
  143  and practices appropriate to the nature of the covered
  144  information which are designed to protect it from unauthorized
  145  access, destruction, use, modification, or disclosure.
  146         (c)Unless a parent or guardian expressly consents to the
  147  operator retaining a student’s covered information, delete the
  148  covered information at the conclusion of the course or
  149  corresponding program and no later than 90 days after a student
  150  is no longer enrolled in a school within the district, upon
  151  notice by the school district.
  152         (4) An operator may use or disclose covered information of
  153  a student under any of the following circumstances:
  154         (a) If federal or state law requires the operator to
  155  disclose the information, and the operator complies with federal
  156  or state law, as applicable, in protecting and disclosing that
  157  information.
  158         (b) If the covered information is disclosed to a state
  159  educational agency or the student’s local educational agency for
  160  K-12 school purposes, as allowed under state or federal law.
  161         (c) If the covered information is disclosed to a state or
  162  local educational agency, including K-12 schools and school
  163  districts, for K–12 school purposes, as allowed under state or
  164  federal law.
  165         (5) This section does not prohibit an operator from doing
  166  any of the following:
  167         (a) Using covered information to improve educational
  168  products, if that information is not associated with an
  169  identified student within the operator’s site, service, or
  170  application, or other sites, services, or applications owned by
  171  the operator.
  172         (b) Using covered information that is not associated with
  173  an identified student to demonstrate the effectiveness of the
  174  operator’s products or services, including use in their
  175  marketing.
  176         (c) Sharing covered information that is not associated with
  177  an identified student for the development and improvement of
  178  educational sites, services, or applications.
  179         (d) Using recommendation engines to recommend to a student
  180  any of the following:
  181         1. Additional content relating to an educational, an
  182  employment, or any other learning opportunity purpose within an
  183  online site, service, or application, if the recommendation is
  184  not determined in whole or in part by payment or other
  185  consideration from a third party.
  186         2. Additional services relating to an educational, an
  187  employment, or any other learning opportunity purpose within an
  188  online site, service, or application, if the recommendation is
  189  not determined in whole or in part by payment or other
  190  consideration from a third party.
  191         (e) Responding to a student’s request for information or
  192  feedback without the information or response being determined in
  193  whole or in part by payment or other consideration from a third
  194  party.
  195         (6) This section does not do any of the following:
  196         (a) Limit the authority of a law enforcement agency to
  197  obtain any content or information from an operator as authorized
  198  by law or under a court order.
  199         (b) Limit the ability of an operator to use student data,
  200  including covered information, for adaptive learning or
  201  customized student learning purposes.
  202         (c) Apply to general audience Internet websites, general
  203  audience online services, general audience online applications,
  204  or general audience mobile applications, even if login
  205  credentials created for an operator’s site, service, or
  206  application may be used to access those general audience sites,
  207  services, or applications.
  208         (d) Limit service providers from providing Internet
  209  connectivity to schools or students and their families.
  210         (e) Prohibit an operator of an Internet website, online
  211  service, online application, or mobile application from
  212  marketing educational products directly to parents, if such
  213  marketing did not result from the use of covered information
  214  obtained by the operator through the provision of services
  215  covered under this section.
  216         (f) Impose a duty upon a provider of an electronic store,
  217  gateway, marketplace, or other means of purchasing or
  218  downloading software or applications to review or enforce
  219  compliance with this section on such software or applications.
  220         (g) Impose a duty upon a provider of an interactive
  221  computer service to review or enforce compliance with this
  222  section by third-party content providers.
  223         (h) Prohibit students from downloading, exporting,
  224  transferring, saving, or maintaining their own student data or
  225  documents.
  226         (i) Limit the retention of covered information by an
  227  operator for the purposes of assessments and college and career
  228  planning in accordance with general law.
  229         (7) Any violation of this section is a deceptive and unfair
  230  trade practice and constitutes a violation of the Florida
  231  Deceptive and Unfair Trade Practices Act, part II of chapter
  232  501. Notwithstanding the provisions of part II of chapter 501,
  233  the Department of Legal Affairs is the sole entity authorized to
  234  bring an enforcement action against an entity that violates this
  235  section.
  236  
  237  The State Board of Education may adopt rules to implement this
  238  section.
  239         Section 3. This act shall take effect July 1, 2023.