Bill Text

Bill Information


Bill PDF |Add To My Favorites | print page

AB-801 Student privacy: online personal information.(2023-2024)

SHARE THIS: share this bill in Facebook share this bill in Twitter
Date Published: 09/30/2024 09:00 PM
AB801:v93#DOCUMENT

Assembly Bill No. 801
CHAPTER 935

An act to amend Sections 22584 and 22586 of, and to amend the heading of Chapter 22.2 (commencing with Section 22584) of Division 8 of, the Business and Professions Code, relating to privacy.

[ Approved by Governor  September 29, 2024. Filed with Secretary of State  September 29, 2024. ]

LEGISLATIVE COUNSEL'S DIGEST


AB 801, Joe Patterson. Student privacy: online personal information.
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. The act establishes a variety of exceptions to the obligations imposed on a business under these provisions. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.
The Early Learning Personal Information Protection Act and the Student Online Personal Information Protection Act prohibit the operator of specified internet websites, online services, online applications, or mobile applications from knowingly engaging in targeted advertising to amass a profile about a preschool or prekindergarten pupil or K–12 student, selling a pupil’s or student’s information, or disclosing covered information, except as otherwise provided. Existing law defines “covered information” as personally identifiable information or materials, in any media or format that, among other things, is gathered by an operator through the operation of a site, service, or application and is descriptive of a pupil or student or otherwise identifies a pupil or student.
This bill would instead refer to a K–12 student as a “pupil,” and make conforming changes.
Existing law requires an operator to take specified other actions relating to the protection of a pupil’s or student’s covered information, including implementing and maintaining reasonable security procedures and practices and deleting a pupil’s or student’s covered information if the school or district requests deletion of data under the control of the school or district.
This bill would except from that deletion requirement, with respect to K-12 pupils, pupil records held by a national assessment provider, as defined, and that only include standardized test results. The bill would additionally require, except as prescribed, an operator to delete a preschool, prekindergarten, or K–12 pupil’s covered information under the operator’s control that is not subject to the CCPA if the pupil’s parent or legal guardian, the pupil’s education rights holder, or the pupil, as prescribed, requests an operator to delete the covered information under the operator’s control if the pupil has been no longer enrolled in the local educational agency, preschool, prekindergarten, or district, as applicable, for at least 60 days and would require an operator to require documentation that the pupil is no longer enrolled. The bill would also specify that these provisions shall not be interpreted to limit or supersede any rights or requirements under specified federal law.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The heading of Chapter 22.2 (commencing with Section 22584) of Division 8 of the Business and Professions Code is amended to read:
CHAPTER  22.2. K–12 Pupil Online Personal Information Protection Act

SEC. 2.

 Section 22584 of the Business and Professions Code is amended to read:

22584.
 (a) For purposes of this chapter:
(1) “California Consumer Privacy Act-excluded covered information” or “CCPA-excluded covered information” means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).
(2) “Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:
(A) Is created or provided by a pupil, or the pupil’s parent or legal guardian, to an operator in the course of the pupil’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K–12 school purposes.
(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.
(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (6) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupil’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.
(3) “K–12 school purposes” means purposes that customarily take place at the direction of the K–12 school, teacher, or local educational agency or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.
(4) “Local educational agency” means a school district, county office of education, charter school, or the state special schools for the blind and the deaf.
(5) “National assessment provider” means a person that develops, sponsors, or administers standardized tests.
(6) “Online service” includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.
(7) “Operator” means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.
(8) “Pupil” means a student enrolled in a K–12 course of instruction.
(9) “Standardized test” means a test administered in California at the expense of the test subject that meets either of the following criteria:
(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.
(B) The test is used for preliminary preparation for a test described in subparagraph (A).
(b) An operator shall not knowingly engage in any of the following activities with respect to their site, service, or application:
(1) (A) Engage in targeted advertising on the operator’s site, service, or application, or (B) target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s site, service, or application described in paragraph (6) of subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a pupil enrolled in a local educational agency, except in furtherance of K–12 school purposes.
(3) Sell a pupil’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.
(4) Disclose covered information unless the disclosure is made:
(A) In furtherance of the K–12 purpose of the site, service, or application, provided the recipient of the covered information disclosed pursuant to this subparagraph:
(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that pupil’s classroom or school; and
(ii) Is legally required to comply with subdivision (d);
(B) To ensure legal and regulatory compliance;
(C) To respond to or participate in judicial process;
(D) To protect the safety of users or others or security of the site; or
(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(c) Subdivision (b) does not prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service, or application.
(d) An operator shall do all of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) (A) Delete a pupil’s covered information if the school or local educational agency requests deletion of data under the control of the school or local educational agency.
(B) This paragraph does not require the deletion of pupil records held by a national assessment provider and that only include standardized test results.
(3) (A) Delete a pupil’s CCPA-excluded covered information under the operator’s control if a pupil’s parent or guardian or, in the case of a former pupil who is 18 years of age or older, the pupil requests an operator to delete the covered information under the operator’s control if the pupil has been no longer enrolled in the local educational agency for at least 60 days.
(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the local educational agency.
(C) This paragraph does not require deletion of mandatory permanent pupil records, described in Section 430 of Title 5 of the California Code of Regulations, or any official records or files directly related to a pupil and maintained by the operator, school, or local educational agency, including, but not limited to, records of achievement and results of evaluative tests or records encompassing all the material kept in the pupil’s cumulative folder that is maintained by the school or local educational agency, including, but not limited to, general identifying data, records of attendance and of academic work completed, health data, disciplinary status, test protocols, individualized education programs, or pupil records held by a national assessment provider and that only include standardized test results.
(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:
(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.
(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a local educational agency or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than K–12 school purposes.
(3) To a state or local educational agency, including schools of local educational agencies, for K–12 school purposes, as permitted by state or federal law.
(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:
(1) Within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operator’s products or services, including in their marketing.
(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.
(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(i) This section does not limit the ability of an operator to use pupil data, including covered information, for adaptive learning or customized pupil learning purposes.
(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.
(k) This section does not limit internet service providers from providing internet connectivity to schools or pupils and their families.
(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.
(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.

