House File 2354 - Introduced
HOUSE FILE
BY COMMITTEE ON EDUCATION
(SUCCESSOR TO HF 92)
A BILL FOR
An Act relating to student personal information protection.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 1417HV (3) 87 kh/jh/rj
Section 1. NEW SECTION. 279.70 Student online personal information protection.
1. As used in this section, unless the context otherwise requires:
a. "Attendance center" means a school district building that contains classrooms used for instructional purposes for elementary, middle, or secondary school students.
b. "Covered information" means personally identifiable information or material, or information that is linked to personally identifiable information or material, in any media or format that is not publicly available and is any of the following:
(1) Created by or provided to an operator by a student, or the student's parent or legal guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for kindergarten through grade twelve school purposes.
(2) Created by or provided to an operator by an employee or agent of a school district or attendance center for kindergarten through grade twelve school purposes.
(3) Gathered by an operator through the operation of its site, service, or application for kindergarten through grade twelve school purposes and personally identifies a student, including but not limited to information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
c. "Interactive computer service" means that term as defined in 47 U.S.C. §230.
d. "Kindergarten through grade twelve school purposes" means purposes that are directed by or that customarily take place at the direction of a kindergarten through grade twelve attendance center, school district, or a practitioner employed by a school district, in the administration of school activities, including but not limited to instruction in the classroom or at home, administrative activities, and collaboration between students, school district or attendance center personnel, or parents, or are otherwise for the use and benefit of the school district or attendance center.
e. "Operator" means, to the extent that it is operating in this capacity, the operator of an internet site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for kindergarten through grade twelve school purposes and was designed and marketed for such purposes.
f. "School district" means a public school district described in chapter 274.
g. "Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. "Targeted advertising" does not include advertising to a student at an online location based upon that student's current visit to that location, or in response to that student's request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent ads.
2. a. An operator shall not knowingly do any of the following:
(1) Engage in targeted advertising on the operator's internet site, service, or application, or target advertising on any other internet site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's internet site, service, or application for kindergarten through grade twelve school purposes.
(2) Use information, including persistent unique identifiers, created or gathered by the operator's internet site, service, or application, to amass a profile about a student except in furtherance of kindergarten through grade twelve school purposes. "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent or guardian, or kindergarten through grade twelve school.
(3) Sell or rent a student's information, including covered information. This subparagraph does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with this section regarding previously acquired student information, or to national assessment providers if the provider secures the express written consent of the parent or student, given in response to clear and conspicuous notice, solely to provide access to employment, educational scholarships or financial aid, or postsecondary educational opportunities.
(4) Except as otherwise provided in subsection 4, disclose covered information unless the disclosure is made for the following purposes:
(a) In furtherance of the kindergarten through grade twelve school purpose of the internet site, service, or application, if the recipient of the covered information disclosed under this subparagraph division does not further disclose the information unless done to allow or improve operability and functionality of the operator's internet site, service, or application.
(b) To ensure legal and regulatory compliance or protect against liability.
(c) To respond to or participate in the judicial process.
(d) To protect the safety or integrity of users of the internet site or others or the security of the internet site, service, or application.
(e) For a kindergarten through grade twelve school, educational, or employment purpose requested by the student or the student's parent or guardian, provided that the information is not used or further disclosed for any other purpose.
(f) To a third party, if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator and requires the third party to protect student information to the same extent that the operator is required to do pursuant to this section, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain security procedures and practices consistent with current industry standards and all applicable state and federal laws, rules, and regulations.
b. Nothing in paragraph "a" shall prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's internet site, service, or application.
3. An operator shall do all of the following:
a. Implement and maintain security procedures and practices consistent with current industry standards and all applicable state and federal laws, rules, and regulations appropriate to the nature of the covered information designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure.
b. Delete as soon as reasonably practicable, a student's covered information if the school district or attendance center requests deletion of covered information under the control of the school district or attendance center, unless a student or parent or guardian consents to the maintenance of the covered information.
