• The Student Online Personal Information Protection Act was signed into law this week, introducing new restrictions on education websites and applications to prevent data harvesting and targeted advertising.
• The legislation limits the collection, disclosure, and sale of student data and prohibits targeted advertising based on student information.
• Operators of educational technology platforms can still collect necessary information, implement security measures, delete student data upon request, and disclose information for research or educational purposes, according to the legislation.

The ‘Student Online Personal Information Protection Act‘ was signed into law this week, introducing new restrictions on education websites and applications to prevent data harvesting and targeted advertising.

The legislation significantly limits the collection, disclosure, and sale of student data by websites, online services, and applications used for K-12 school purposes.

Under the bill, operators of educational technology platforms are prohibited from engaging in targeted advertising based on any information acquired through their platforms, including unique identifiers. They are also restricted from creating student profiles, sharing or selling student information to third parties, and disclosing covered information, except under specific circumstances.

To ensure compliance, operators are required to collect only the necessary information for the operation of their educational technology platforms. They must implement and maintain reasonable security measures to protect student data. Additionally, operators must delete a student’s information upon request from the K-12 school or district, unless explicit consent for data retention is given by the student or their parent/guardian.

The bill allows for the disclosure of covered information under certain circumstances, such as when required by federal or state law, for legitimate research purposes that do not involve targeted advertising or profiling, or when shared with educational agencies for K-12 school purposes.

The measure’s passage comes one month after the Board of Governors for the State University System (SUS) of Florida amended preexisting regulations to grant universities across the state the right to prohibit the use of TikTok and other cyber threats of concern on SUS devices and wireless infrastructure.

Security concerns regarding TikTok in particular heightened across the recently-closed Legislative Session, with members of the Florida Senate Fiscal Policy Committee approving a measure to would ban the Chinese-owned social media platform on state government devices and Wi-Fi networks.

Several state colleges — including the University of Florida — advised its students to abandon using TikTok earlier this year, citing growing security concerns. The university referred to the platform as a “national security risk,” pointing to the possibility that foreign governments may use TikTok to control data collection and compromise personal devices.”

With the approved amendment, state universities are permitted to adopt measures to safeguard their networks from cyber threats by adhering to a list of prohibited technologies endorsed by the state. This directive is based upon a consolidated list sourced from various threat intelligence providers, such as the Federal Department of Homeland Security, the Federal Bureau of Investigations, and the Florida Fusion Center.

The move aims to protect universities from potential threats, such as malware, unauthorized data access, and network breaches, that could lead to substantial reputational and financial damage. Consequently, the list will mandate institutions to implement a protection protocol to prevent the installation and use of banned technologies within their networks, both in hardware and software.

“This regulation requires that the institutions look at a prohibitive technologies list that will be developed and published, and prevent those technologies from being put on university devices, be transported across certain networks, or be installed in their infrastructure,” said Board member Gene Kovacs.