Bill Text: CA AB1971 | 2023-2024 | Regular Session | Amended
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Administration of standardized tests.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2024-09-24 - Chaptered by Secretary of State - Chapter 508, Statutes of 2024. [AB1971 Detail]
Download: California-2023-AB1971-Amended.html
section, “operator” means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes. chapter:
Bill Title: Administration of standardized tests.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2024-09-24 - Chaptered by Secretary of State - Chapter 508, Statutes of 2024. [AB1971 Detail]
Download: California-2023-AB1971-Amended.html
|
Amended
IN
Senate
August 19, 2024 |
|
Amended
IN
Senate
May 30, 2024 |
|
Amended
IN
Assembly
March 04, 2024 |
CALIFORNIA LEGISLATURE—
2023–2024 REGULAR SESSION
Assembly Bill
No. 1971
| Introduced by Assembly Member Addis |
January 30, 2024 |
An act to amend Section 22584 of of, and to add Chapter 22.2.3 (commencing with Section 22585.5) to Division 8 of, the Business and Professions Code, relating to personal information.
LEGISLATIVE COUNSEL'S DIGEST
AB 1971, as amended, Addis.
Student Online Personal Information Protection Act: administration of standardized tests.
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to opt out of the selling or sharing of personal information about the consumer to third parties. Additionally, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.
The Student Online Personal Information Protection Act (SOPIPA) prohibits
an operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes from knowingly engaging in certain activities with respect to the operator’s site, service, or application, including selling a student’s information, including covered information, as defined, or using information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K–12 student except in furtherance of K–12 school purposes. SOPIPA also prohibits an operator from disclosing covered information unless the disclosure is made for certain purposes, including to ensure legal and regulatory compliance. SOPIPA defines “K–12 school purposes” to mean purposes that customarily take place at the direction of the K–12 school, teacher, or school district or aid in the administration of
school activities, as specified.
The Student Test Taker Privacy Protection Act prohibits a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information, as defined, except to the extent necessary to provide those proctoring services and in other specified circumstances.
This bill would additionally define “K–12 school purposes” to mean, among other things, the administration in the state of a standardized test taken by a K–12 student for the purpose of bolstering the K–12 student’s application for general admission to a postsecondary educational institution or a test used for preparation for a standardized test. The bill would additionally authorize an operator to disclose covered information if the disclosure is to a postsecondary institution for the purpose of facilitating a K–12 student’s admission to that institution or facilitating a K–12
student’s access to a scholarship only if the K–12 student, or the K–12 student’s legal guardian, expressly consented to the disclosure.
SOPIPA specifies that SOPIPA does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.
This bill would delete that provision.
This bill would instead, within SOPIPA, use the term “pupil” in place of “student” and would define “pupil” to mean a student enrolled in a K–12 course of instruction. The bill
would also make nonsubstantive changes to SOPIPA.
This bill would also prohibit a national assessment provider, as defined, from knowingly doing certain things with respect to its administration of, or publishing or distributing the scores with respect to, a standardized test, including selling personal information provided by an individual, or the individual’s parent or legal guardian, to a national assessment provider for the purposes of administering, or publishing or distributing the scores with respect to, a standardized test, except as prescribed. The bill would define “standardized test” to mean a test administered in California at the expense of the test subject that is, among other things, not a test administered for K–12 purposes, as described above.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Section 22584 of the Business and Professions Code is amended to read:22584.
(a) For purposes of this(1) “Covered information” means personally identifiable information or materials in any media or format that meets any of the
following:
(A) Is created or provided by a pupil, or the pupil’s parent or legal guardian, to an operator in the course of the pupil’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K–12 school purposes.
(B) Is created or provided by an employee or agent of the school or local educational agency to an operator.
(C) Is gathered by an operator through the operation of a site, service, or application described in paragraph (4) and is descriptive of a pupil or otherwise identifies a pupil, including, but not limited to, information in the pupil’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency
records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, pupil identifiers, search activity, photographs, voice recordings, or geolocation information.
(2) “K–12 school purposes” means purposes that customarily take place at the direction of the K–12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or are for the use and benefit of the school.
(3) “Online service” includes cloud computing services, which must comply with this section if they otherwise meet the definition of an
operator.
(4) “Operator” means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.
(5) “Pupil” means a student enrolled in a K–12 course of instruction.
(b) An operator shall not knowingly engage in any of the following activities with respect to the operator’s site, service, or application:
(1) Engage in targeted advertising on the operator’s site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based
upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s site, service, or application described in subdivision (a).
(2) Use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application to amass a profile about a K–12 student pupil except in furtherance of K–12 school purposes.
(3) Sell a student’s
pupil’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student pupil
information.
(4) Disclose covered information unless any of the following is true:
(A) The disclosure is made in furtherance of the K–12 purpose of the site, service, or application, if the recipient of the covered information disclosed pursuant to this subparagraph meets both of the following criteria:
(i) The recipient does not further disclose the information unless done to allow or improve operability and functionality within that student’s pupil’s classroom or school.
(ii) The recipient is legally required to comply with subdivision (d).
(B) The disclosure is made to ensure legal and regulatory compliance.
(C) The disclosure is made to respond to or participate in judicial process.
(D) The disclosure is made to protect the safety of users or others or security of the site.
(E) The disclosure is made to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by
the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d).
(F)The disclosure is made to postsecondary institutions for the purpose of facilitating a K–12 student’s admission to an institution or facilitating a K–12 student’s access to a scholarship only if the K–12 student, or the K–12 student’s legal guardian, expressly consented to the disclosure.
(c) Nothing in subdivision (b) shall be construed to prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service, or application.
(d) An operator shall do both of the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use,
modification, or disclosure.
