Florida Senate - 2016                                    SB 1146
       By Senator Montford
       3-00149-16                                            20161146__
    1                        A bill to be entitled                      
    2         An act relating to student data privacy; creating s.
    3         1002.223, F.S.; providing a short title; defining
    4         terms; prohibiting an operator from displaying
    5         targeted advertising, using certain information to
    6         amass student profiles for certain purposes, or
    7         selling or disclosing covered information; providing
    8         exceptions; authorizing an operator to use covered
    9         information for specified actions; requiring an
   10         operator to maintain security procedures for the
   11         protection of covered information and to delete
   12         covered information under certain circumstances;
   13         authorizing an operator to disclose covered
   14         information under certain circumstances; providing
   15         that certain actions by operators, law enforcement
   16         agencies, service providers, and students are not
   17         prohibited; providing an effective date.
   19  Be It Enacted by the Legislature of the State of Florida:
   21         Section 1. Section 1002.223, Florida Statutes, is created
   22  to read:
   23         1002.223 Student online personal information protection.—
   24         (1) This section may be cited as the “Student Online
   25  Personal Information Protection Act.”
   26         (2) As used in this section, the term:
   27         (a) “Covered information” means personally identifiable
   28  information or material, in any media or format, which is
   29  descriptive of a student or otherwise identifies a student,
   30  including, but not limited to, information in the student’s
   31  education record or e-mail, first and last name, home address,
   32  telephone number, e-mail address, information that allows
   33  physical or online contact, discipline records, test results,
   34  special education data, juvenile dependency records, grades,
   35  evaluations, criminal records, medical records, health records,
   36  social security number, biometric information, disabilities,
   37  socioeconomic information, food purchases, political
   38  affiliations, religious information, text messages, documents,
   39  student identifiers, search activity, photos, voice recordings,
   40  or geolocation information, and which meets at least one of the
   41  following:
   42         1. Is created or provided to an operator by a student or
   43  the student’s parent during the use of the operator’s website,
   44  service, or application for K–12 school purposes;
   45         2. Is created or provided to an operator by an employee or
   46  agent of a K–12 school, a school district, or a local education
   47  agency; or
   48         3. Is gathered by an operator through the operation of a
   49  website, a service, or an application described in paragraph
   50  (c).
   51         (b) “K–12 school purposes” means activities that
   52  customarily take place at the direction of a K–12 school or
   53  teacher or a school district, including, but not limited to,
   54  instruction in the classroom or at home, administrative
   55  activities, and collaboration between students, school
   56  personnel, or parents, or are for the use and benefit of the
   57  school.
   58         (c) “Operator” means a person who operates a website;
   59  online service, including a cloud computing service; online
   60  application; or mobile application and who knows that the
   61  website, service, or application is used primarily for K–12
   62  school purposes and is designed and marketed for K–12 school
   63  purposes.
   64         (d) “Targeted advertising” means an advertisement that is
   65  used based upon information, including covered information and
   66  unique identifiers, which the operator has acquired through the
   67  use of the operator’s website, service, or application described
   68  in paragraph (c).
   69         (3) An operator may not knowingly engage in the following
   70  activities:
   71         (a) Displaying targeted advertising on the operator’s
   72  website, service, or application, or target advertising on any
   73  other website, service, or application.
   74         (b) Using information, including covered information and
   75  unique identifiers, created or gathered by the operator’s
   76  website, service, or application to amass a profile about a K–12
   77  student, except in furtherance of K–12 school purposes.
   78         (c) Selling covered information. This prohibition does not
   79  apply to the purchase, merger, or other type of acquisition of
   80  an operator by another entity if the operator or successor
   81  entity continues to comply with the provisions of this section
   82  with respect to previously acquired covered information.
