Bill Text: IA HF92 | 2017-2018 | 87th General Assembly | Introduced


Bill Title: A bill for an act relating to student personal information protection and providing remedies. (See HF 2354.)

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced - Dead) 2018-03-01 - Withdrawn. H.J. 441.


House File 92 - Introduced




                                 HOUSE FILE       
                                 BY  PETTENGILL

                                      A BILL FOR

  1 An Act relating to student personal information protection and
  2    providing remedies.
  3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
    TLSB 1417YH (8) 87
    kh/jh/rj

PAG LIN



  1  1    Section 1.  Section 714H.3, subsection 2, Code 2017, is
  1  2 amended by adding the following new paragraph:
  1  3    NEW PARAGRAPH.  h.  Chapter 715D.
  1  4    Sec. 2.  NEW SECTION.  715D.1  Definitions.
  1  5    As used in this chapter, unless the context otherwise
  1  6 requires:
  1  7    1.  "Covered information" means personally identifiable
  1  8 information or materials, in any media or format that meets any
  1  9 of the following:
  1 10    a.  Is created or provided by a student, or the student's
  1 11 parent or legal guardian, to an operator in the course of the
  1 12 student's, parent's, or legal guardian's use of the operator's
  1 13 internet site, service, or application for kindergarten through
  1 14 grade twelve school purposes.
  1 15    b.  Is created or provided by an employee or agent of the
  1 16 school district, accredited nonpublic school, or area education
  1 17 agency, to an operator.
  1 18    c.  Is gathered by an operator through the operation
  1 19 of an internet site, service, or application described in
  1 20 subsection 3 and is descriptive of a student or otherwise
  1 21 identifies a student, including but not limited to information
  1 22 in the student's educational record or e-mail, first and last
  1 23 name, home address, telephone number, e-mail address, other
  1 24 information that allows physical or online contact, discipline
  1 25 records, test results, special education data, juvenile
  1 26 dependency records, grades, evaluations, criminal records,
  1 27 medical records, health records, social security number,
  1 28 biometric information, disabilities, socioeconomic information,
  1 29 food purchases, political affiliations, religious information,
  1 30 text messages, documents, student identifiers, search activity,
  1 31 photos, voice recordings, or geolocation information.
  1 32    2.  "Kindergarten through grade twelve school purposes"
  1 33 means purposes that customarily take place at the direction
  1 34 of a school district or accredited nonpublic school offering
  1 35 instruction at any or all levels from kindergarten through
  2  1 grade twelve, at the direction of an area education agency, or
  2  2 at the direction of a teacher employed by or under contract
  2  3 with a school district, accredited nonpublic school, or area
  2  4 education agency, and purposes which aid in the administration
  2  5 of school activities, including but not limited to instruction
  2  6 in the classroom or at home, administrative activities, and
  2  7 collaboration between students, school personnel, or parents,
  2  8 or are for the use and benefit of the school district, school,
  2  9 or area education agency.
  2 10    3.  "Operator" means the operator of an internet site, online
  2 11 service, online application, or mobile application with actual
  2 12 knowledge that the internet site, service, or application is
  2 13 used primarily for kindergarten through grade twelve school
  2 14 purposes and was designed and marketed for kindergarten
  2 15 through grade twelve school purposes.  "Operator" includes
  2 16 any third party that receives student data, including covered
  2 17 information, from a school district, accredited nonpublic
  2 18 school, or area education agency. "Online service" includes
  2 19 cloud computing services that otherwise meet the definition of
  2 20 an operator.
  2 21    Sec. 3.  NEW SECTION.  715D.2  Prohibitions -- duties --
  2 22 exceptions.
  2 23    1.  An operator, with respect to the operator's internet
  2 24 site, service, or application, shall not knowingly do any of
  2 25 the following:
  2 26    a.  Engage in targeted advertising on the operator's internet
  2 27 site, service, or application, or target advertising on any
  2 28 other internet site, service, or application when the targeting
  2 29 of the advertising is based upon any information, including
  2 30 covered information and persistent unique identifiers, that the
  2 31 operator has acquired because of the use of that operator's
  2 32 internet site, service, or application described in section
  2 33 715D.1, subsection 3.
  2 34    b.  Use information, including persistent unique identifiers
  2 35 such as unique student identifiers, created or gathered by the