SEC. 3.

 Section 22586 of the Business and Professions Code is amended to read:

22586.
 (a) For purposes of this chapter:
(1) “California Consumer Privacy Act-excluded covered information” or “CCPA-excluded covered information” means covered information that is not subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code).
(2) “Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:
(A) Is created or provided by a pupil, or the pupil’s parent or legal guardian, to an operator in the course of the pupil’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for preschool and prekindergarten purposes.
(B) Is created or provided by an employee or agent of the preschool, prekindergarten, school district, local educational agency, or county office of education, to an operator.
(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4), and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupil’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.
(3) “Online service” includes cloud computing services, which must comply with this section if they otherwise meet the definition of an operator.
(4) “Operator” means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for preschool or prekindergarten purposes and was designed and marketed for preschool and prekindergarten purposes.
(5) “Preschool or prekindergarten purposes” means purposes that customarily take place at the direction of the preschool, prekindergarten, teacher, or school district, or aid in the administration of preschool or prekindergarten activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, preschool or prekindergarten personnel, or parents, or are for the use and benefit of the preschool or prekindergarten.
(6) “Pupil” means a child enrolled in a preschool or prekindergarten course of instruction.
(b) An operator shall not knowingly engage in any of the following activities with respect to their site, service, or application:
(1) (A) Engage in targeted advertising on the operator’s site, service, or application.
(B) Target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s site, service, or application described in paragraph (4) of subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a pupil, except in furtherance of preschool or prekindergarten purposes.
(3) Sell a pupil’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.
(4) Disclose covered information unless the disclosure is made:
(A) In furtherance of the preschool and prekindergarten purposes of the site, service, or application, provided that the recipient of the covered information disclosed pursuant to this subparagraph:
(i) Shall not further disclose the information unless done to allow or improve operability and functionality within that pupil’s preschool or prekindergarten.
(ii) Is legally required to comply with subdivision (d);
(B) To ensure legal and regulatory compliance;
(C) To respond to or participate in a judicial process;
(D) To protect the safety of users or others or security of the site; or
(E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(c) Subdivision (b) does not prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service, or application.
(d) An operator shall do all of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) Delete a pupil’s covered information if the preschool, prekindergarten, or district requests deletion of data under the control of the preschool, prekindergarten, or district.
(3) (A) Delete a pupil’s CCPA-excluded covered information under the operator’s control if a pupil’s parent, guardian, or education rights holder or, in the case of a former pupil 18 years of age or older, the pupil requests an operator to delete the covered information under the operator’s control if the pupil has been no longer enrolled in the preschool, prekindergarten, or district for at least 60 days.
(B) Before deleting any information described in subparagraph (A), the operator shall require documentation that the pupil is no longer enrolled in the preschool, prekindergarten, or district.
(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a pupil, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances:
(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.
(2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a preschool, prekindergarten, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the pupil for purposes other than preschool and prekindergarten purposes.
(3) To a state or local educational agency, including preschools, prekindergartens, and school districts, for preschool and prekindergarten purposes, as permitted by state or federal law.
(f) This section does not prohibit an operator from using deidentified pupil covered information as follows:
(1) Within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operator’s products or services, including in their marketing.
(g) This section does not prohibit an operator from sharing aggregated deidentified pupil covered information for the development and improvement of educational sites, services, or applications.
(h) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(i) This section does not limit the ability of an operator to use a pupil’s data, including covered information, for adaptive learning or customized early learning purposes.
(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.
(k) This section does not limit internet service providers from providing internet connectivity to preschools, prekindergartens, or pupils and their families.
(l) This section does not prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(o) This section does not impede the ability of pupils to download, export, or otherwise save or maintain their own personally created data or documents.
(p) This section shall not be interpreted to limit or supersede any rights or requirements under the federal Individuals with Disabilities Education Act (20 U.S.C. Sec. 1400 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. Sec. 701 et seq.), and any rules or regulations promulgated pursuant to those laws.