   83         (d) Disclosing covered information, unless the disclosure
   84  is made:
   85         1. In furtherance of the K–12 school purpose of the
   86  website, service, or application, if the recipient of the
   87  covered information does not further disclose the information,
   88  unless the disclosure is made to allow or improve operability
   89  and functionality within that student’s classroom or school and
   90  complies with subsection (4);
   91         2. To ensure legal and regulatory compliance;
   92         3. To respond to or participate in a judicial process;
   93         4. To protect the safety of users or others or the security
   94  of the website, service, or application; or
   95         5. To a service provider, if the operator contractually:
   96         a. Prohibits the service provider from using covered
   97  information for a purpose other than providing the contracted
   98  service to, or on behalf of, the operator.
   99         b. Prohibits the service provider from disclosing covered
  100  information provided by the operator to subsequent third
  101  parties.
  102         c. Requires the service provider to implement and maintain
  103  reasonable security procedures and practices as provided in
  104  subsection (4).
  106  This subsection does not prohibit an operator’s use of covered
  107  information for maintaining, developing, supporting, improving,
  108  or diagnosing the operator’s website, service, or application.
  109         (4) An operator shall:
  110         (a) Implement and maintain reasonable security procedures
  111  and practices appropriate to the nature of the covered
  112  information and protect that information from unauthorized
  113  access, destruction, use, modification, or disclosure.
  114         (b) Delete covered information if the school or school
  115  district requests the deletion of such data under the control of
  116  the school or school district.
  117         (5) Notwithstanding paragraph (3)(d), an operator may
  118  disclose covered information under the following circumstances
  119  if he or she complies with the requirements in paragraphs
  120  (3)(a), (b), and (c):
  121         (a) If other provisions of state or federal law require the
  122  operator to disclose the information and the operator complies
  123  with the requirements of state and federal law in protecting and
  124  disclosing that information;
  125         (b) For legitimate research purposes, as required or
  126  permitted by state or federal law, that are subject to the
  127  restrictions under applicable state and federal law and are
  128  under the direction of a school, school district, or state
  129  department of education if the covered information is not used
  130  for any purpose in the furtherance of advertising or to amass a
  131  profile about a student for purposes other than K–12 school
  132  purposes; or
  133         (c) To a state or local education agency, including a
  134  school or school district, for K–12 school purposes as permitted
  135  by state or federal law.
  136         (6) This section does not:
  137         (a) Prohibit an operator from using de-identified covered
  138  information to improve educational products within a website,
  139  service, or application owned by the operator or to demonstrate
  140  the effectiveness of the operator’s products or services,
  141  including marketing.
  142         (b) Prohibit an operator from sharing aggregated, de
  143  identified covered information for the development or
  144  improvement of educational websites, services, or applications.
  145         (c) Prohibit an operator from marketing educational
  146  products directly to parents if the marketing does not result
  147  from the use of covered information obtained by the operator
  148  through the provision of services under this section.
  149         (d) Limit the authority of a law enforcement agency to
  150  obtain any content or information from an operator as authorized
  151  by law or pursuant to a court order.
  152         (e) Limit the ability of an operator to use student data,
  153  including covered information, for adaptive learning or
  154  customized student learning purposes.
  155         (f) Limit Internet service providers from providing
  156  Internet connectivity to schools, students, and parents.
  157         (g) Apply to general audience websites, general audience
  158  online services, general audience online applications, or
  159  general audience mobile applications, even if login credentials
  160  created for an operator’s website, service, or application may
  161  be used to access those general audience websites, services, or
  162  applications.
  163         (h) Impede the ability of a student to download, export, or
  164  otherwise save or maintain his or her own created data or
  165  documents.
  166         (i) Impose a duty upon:
  167         1. A provider of an electronic store, gateway, marketplace,
  168  or other means of purchasing or downloading software or
  169  applications to review or enforce compliance with this section
  170  on the operators of the software or applications.
  171         2. A provider of an interactive computer service, as that
  172  term is defined in 47 U.S.C. s. 230, to review or enforce
  173  compliance with this section by third-party content providers.
  174         Section 2. This act shall take effect July 1, 2016.