HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/HB 699 Student Online Personal Information Protection
SPONSOR(S): Education & Employment Committee, Koster and others
TIED BILLS: None. IDEN./SIM. BILLS: SB 662
REFERENCE ACTION ANALYST STAFF DIRECTOR or
BUDGET/POLICY CHIEF
1) Education Quality Subcommittee 17 Y, 0 N Wolff Sanchez
2) PreK-12 Appropriations Subcommittee 14 Y, 0 N Bailey Potvin
3) Education & Employment Committee 19 Y, 0 N, As CS Wolff Hassell
SUMMARY ANALYSIS
To protect the private information of Florida’s students, especially given the increased reliance on online
platforms in schools, the bill creates the Student Online Personal Information Protection Act (SOPIPA), which
substantially restricts the operator of a website, online service, or online application that is used for K-12 school
purposes from collecting, disclosing, or selling student data, or from using student data to engage in targeted
advertising.
The bill prohibits operators using any information acquired through the use of their education technology to
create profiles of students, except for K-12 school purposes, or knowingly engaging in targeted advertising.
Additionally, the bill prohibits an operator from sharing, selling, or renting student information to third parties or
disclosing certain covered information, except when authorized by federal or state law.
The bill requires operators to collect no more covered information than reasonably necessary to operate the
educational technology and implement and maintain reasonable security procedures and practices to protect
covered information. Operators must delete a student’s covered information if requested by the K-12 school or
school district, unless a student or a parent or guardian consents to its maintenance.
Any violation of the SOPIPA is deemed a deceptive and unfair trade practice and constitutes a violation of
Florida’s Deceptive and Unfair Trade Practices Act. The bill clarifies that there is no private cause of action for
violations of SOPIPA by expressly limiting enforcement authority to the Department of Legal Affairs.
There is no fiscal impact to state or local expenditures. The bill has an indeterminate fiscal impact on the
private sector.
The bill takes effect July 1, 2023.
This docum ent does not reflect the intent or official position of the bill sponsor or House of Representatives .
STORAGE NAME: h0699e.EEC
DATE: 4/20/2023
� FULL ANALYSIS
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Present Situation
Privacy of Student Information
Since the pandemic, schools have significantly increased their reliance upon Internet and online-based
software and educational technologies. Classroom assignments and assessments are often delivered
online via laptops or tablets, and teachers make regular use of social media platforms, websites, and
“free” apps in class.1 In fact, a single educator will use, on average, 148 apps in a school year. 2 This
increased reliance on Internet-based apps in schools risks compromising student privacy because it
exposes students to online profiling and targeted advertising.
Profiling is the automated process of compiling personal data to evaluate certain personal aspects
relating to a specific student.3 The operators of Internet-based apps can use persistent unique
identifiers or third-party scripts to recognize and track students across third-party websites, then use
this information to analyze or predict student interests for marketing or advertising purposes. Tracking
students in this manner can result in unintended consequences such as the disclosure of sensitive data
through unknown tracking processes.4
Targeted advertising collects generalized information about students from various sources, including
information on race, location, gender, age, school, and interests.5 This information is then interpreted in
order to display products and services that may be more relevant (i.e. targeted) to students. Targeted
advertising can also include the collection of specific information about individual students using
cookies, beacons, tracking pixels, persistent unique identifiers, or other tracking technologies that
provide more specific information about a student’s online behavior or activity over time. This
information can then be sold to, or shared with, third-party advertisers, who are able to display even
more targeted products and services to students than general targeted advertisements based on the
highly-specific information they collect from the student’s behavior while using the application or
service.6
Targeted advertising is different than contextual advertising, which displays products and services to
students based only on the content or webpage that they are currently viewing, and which does not
collect any specific information about the student to determine which advertisements to display.7
There is significant unease about the privacy implications associated with the online collection and use
of data.8 One international, pre-pandemic poll found that 71% of individuals worried about how tech
1 Parent Coalition for Student Privacy and the Network for Public Education, The State Student Privacy Report Card: Grading the
States on Protecting Student Data Privacy, 1 (Jan. 2019), https://studentprivacymatters.org/wp-content/uploads/2019/01/The-2019-
State-Student-Privacy-Report-Card.pdf.
2 Rebecca Torchia, What is Third-Party Risk, and What Do Schools Need to Know? (Feb. 24, 2023), EdTech Focus On K-12,
https://edtechmagazine.com/k12/article/2023/ 02/ what-third-party-risk-and-what-do-schools-need-know-perfcon (citing
LearnPlatform, EdTech Top 40: Fall Report (Sept. 2022), https://learnplatform.com/top40).
