Current through Reg. 50, No. 187; September 24, 2024
(1) Purpose. This rule sets forth
requirements for policies that must be adopted by school districts and charter
school governing boards to protect personally identifiable information of
students when using required online educational services. The rule also
provides minimum requirements for contracts or agreements where student
information will be disclosed to or used by third-party vendors or service
providers.
(2) Definitions.
(a) "Education records" means records that
are directly related to a student and that are maintained by an educational
agency or institution or a party acting for or on behalf of the agency or
institution, as defined in 20 U.S.C. s. 1232g(a)(4).
(b) "Eligible student" means a student who
has reached eighteen (18) years of age or is attending a postsecondary
institution, at any age.
(c) "Institution" means any public school, center, or other entity that is part of
Florida's education system under Sections 1000.04(2), (4), and (5), F.S.
(d) "Online educational service" means
computer software, mobile applications (apps), and web-based tools that
students or parents are required to use and access through the internet and as
part of a school activity or function. Examples include online services that
students or parents use to access class readings, assignments, or videos, to
view learning progression, or to complete assignments. This does not include
online services that students or parents may use in their personal capacity or
to online services that districts or schools may use to which students or
parents do not have access, such as a district student information
system.
(e) "Parent" includes
parents or guardians of students who are or have been in attendance at a school
or institution as defined in paragraph (2)(c).
(f) "Personally identifiable information" or
"PII" means information that can be used to distinguish or trace a student's
identity either directly or indirectly through linkages with other information,
as defined in 34 CFR § 99.3. PII includes, but is not limited to
direct identifiers (such as a student's or other family member's name),
indirect identifiers (such as a student's date of birth, place of birth, or
mother's maiden name), and other personal identifiers (such as a student's
social security number or Florida Education Identifier (FLEID) number). PII
also includes information that, alone or in combination, is linked or linkable
to a specific student that would allow a reasonable person in the school
community, who does not have personal knowledge of the relevant circumstances,
to identify the student with reasonable certainty.
(g) "School Board or School District" means a
Florida school district or district school board, charter school governing
board, the Florida Virtual School (Section 1002.37, F.S.), the Florida
School for the Deaf and the Blind (Section 1002.36, F.S.), and
Developmental Research (Laboratory) Schools (Section 1002.32, F.S.).
(h) "Student" means any individual who is or
has been in attendance at an educational agency or institution and regarding
whom the agency or institution maintains education records.
(i) "Third-party vendor" or "Third-party
service provider" means any entity, whether public or private, that provides
services to a school board or institution through a contract or agreement. The
term does not include the Florida Department of Education, the Department's
contractors and subcontractors, or School Boards and School Districts as
defined in paragraph (2)(g).
(3) Review and Approval of Online Educational Services.
(a) For online educational services
that students and parents are required to use, school districts and charter
school governing boards must adopt policies to protect student PII from
potential misuse and to protect students from data mining and targeted
advertising. These policies must include, at a minimum, review and approval of
any online educational service that students or their parents are required to
use as part of a school activity or function. These policies must also include:
1. Review and approval of the online
educational service's terms of service and privacy policy to ensure compliance
with state and federal privacy laws, including FERPA and its implementing
regulations, the Children's Online Privacy Protection Act (COPPA),
15 U.S.C. ss. 6501-6506, Section 1002.22, F.S., and the Student
Online Personal Information Protection Act, Section 1006.1494, F.S.
2. Designation of a person or persons
responsible for the review and approval of online educational services that
will be required for students or parents to use and the procedure for seeking
such approval.
3. Procedures for
notifying parents and eligible students if student PII will be collected by the
online educational service.
4. Where student PII will be collected by the online educational service,
procedures for notifying parents and eligible students of information that will
be collected, how it will be used, when and how it will be destroyed, and the
terms of re-disclosure, if any; and
5. An explicit prohibition against using any
online educational service that will share or sell a student's PII for
commercial purposes, including but not limited to targeted advertising, without
providing parents a means to either consent or disapprove. This disclosure
prohibition does not prevent the purchase, merger, or other type of acquisition
of a third-party provider or online educational service by another entity,
provided that the successor entity continues to be subject to the provisions of
this rule with respect to previously acquired PII.
6. For any online educational service that a
student or parent is required to use, a district must provide notice on its
website of the PII information that may be collected, how it will be used, when
it will be destroyed and the terms of re-disclosure. This notice must include a
link to the online educational service's terms of service and privacy policy,
if publicly available.
(b) For online educational services that
students and parents are referred to as part of a school activity or function,
but are not required to use, school districts and charter school governing
boards must provide notice to parents and eligible students if such online
services have not been reviewed and approved in accordance with paragraph
(3)(a).
(4) Contracts or Agreements with Third-Party Vendors.
(a) All
contracts or agreements executed by or on behalf of a school district or
charter school with a third-party vendor or a third-party service provider must
protect the privacy of education records and student PII contained therein. Any
agreement that provides for the disclosure or use of student PII must:
1. Require compliance with FERPA, its
implementing regulations, and Section 1002.22, F.S.
2. Where applicable, require compliance with
COPPA, 15 U.S.C. ss. 6501-6506, and its implementing regulations.
3. Where applicable,
require vendors to ensure compliance with the Student Online Personal
Information Protection Act, Section 1006.1494, F.S.
4. Ensure that only the PII necessary for the
service being provided will be disclosed to the third party; and
5. Prohibit disclosure or re-disclosure of
student PII unless one of the conditions set forth in paragraph (4)(b) has been
met.
(b) Contracts or
agreements with a third-party vendor or third-party service provider may permit
the disclosure of PII to the third party only where one or more of the
following conditions has been met:
1. The disclosure is authorized by FERPA and 34 CFR § 99.31.
2. The disclosure is authorized by the school
board or charter governing board's directory information policy implemented in
accordance with FERPA and 34 CFR § 99.37; or
3. The disclosure is authorized by written
consent of an eligible student or parent. Consent must include, at a minimum,
an explanation of who the PII would be disclosed to, how it would be used, and
whether re-disclosure is permitted. Any re-disclosure must meet the
requirements of paragraph (4)(b) and must be authorized by the school board or
charter school governing board.
Rulemaking Authority 1001.02(1), (2)(n), 1002.22(3), 1006.1494 FS.
Law Implemented 1002.22(2), (3), 1002.221, 1006.1494 FS.
New 9-26-23.