Florida Enacts Student Online Personal Information Protection Act | Practical Law

Florida has enacted SB 662, a statute that limits student data collection, use, and disclosure by operators of educational websites, services, and apps and imposes data security and deletion requirements.

Practical Law Legal Update w-039-6741 (Approx. 4 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 01 Jun 2023 · Florida
On May 31, 2023, Florida Governor Ron DeSantis signed SB 662, the Student Online Personal Information Protection Act (Florida SOPIPA), into law. The Act:
  • Creates requirements and limits for operators of websites, online services, and apps used primarily for or designed and marketed for K-12 school purposes.
  • Explicitly excludes general audience websites, services, and apps, including where login credentials created for a covered product or service can be used to access them.
Florida SOPIPA protects covered information, in any format, that is not publicly available and is:
  • Information created by or provided to the operator by:
    • the student or their legal guardian when using the operator's product or service; or
    • an employee or agent of a K-12 school or district for school purposes.
  • Students' personal identifying information, students' materials, or linked information collected by the operator through its product or service, including:
    • first and last name;
    • phone number, email or home address, or other information allowing physical or online contact;
    • Social Security number;
    • student identifier;
    • biometric or geolocation information;
    • voice recording, text messages, documents, photos, or search activity;
    • student educational, disciplinary, performance, assessment, criminal, health, juvenile dependency, food purchase, or special education records; and
    • socioeconomic, political, disability, or religious information.
The Act prohibits operators from knowingly:
  • Engaging in targeted advertising on any site, service, or app based on any information, including covered information and persistent unique identifiers, collected through the use of their products or services for K-12 school purposes.
  • Using covered information, including persistent unique identifiers, created or collected through the operator's product or service to build a profile of a student except for K-12 school purposes.
  • Sharing, selling, or renting a student's covered information, with certain narrowly defined exceptions for:
    • business mergers and acquisitions; and
    • national assessment providers that obtain express written parental or student consent and use the covered information only to provide access to employment, financial aid, or postsecondary educational opportunities.
  • Disclosing covered information, except to:
    • further the K-12 purposes of the operator's site, app, or service;
    • comply with a court or quasi-judicial order or state or federal legal requirement;
    • protect the safety or integrity of users or the security of its product or service;
    • fulfill a school, educational, or employment purpose requested by a student or legal guardian; or
    • engage a third-party service provider under a contract that prohibits further disclosures or unauthorized processing and requires the third party to implement reasonable security practices.
Under Florida SOPIPA, operators must:
  • Limit covered information collection to what is reasonably necessary to operate their products or services.
  • Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information they hold.
  • Delete covered information at the end of the course using the product or service and within 90 days of a school's notice that a student has unenrolled from the district unless a parent or guardian expressly consents to retention. However, the Act allows operators to retain covered information for purposes of assessments and college and career planning in accordance with other laws.
Florida SOPIPA explicitly states that it does not prohibit operators from engaging in certain activities, including:
  • Using or sharing covered information to improve their products or services or demonstrate their efficacy if the information is not associated with an identified student.
  • If the recommendation is not based on payment or other consideration from a third party:
    • using recommendation engines to recommend education, employment, or learning opportunity content or services to students; or
    • responding to a student's request for information or feedback.
  • Marketing educational products directly to parents if the marketing is not based on covered information collected through the operator's product or service.
A violation of Florida SOPIPA is a deceptive and unfair trade practice under Florida's Deceptive and Unfair Trade Practices Act, enforceable by the Florida Department of Legal Affairs. The State Board of Education has rulemaking authority.
Florida SOPIPA takes effect July 1, 2023.