(2) Delete a student’s
pupil’s covered information if the school or district requests deletion of data under the control of the school or district.
(e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as pupil, if paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under all of the following circumstances:
(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that
information.
(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student pupil for purposes other than K–12 school purposes.
(3) To a state or local educational agency, including schools and school districts, for K–12 school purposes, as permitted by state or federal law.
(f) Nothing in this section prohibits This section does not prohibit an operator from using deidentified student pupil covered information as follows:
(1) Within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operator’s products or services, including
in their marketing.
(g) Nothing in this section prohibits This section does not prohibit an operator from sharing aggregated deidentified student pupil covered information for the development and improvement of educational sites, services, or applications.
(h)“Online service” includes cloud computing services, which must comply with this section if they otherwise meet the definition of an
operator.
(i)“Covered information” means personally identifiable information or materials in any media or format that meets any of the following:
(1)Is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K–12 school purposes.
(2)Is created or provided by an employee or agent of the K–12 school, school district, local education agency, or county office of education, to an operator.
(3)Is gathered by an operator through the operation of a site, service, or application described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.
(j)“K–12 school purposes” means any of the following:
(1)Purposes that customarily take place at the direction of the K–12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.
(2)The administration in the state of either of the following:
(A)A standardized test taken by a K–12 student for the purpose of bolstering the K–12 student’s application for general admission to a postsecondary educational institution.
(B)A test used for preparation for a standardized test described in subparagraph (A).
(3)The registration for, or reporting of scores with respect to, a test described in paragraph (2).
(k)
(h) This section shall not be construed to does not limit the authority of a law enforcement agency to obtain any content or
information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(l)
(i) This section does not limit the ability of an operator to use student pupil data, including covered information, for adaptive learning or customized student
pupil learning purposes.
(j) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience internet websites, services, or applications.
(m)
(k) This section does not limit internet service
providers from providing internet connectivity to schools or students
pupils and their families.
(n)
(l) This section shall not be construed to prohibit an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
(o)
(m) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
(p)
(n) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with
this section by third-party content providers.
(q)
(o) This section does not impede the ability of students pupils
to download, export, or otherwise save or maintain their own student pupil created data or documents.
SEC. 2.
Chapter 22.2.3 (commencing with Section 22585.5) is added to Division 8 of the Business and Professions Code, to read:CHAPTER 22.2.3. National Assessment Providers
22585.5.
For purposes of this chapter:(a) “Covered information” means personal information provided by an individual, or the individual’s parent or legal guardian, to a national assessment provider for the purposes of administering, or publishing or distributing the scores with respect to, a standardized test.
(b) “National assessment provider” means a person that develops, sponsors, or administers standardized tests.
(c) “Personal information” has the same meaning as defined in Section 1798.140 of the Civil Code.
(d) (1) “Standardized test” means a test
administered in California at the expense of the test subject that meets either of the following criteria:
(A) The test is used for the purposes of admission to, or class placement in, postsecondary educational institutions or their programs.
(B) The test is used for preliminary preparation for a test described in subparagraph (A).
(2) “Standardized test” does not mean a test administered for K–12 purposes, as defined in Section 22584.
22585.6.
(a) A national assessment provider shall not knowingly do any of the following with respect to its administration of, or publishing or distributing the scores with respect to, a standardized test:(1) (A) Except as provided in subparagraph (B), sell covered information.
(B) A national assessment provider may sell covered information if either of the following apply:
(i) The sale is incident to the purchase, merger, or other type of acquisition of a national assessment provider by another entity, if that entity complies with this chapter as if it were a national assessment provider.
(ii) (I) The sale is to colleges, universities, financial aid and scholarship agencies, government agencies, and organizations that offer educational, community involvement, extracurricular, and career opportunities products and services solely to provide access to employment, educational scholarships or financial aid, or educational opportunities.
(II) This clause applies only if the individual, or the individual’s parent or legal guardian, identified by the covered information expressly consented to the sale of the covered information.
(2) Disclose covered information to a third party, including, but not limited to, social media providers through cookies, pixels, or similar tracking technologies on the national assessment provider’s internet website.
(3) Disclose covered information unless any of the following is true:
(A) (i) The disclosure is made in furtherance of the purposes of the standardized test, including, but not limited to, disclosure to postsecondary institutions, scholarship providers, or government agencies for the purpose of an individual’s admission, course credit, or placement in an institution or facilitating an individual’s eligibility for recognition, a scholarship, or financial aid.
(ii) This subparagraph applies only if the individual identified by the covered information expressly consented to the disclosure, and the recipient of the covered information agreed not to further disclose the information without the consent of the individual or as required by law.
(B) The disclosure is made to ensure legal and regulatory compliance.
(C) The disclosure is made to respond to, or participate in, judicial process.
(D) The disclosure is made to protect personal safety or the safety of others.
(E) The disclosure is made to a service provider if a national assessment provider contractually does all of the following:
(i) Prohibits the service provider from using any covered information for a purpose other than providing the contracted service to, or on behalf of, the national assessment provider.
(ii) Prohibits the service provider from disclosing any covered information provided by the national assessment provider to other third parties.
(iii) Requires the service provider to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(F) The disclosure is made for legitimate research purposes required by state or federal law.
(G) The disclosure is made to a state or local educational agency, including a school or school district.
(H) The disclosure is made to a parent or legal guardian of the individual identified by the covered information if that individual is under the age of 18.
(b) This section does not prohibit a national assessment provider from using
covered information for maintaining, developing, supporting, improving, or diagnosing the national assessment provider’s programs and services.
(c) A national assessment provider shall implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(d) If there is a conflict between any other law, including the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code) and this chapter, the law that affords the greatest protection of the right of privacy shall control.