4. An operator may use or disclose covered information of a student under all of the following circumstances:
a. If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.
b. If no covered information is used for advertising or to amass a profile on the student for purposes other than elementary, middle school, or high school purposes; for legitimate research purposes, as required by state or federal law and subject to the restrictions under applicable state and federal law; or as allowed by state or federal law and in furtherance of kindergarten through grade twelve school purposes or postsecondary educational purposes.
c. To a state or local educational agency, including kindergarten through grade twelve attendance centers and school districts, for kindergarten through grade twelve school purposes, as permitted by state or federal law.
5. This section does not prohibit an operator from doing any of the following:
a. Using covered information to improve educational products if that information is not associated with an identified student within the operator's internet site, service, or application or other internet sites, services, or applications owned by the operator.
b. Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in the operator's marketing.
c. Sharing covered information that is not associated with an identified student for the development and improvement of educational internet sites, services, or applications.
d. Using recommendation engines to recommend to a student either of the following:
(1) Additional content relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.
(2) Additional services relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.
e. Responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.
6. This section does not do any of the following:
a. Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.
b. Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.
c. Apply to general audience internet sites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's internet site, service, or application may be used to access those general audience internet sites, services, or applications.
d. Limit service providers from providing internet connectivity to attendance centers or students and students' families.
e. Prohibit an operator of an internet site, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
f. Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software.
g. Impose a duty on a provider of an interactive computer service to review or enforce compliance with this section by third-party content providers.
h. Prohibit students from downloading, exporting, transferring, saving, or maintaining the students' own student data or documents.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation's substance by the members of the general assembly.
This bill places restrictions on third parties that receive student data from a school district or attendance center, and on operators of internet sites, online services, online applications, and mobile applications designed, marketed, and used primarily for kindergarten through grade 12 (K-12) school purposes.
PROHIBITIONS AND DISCLOSURE PROVISIONS. The bill prohibits an operator from knowingly engaging in targeted advertising that is based on or derived from information the operator acquired through use of that operator's internet sites and from using information created or gathered by the operator to amass a profile about a K-12 student in this state except in furtherance of school purposes. The bill also prohibits an operator from knowingly selling a student's information, though this prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the same restrictions.
The operator is also prohibited from disclosing covered information unless the disclosure is in furtherance of K-12 school purposes and the recipient of the covered information is subject to similar restrictions. Disclosure is also authorized in order to ensure legal and regulatory compliance, to respond to or participate in judicial process, or to protect the safety or security of the internet site.
The operator may also disclose covered information to a service provider if the operator implements and maintains reasonable security procedures and if the service provider is contractually prohibited from using any of the information for any purpose other than providing the contracted service to, or on behalf of, the operator, and from disclosing any covered information provided by the operator to subsequent third parties.
However, these prohibitions do not prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's internet site, service, or application.
The operator is required to implement and maintain reasonable security procedures and protect covered information from unauthorized access, destruction, use, modification, or disclosure; and to delete a student's covered information if the school district or attendance center requests deletion of data under its control.
Notwithstanding the disclosure prohibitions, as long as the operator does not violate the provisions prohibiting targeted advertising, the use of student information to amass a profile, and the sale of student information, an operator may disclose covered information of a student if other provisions of federal or state law require the operator to disclose the information, or for legitimate research purposes as required by and subject to state or federal law and under the direction of the school district or attendance center; and to state or local educational agencies as permitted by state or federal law.
The bill does not prohibit an operator from using deidentified student covered information to improve educational products; limit a law enforcement agency from obtaining information as authorized by law or court order; limit the ability of an operator to use student data for adaptive learning or customized student learning purposes; apply to general audience internet sites, services, and online applications; restrict internet service providers from providing internet connectivity to attendance centers or students and their families; prohibit an operator from marketing educational products directly to parents so long as the marketing did not result from the use of covered information; impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with applicable restrictions by such software or applications; impose a duty upon a provider of an interactive computer service to review or enforce compliance by third-party content providers; or prohibit students from downloading, exporting, or otherwise saving or maintaining their own student-created data or documents.
DEFINITIONS. The bill provides definitions for "operator", "covered information", "targeted advertising", and "kindergarten through grade twelve school purposes".
LSB 1417HV (3) 87 kh/jh/rj