Florida Senate - 2015                                     SB 480
       By Senator Braynon
       36-00367-15                                            2015480__
    1                        A bill to be entitled                      
    2         An act relating to student data privacy; creating s.
    3         1002.223, F.S.; providing a short title; defining the
    4         terms “covered information,” “K-12 school purposes,”
    5         “operator,” and “targeted advertising”; prohibiting an
    6         operator from displaying targeted advertising, using
    7         certain information to amass student profiles for
    8         certain purposes, or selling or disclosing covered
    9         information; providing exceptions; authorizing an
   10         operator to use covered information for specified
   11         actions; requiring an operator to maintain security
   12         procedures for the protection of covered information
   13         and to delete covered information under certain
   14         circumstances; authorizing an operator to disclose
   15         covered information under certain circumstances;
   16         specifying certain actions by operators, law
   17         enforcement agencies, service providers, and students
   18         which are not prohibited by the act; providing an
   19         effective date.
   21  Be It Enacted by the Legislature of the State of Florida:
   23         Section 1. Section 1002.223, Florida Statutes, is created
   24  to read:
   25         1002.223 Student online personal information protection.—
   26         (1) This section may be cited as the “Student Online
   27  Personal Information Protection Act.”
   28         (2) As used in this section, the term:
   29         (a) “Covered information” means personally identifiable
   30  information or material, in any media or format, which is
   31  descriptive of a student or otherwise identifies a student,
   32  including, but not limited to, information in the student’s
   33  education record or e-mail, first and last name, home address,
   34  telephone number, e-mail address, information that allows
   35  physical or online contact, discipline records, test results,
   36  special education data, juvenile dependency records, grades,
   37  evaluations, criminal records, medical records, health records,
   38  social security number, biometric information, disabilities,
   39  socioeconomic information, food purchases, political
   40  affiliations, religious information, text messages, documents,
   41  student identifiers, search activity, photos, voice recordings,
   42  or geolocation information, and which meets at least one of the
   43  following:
   44         1. Is created or provided to an operator by a student or
   45  the student’s parent during the use of the operator’s website,
   46  service, or application for K–12 school purposes;
   47         2. Is created or provided to an operator by an employee or
   48  agent of a K–12 school, a school district, or a local education
   49  agency; or
   50         3. Is gathered by an operator through the operation of a
   51  website, service, or application described in paragraph (c).
   52         (b) “K–12 school purposes” means activities that
   53  customarily take place at the direction of a K–12 school or
   54  teacher or a school district, including, but not limited to,
   55  instruction in the classroom or at home, administrative
   56  activities, and collaboration between students, school
   57  personnel, or parents, or are for the use and benefit of the
   58  school.
   59         (c) “Operator” means a person who operates a website;
   60  online service, including a cloud computing service; online
   61  application; or mobile application and who knows that the
   62  website, service, or application is used primarily for K–12
   63  school purposes and is designed and marketed for K–12 school
   64  purposes.
   65         (d) “Targeted advertising” means an advertisement that is
   66  used based upon information, including covered information and
   67  unique identifiers, which the operator has acquired through the
   68  use of the operator’s website, service, or application described
   69  in paragraph (c).
   70         (3) An operator may not knowingly engage in the following
   71  activities:
   72         (a) Displaying targeted advertising on the operator’s
   73  website, service, or application, or target advertising on any
   74  other website, service, or application.
   75         (b) Using information, including covered information and
   76  unique identifiers, created or gathered by the operator’s
   77  website, service, or application to amass a profile about a K–12
   78  student, except in furtherance of K–12 school purposes.
   79         (c) Selling covered information. This prohibition does not
   80  apply to the purchase, merger, or other type of acquisition of
   81  an operator by another entity if the operator or successor
   82  entity continues to comply with the provisions of this section
   83  with respect to previously acquired covered information.