3 Girard Kelly, How California’s Student Privacy Law Protects Against Targeted Advertising (Apr. 26, 2018), The Journal,
https://thejournal.com/articles/2018/04/26/how-california -student-privacy-law-protects-against-targeted-advertising.aspx.
4 Id.
5 Id.
6 Id.; see also Wharton School, University of Penns ylvania, Your Data Is Shared and Sold… What’s Being Done About It? (Oct. 28,
2019), Knowledge at Wharton, https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/.
7 Kelly, supra at note 3.
8 See University of Texas at Austin, Center for Media Engagement, Privacy versus Products in Targeted Digital Advertising,
https://mediaengagement.org/research/privacy-versus-products-in-targeted-digital-advertising/ (last visited Apr. 19, 2023).
STORAGE NAME: h0699e.EEC PAGE: 2
DATE: 4/20/2023
� companies collect and use their personal data.9 And in another poll, specifically with respect to the
collection and use of K-12 student data, 93% of parents of K-12 students said it was important for
schools to engage with them about the use of student data, but only 44% said that they had been
asked for their input.10
Federal Student Privacy Legislation
At the federal level, there are three laws that are most often referenced when it comes to student
privacy and local schools or school districts:11 the Family Educational Rights and Privacy Act
(FERPA),12 the Protection of Pupil Rights Amendment (PPRA),13 and the Children’s Online Privacy
Protection Act (COPPA).14
Family Educational Rights and Privacy Act
FERPA protects the privacy of students’ education records. 15 The law applies to any school that
receives applicable funds from the U.S. Department of Education. FERPA grants parents certain rights
respecting their child’s education records, and these rights transfer to the student when he or she
reaches the age of 18 or attends a post-secondary school (at which point he or she is known as an
“eligible student”).16
Parents or eligible students have the right to inspect and review the student’s education records
maintained by the school. They also have the right to request that a school correct records that they
believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or
eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to
amend the record, the parent or eligible student has the right to place a statement with the record
setting forth his or her view about the contested information. 17
Generally, schools must have written permission from the parent or eligible student in order to release
any information from a student's education record. However, FERPA allows schools to disclose those
records, without consent, to the following parties or under the following conditions:
School officials having a legitimate educational interest;
Other schools to which a student is transferring;
Specified officials for audit or evaluation purposes;
Appropriate parties in connection with financial aid to a student;
Organizations conducting certain studies for or on behalf of the school;
Accrediting organizations;
Persons authorized to receive the records pursuant to a judicial order or lawfully issued
subpoena;
Appropriate officials in cases of health and safety emergencies; and
State and local authorities, within a juvenile justice system, pursuant to specific state law.18
9 Amnesty International, New poll reveals 7 in 10 people want governments to regulate Big Tech over personal data fears (Dec. 4,
2019), https://www.amnesty.org/en/latest/press-release/2019/12/big-tech-privacy-poll-shows-people-worried/.
10 Adam Stone, Understanding FERPA, CIPA, and Other K-12 Student Data Privacy Laws (Apr. 28, 2022), EdTech Focus On K-12,
https://edtechmagazine.com/k12/article/2022/ 04/understanding-ferpa-cipa-and-other-k-12-student-data-privacy-laws-perfcon (citing
the Center for Democracy and Technology, Sharing Student Data Across Public Sectors (Dec. 2021), available at https://cdt.org/wp-
content/uploads/2021/12/12-01-2021-Civic-Tech-Co mmunity-Engagement-Fu ll-Report-final.pdf).
11 LearnPlatform, supra note 2.
12 20 U.S.C. s. 1232g; 34 C.F.R. pt. 99.
13 20 U.S.C. s. 1232h; 34 C.F.R. pt. 98.
14 15 U.S.C. ss. 6501-06; 16 C.F.R. pt. 312.
15 U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA) (Aug. 25, 2021), https://www2.ed.
gov/policy/gen/guid/fpco/ferpa/index.html.
16 Id.
17 Id.
18 Id.
STORAGE NAME: h0699e.EEC PAGE: 3
DATE: 4/20/2023
� Schools may disclose, without consent, directory information, such as a student’s name, address,
telephone number, date and place of birth, honors and awards, and dates of attendance. However,
schools must allow parents and students to opt out of the disclosure of their directory information.
