Florida Senate - 2016 SB 1146
By Senator Montford
3-00149-16 20161146__

A bill to be entitled
An act relating to student data privacy; creating s. 1002.223, F.S.; providing a short title; defining terms; prohibiting an operator from displaying targeted advertising, using certain information to amass student profiles for certain purposes, or selling or disclosing covered information; providing exceptions; authorizing an operator to use covered information for specified actions; requiring an operator to maintain security procedures for the protection of covered information and to delete covered information under certain circumstances; authorizing an operator to disclose covered information under certain circumstances; providing that certain actions by operators, law enforcement agencies, service providers, and students are not prohibited; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 1002.223, Florida Statutes, is created to read:
1002.223 Student online personal information protection.—
(1) This section may be cited as the “Student Online Personal Information Protection Act.”
(2) As used in this section, the term:
  (a) “Covered information” means personally identifiable information or material, in any media or format, which is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s education record or e-mail, first and last name, home address, telephone number, e-mail address, information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information, and which meets at least one of the following:
    1. Is created or provided to an operator by a student or the student’s parent during the use of the operator’s website, service, or application for K–12 school purposes;
    2. Is created or provided to an operator by an employee or agent of a K–12 school, a school district, or a local education agency; or
    3. Is gathered by an operator through the operation of a website, a service, or an application described in paragraph (c).
  (b) “K–12 school purposes” means activities that customarily take place at the direction of a K–12 school or teacher or a school district, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.
  (c) “Operator” means a person who operates a website; online service, including a cloud computing service; online application; or mobile application and who knows that the website, service, or application is used primarily for K–12 school purposes and is designed and marketed for K–12 school purposes.
  (d) “Targeted advertising” means an advertisement that is used based upon information, including covered information and unique identifiers, which the operator has acquired through the use of the operator’s website, service, or application described in paragraph (c).
(3) An operator may not knowingly engage in the following activities:
  (a) Displaying targeted advertising on the operator’s website, service, or application, or target advertising on any other website, service, or application.
  (b) Using information, including covered information and unique identifiers, created or gathered by the operator’s website, service, or application to amass a profile about a K–12 student, except in furtherance of K–12 school purposes.
  (c) Selling covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to comply with the provisions of this section with respect to previously acquired covered information.
  (d) Disclosing covered information, unless the disclosure is made:
    1. In furtherance of the K–12 school purpose of the website, service, or application, if the recipient of the covered information does not further disclose the information, unless the disclosure is made to allow or improve operability and functionality within that student’s classroom or school and complies with subsection (4);
    2. To ensure legal and regulatory compliance;
    3. To respond to or participate in a judicial process;
    4. To protect the safety of users or others or the security of the website, service, or application; or
    5. To a service provider, if the operator contractually:
      a. Prohibits the service provider from using covered information for a purpose other than providing the contracted service to, or on behalf of, the operator.
      b. Prohibits the service provider from disclosing covered information provided by the operator to subsequent third parties.
      c. Requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection (4).

This subsection does not prohibit an operator’s use of covered information for maintaining, developing, supporting, improving, or diagnosing the operator’s website, service, or application.
(4) An operator shall:
  (a) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and protect that information from unauthorized access, destruction, use, modification, or disclosure.
  (b) Delete covered information if the school or school district requests the deletion of such data under the control of the school or school district.
(5) Notwithstanding paragraph (3)(d), an operator may disclose covered information under the following circumstances if he or she complies with the requirements in paragraphs (3)(a), (b), and (c):
  (a) If other provisions of state or federal law require the operator to disclose the information and the operator complies with the requirements of state and federal law in protecting and disclosing that information;
  (b) For legitimate research purposes, as required or permitted by state or federal law, that are subject to the restrictions under applicable state and federal law and are under the direction of a school, school district, or state department of education if the covered information is not used for any purpose in the furtherance of advertising or to amass a profile about a student for purposes other than K–12 school purposes; or
  (c) To a state or local education agency, including a school or school district, for K–12 school purposes as permitted by state or federal law.
(6) This section does not:
  (a) Prohibit an operator from using de-identified covered information to improve educational products within a website, service, or application owned by the operator or to demonstrate the effectiveness of the operator’s products or services, including marketing.
  (b) Prohibit an operator from sharing aggregated, de-identified covered information for the development or improvement of educational websites, services, or applications.
  (c) Prohibit an operator from marketing educational products directly to parents if the marketing does not result from the use of covered information obtained by the operator through the provision of services under this section.
  (d) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to a court order.
  (e) Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.
  (f) Limit Internet service providers from providing Internet connectivity to schools, students, and parents.
  (g) Apply to general audience websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s website, service, or application may be used to access those general audience websites, services, or applications.
  (h) Impede the ability of a student to download, export, or otherwise save or maintain his or her own created data or documents.
  (i) Impose a duty upon:
    1. A provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on the operators of the software or applications.
    2. A provider of an interactive computer service, as that term is defined in 47 U.S.C. s. 230, to review or enforce compliance with this section by third-party content providers.
Section 2. This act shall take effect July 1, 2016.