Current through the 2024 Legislative Session
Section 1006.1494 - Student online personal information protection

(1) As used in this section, the term:

(a) "Covered information" means personal identifying information or material of a student, or information linked to personal identifying information or material of a student, in any media or format that is not publicly available and is any of the following:

1. Created by or provided to an operator by the student, or the student's parent or legal guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K-12 school purposes.

2. Created by or provided to an operator by an employee or agent of a K-12 school or school district for K-12 school purposes.

3. Gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student, including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

(b) "Interactive computer service" means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.

(c) "K-12 school" has the same meaning as described in s. 1000.04(2).

(d) "K-12 school purposes" means purposes directed by or that customarily take place at the direction of a K-12 school, teacher, or school district or that aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or that are otherwise for the use and benefit of the school.

(e) "Operator" means, to the extent that it is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes, or the site, service, or application was designed and marketed for K-12 school purposes.

(f) "School district" has the same meaning as in s. 595.402.

(g) "Targeted advertising" means presenting advertisements to a student which are selected on the basis of information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. The term does not include advertising to a student at an online location based upon the student's current visit to that location, or advertising presented in response to a student's request for information or feedback, if the student's online activities or requests are not retained over time for the purpose of targeting subsequent advertisements to that student.

(2) An operator may not knowingly do any of the following:

(a) Engage in targeted advertising on the operator's site, service, or application, or targeted advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, which the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes.

(b) Use covered information, including persistent unique identifiers, created or gathered by the operator's site, service, or application to amass a profile of a student, except in furtherance of K-12 school purposes. The term "amass a profile" does not include the collection and retention of account information that remains under the control of the student or the student's parent or guardian or K-12 school.

(c) Share, sell, or rent a student's information, including covered information. This paragraph does not apply to the purchase, merger, or other acquisition of an operator by a third party, if the third party complies with this section regarding previously acquired student information, or to a national assessment provider if the provider obtains the express written consent of the parent or student, given in response to clear and conspicuous notice, solely to provide access to employment, educational scholarships or financial aid, or postsecondary educational opportunities.

(d) Except as otherwise provided in subsection (4), disclose covered information, unless the disclosure is made for any of the following purposes:

1. In furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under this subparagraph does not further disclose the information.

2. Disclosure as required by state or federal law.

3. To comply with the order of a court or quasi-judicial entity.

4. To protect the safety or integrity of users of the site or others or the security of the site, service, or application.

5. For a school, educational, or employment purpose requested by the student or the student's parent or guardian, provided that the information is not used or further disclosed for any other purpose.

6. To a third party, if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices.

An operator may not disclose covered information relating to any contracted services provided in paragraph (a), paragraph (b), or paragraph (c).

(3) An operator shall do all of the following:

(a) Collect no more covered information than is reasonably necessary to operate an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes, or the site, service, or application was designed and marketed for K-12 school purposes.

(b) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information which are designed to protect it from unauthorized access, destruction, use, modification, or disclosure.

(c) Unless a parent or guardian expressly consents to the operator retaining a student's covered information, delete the covered information at the conclusion of the course or corresponding program and no later than 90 days after a student is no longer enrolled in a school within the district, upon notice by the school district.

(4) An operator may use or disclose covered information of a student under any of the following circumstances:

(a) If federal or state law requires the operator to disclose the information, and the operator complies with federal or state law, as applicable, in protecting and disclosing that information.

(b) If the covered information is disclosed to a state educational agency or the student's local educational agency for K-12 school purposes, as allowed under state or federal law.

(c) If the covered information is disclosed to a state or local educational agency, including K-12 schools and school districts, for K-12 school purposes, as allowed under state or federal law.

(5) This section does not prohibit an operator from doing any of the following:

(a) Using covered information to improve educational products, if that information is not associated with an identified student within the operator's site, service, or application, or other sites, services, or applications owned by the operator.

(b) Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including use in their marketing.

(c) Sharing covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications.

(d) Using recommendation engines to recommend to a student any of the following:

1. Additional content relating to an educational, an employment, or any other learning opportunity purpose within an online site, service, or application, if the recommendation is not determined in whole or in part by payment or other consideration from a third party.

2. Additional services relating to an educational, an employment, or any other learning opportunity purpose within an online site, service, or application, if the recommendation is not determined in whole or in part by payment or other consideration from a third party.

(e) Responding to a student's request for information or feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.

(6) This section does not do any of the following:

(a) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.

(b) Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.

(c) Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.

(d) Limit service providers from providing Internet connectivity to schools or students and their families.

(e) Prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents, if such marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.

(f) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on such software or applications.

(g) Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this section by third-party content providers.

(h) Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

(i) Limit the retention of covered information by an operator for the purposes of assessments and college and career planning in accordance with general law.

(7) Any violation of this section is a deceptive and unfair trade practice and constitutes a violation of the Florida Deceptive and Unfair Trade Practices Act, part II of chapter 501. Notwithstanding the provisions of part II of chapter 501, the Department of Legal Affairs is the sole entity authorized to bring an enforcement action against an entity that violates this section. The State Board of Education may adopt rules to implement this section.

Added by 2023 Fla. Laws, ch. 170, s. 2, eff. 7/1/2023.