Schools must give an annual notice about rights granted by FERPA to affected parties. 19
Protection of Pupil Rights Amendment
PPRA applies to programs and activities that get their funding from the U.S. Department of Education.20
It governs the administration to students of a survey, analysis, or evaluation that concerns one or more
of the following eight protected areas:
Political affiliations or beliefs of the student or the student’s parent;
Mental or psychological problems of the student or the student’s family;
Sex behavior or attitudes;
Illegal, anti-social, self-incriminating, or demeaning behavior;
Critical appraisals of other individuals with whom respondents have close family relationships;
Legally recognized privileged or analogous relationships, such as those of lawyers, physicians,
and ministers;
Religious practices, affiliations, or beliefs of the student or student’s parent; or
Income (other than that required by law to determine eligibility for participation in a program or
for receiving financial assistance under such program). 21
PPRA also governs marketing surveys and other areas of student privacy, parental access to
information, and the administration of certain physical examinations to minors. The rights under PPRA
transfer from the parents to a student who is 18 years old or an emancipated minor under state law. 22
Children’s Online Privacy Protection Act
COPPA and its related rules regulate websites’ collection and use of children’s information.23 The
operator of a website or online service that is directed to children, or that has actual knowledge that it
collects children’s personal information (covered entities), must comply with requirements regarding
data collection and use, privacy policy notifications, and data security. For purposes of COPPA,
children are individuals under the age of 13.24
COPPA defines personal information as individually identifiable information about an individual that is
collected online, including:
First and last name;
A home or other physical address including street name and name of a city or town;
Online contact information;
A screen or user name that functions as online contact information;
A telephone number;
A social security number;
A persistent identifier that can be used to recognize a user over time and across different
websites or online services;
A photograph, video, or audio file, where such file contains a child’s image or voice;
Geolocation information sufficient to identify street name and name of a city or town; or
Information concerning the child or the parents of that child that the operator collects online from
the child and combines with an identifier described above. 25
19 Id.
20 U.S. Department of Education, What is the Protection of Pupil Rights Amendment (PPRA)?, https://studentprivacy.ed.gov/
faq/what-protection-pupil-rights-amendment-ppra (last visited Apr. 19, 2023).
21 Id.
22 Id.
23 Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, https://www.ftc.gov/business -
guidance/resources/complying-coppa-frequently-asked-questions (last visited Apr. 19, 2023).
24 Id.
25 Id.
STORAGE NAME: h0699e.EEC PAGE: 4
DATE: 4/20/2023
� Covered entities must:
Post a clear and comprehensive online privacy policy describing their information practices for
personal information collected online from children;
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions,
before collecting personal information online from children;
Give parents the choice of consenting to the operator’s collection and internal use of a child’s
information, but prohibiting the operator from disclosing that information to third parties (unless
disclosure is integral to the site or service, in which case, this must be made clear to parents);
Provide parents access to their child’s personal information to review or have the information
deleted;
Give parents the opportunity to prevent further use or online collection of a child’s personal
information;
Maintain the confidentiality, security, and integrity of information they collect from children,
including by taking reasonable steps to release such information only to parties capable of
maintaining its confidentiality and security;
Retain personal information collected online from a child for only as long as is necessary to fulfill
the purpose for which it was collected and delete the information using reasonable measures to
protect against its unauthorized access or use; and
Not condition a child’s participation in an online activity on the child providing more information
than is reasonably necessary to participate in that activity. 26
Violations of COPPA are deemed an unfair or deceptive act or practice and are therefore prosecuted
by the Federal Trade Commission.27
State Student Privacy Legislation
At the state level, 42 states and the District of Columbia have passed more than 128 student privacy
laws.28 Indeed, most states have passed more than one student privacy law. 29
States have generally approached the regulation of student data use in three ways:
By regulating schools and state-level education agencies;
By regulating companies that collect and use student data; and
By combining the first two models.30
An example of the first approach is Oklahoma’s Student Data Accessibility, Transparency, and
Accountability Act of 2013 (the Student DATA Act), which addressed the permissible state-level
collection, security, access, and uses of student data. Legislation following the Oklahoma model has
limited data collection and use and defined how holders of student data can collect, safeguard, use,
and grant access to data.31
26 Id.
27 See id.; see also 15 U.S.C. s. 6502(c); 16 C.F.R. s. 312.9.
28 Adam Stone, Understanding FERPA, CIPA, and Other K-12 Student Data Privacy Laws (Apr. 28, 2022), EdTech Focus On K-12,
https://edt