   84         (d) Disclosing covered information, unless the disclosure
   85  is made:
   86         1. In furtherance of the K–12 school purpose of the
   87  website, service, or application, if the recipient of the
   88  covered information does not further disclose the information,
   89  unless the disclosure is made to allow or improve operability
   90  and functionality within that student’s classroom or school and
   91  complies with subsection (4);
   92         2. To ensure legal and regulatory compliance;
   93         3. To respond to or participate in a judicial process;
   94         4. To protect the safety of users or others or the security
   95  of the website, service, or application; or
   96         5. To a service provider, if the operator contractually:
   97         a. Prohibits the service provider from using covered
   98  information for a purpose other than providing the contracted
   99  service to, or on behalf of, the operator.
  100         b. Prohibits the service provider from disclosing covered
  101  information provided by the operator to subsequent third
  102  parties.
  103         c. Requires the service provider to implement and maintain
  104  reasonable security procedures and practices as provided in
  105  subsection (4).
  107  This subsection does not prohibit an operator’s use of covered
  108  information for maintaining, developing, supporting, improving,
  109  or diagnosing the operator’s website, service, or application.
  110         (4) An operator shall:
  111         (a) Implement and maintain reasonable security procedures
  112  and practices appropriate to the nature of the covered
  113  information and protect that information from unauthorized
  114  access, destruction, use, modification, or disclosure.
  115         (b) Delete covered information if the school or school
  116  district requests the deletion of such data under the control of
  117  the school or school district.
  118         (5) Notwithstanding paragraph (3)(d), an operator may
  119  disclose covered information under the following circumstances
  120  if he or she complies with the requirements in paragraphs
  121  (3)(a)-(c):
  122         (a) If other provisions of state or federal law require the
  123  operator to disclose the information and the operator complies
  124  with the requirements of state and federal law in protecting and
  125  disclosing that information;
  126         (b) For legitimate research purposes, as required or
  127  permitted by state or federal law, that are subject to the
  128  restrictions under applicable state and federal law and are
  129  under the direction of a school, school district, or state
  130  department of education if the covered information is not used
  131  for any purpose in the furtherance of advertising or to amass a
  132  profile about a student for purposes other than K–12 school
  133  purposes; or
  134         (c) To a state or local education agency, including a
  135  school or school district, for K–12 school purposes as permitted
  136  by state or federal law.
  137         (6) This section does not:
  138         (a) Prohibit an operator from using deidentified covered
  139  information to improve educational products within a website,
  140  service, or application owned by the operator or to demonstrate
  141  the effectiveness of the operator’s products or services,
  142  including marketing.
  143         (b) Prohibit an operator from sharing aggregated
  144  deidentified covered information for the development or
  145  improvement of educational websites, services, or applications.
  146         (c) Prohibit an operator from marketing educational
  147  products directly to parents if the marketing does not result
  148  from the use of covered information obtained by the operator
  149  through the provision of services under this section.
  150         (d) Limit the authority of a law enforcement agency to
  151  obtain any content or information from an operator as authorized
  152  by law or pursuant to an order of a court of competent
  153  jurisdiction.
  154         (e) Limit the ability of an operator to use student data,
  155  including covered information, for adaptive learning or
  156  customized student learning purposes.
  157         (f) Limit Internet service providers from providing
  158  Internet connectivity to schools, students, and parents.
  159         (g) Apply to general audience websites, general audience
  160  online services, general audience online applications, or
  161  general audience mobile applications, even if login credentials
  162  created for an operator’s website, service, or application may
  163  be used to access those general audience websites, services, or
  164  applications.
  165         (h) Impede the ability of a student to download, export, or
  166  otherwise save or maintain his or her own created data or
  167  documents.
  168         (i) Impose a duty upon:
  169         1. A provider of an electronic store, gateway, marketplace,
  170  or other means of purchasing or downloading software or
  171  applications to review or enforce compliance with this section
  172  on the operators of the software or applications.
  173         2. A provider of an interactive computer service, as that
  174  term is defined in 47 U.S.C. s. 230, to review or enforce
  175  compliance with this section by third-party content providers.
  176         Section 2. This act shall take effect July 1, 2015.