  3  1 operator's internet site, service, or application, to amass
  3  2 a profile about a student enrolled in a kindergarten through
  3  3 grade twelve school in this state except in furtherance of
  3  4 kindergarten through grade twelve school purposes.
  3  5    c.  Sell a student's information, including covered
  3  6 information.  This prohibition does not apply to the purchase,
  3  7 merger, or other type of acquisition of an operator by another
  3  8 entity, provided that the operator or successor entity
  3  9 continues to be subject to the provisions of this chapter with
  3 10 respect to previously acquired student information.
  3 11    d.  Disclose covered information unless the disclosure is any
  3 12 of the following:
  3 13    (1)  In furtherance of the kindergarten through grade twelve
  3 14 school purposes of the internet site, service, or application,
  3 15 provided that the recipient of the covered information
  3 16 disclosed pursuant to this subparagraph shall not further
  3 17 disclose the information unless done to allow or improve
  3 18 operability and functionality within that student's classroom
  3 19 or school and the recipient is legally required to comply with
  3 20 this paragraph "d".
  3 21    (2)  To ensure legal and regulatory compliance.
  3 22    (3)  To respond to or participate in judicial process.
  3 23    (4)  To protect the safety of the internet site users or
  3 24 other persons identified on the internet site or security of
  3 25 the internet site.
  3 26    (5)  To a service provider, provided the operator
  3 27 contractually prohibits the service provider from using any
  3 28 covered information for any purpose other than providing the
  3 29 contracted service to, or on behalf of, the operator, prohibits
  3 30 the service provider from disclosing any covered information
  3 31 provided by the operator to subsequent third parties; and
  3 32 requires the service provider to implement and maintain
  3 33 reasonable security procedures and practices as provided in
  3 34 subsection 3.
  3 35    2.  Subsection 1 shall not be construed to prohibit the
  4  1 operator's use of information for maintaining, developing,
  4  2 supporting, improving, or diagnosing the operator's internet
  4  3 site, service, or application.
  4  4    3.  An operator shall do all of the following:
  4  5    a.  Implement and maintain reasonable security procedures and
  4  6 practices appropriate to the nature of the covered information,
  4  7 and protect the covered information from unauthorized access,
  4  8 destruction, use, modification, or disclosure.
  4  9    b.  Delete a student's covered information if the school
  4 10 district, accredited nonpublic school, or area education agency
  4 11 requests deletion of data under the control of the school
  4 12 district, the school, or the area education agency.
  4 13    c.  Notwithstanding subsection 1, paragraph "d", as long
  4 14 as the operator does not violate subsection 1, paragraph "a",
  4 15 "b", or "c", an operator may disclose covered information of a
  4 16 student under the following circumstances:
  4 17    (1)  If other provisions of federal or state law require the
  4 18 operator to disclose the information and the operator complies
  4 19 with the requirements of federal and state law in protecting
  4 20 and disclosing that information.
  4 21    (2)  For legitimate research purposes as required by state or
  4 22 federal law and subject to the restrictions under applicable
  4 23 state or federal law or as allowed by state or federal law
  4 24 and under the direction of a school district, an accredited
  4 25 nonpublic school, an area education agency, or the state or
  4 26 federal department of education, if no covered information is
  4 27 used for any purpose in furtherance of advertising or to amass
  4 28 a profile of the student for purposes other than kindergarten
  4 29 through grade twelve school purposes.
  4 30    (3)  To state or local educational agencies, including
  4 31 school districts, accredited nonpublic schools, area education
  4 32 agencies, and community colleges, for kindergarten through
  4 33 grade twelve school purposes, as permitted by state or federal
  4 34 law.
  4 35    4.  This section shall not be construed to do any of the
  5  1 following:
  5  2    a.  Prohibit an operator from using deidentified student
  5  3 covered information as follows:
  5  4    (1)  Within the operator's internet site, service, or
  5  5 application or other internet sites, services, or applications
  5  6 owned by the operator to improve educational products.
  5  7    (2)  To demonstrate the effectiveness of the operator's
  5  8 products or services and their marketing.
  5  9    b.  Prohibit an operator from sharing aggregated deidentified
  5 10 student covered information for the development and improvement
  5 11 of educational internet sites, services, or applications.
  5 12    c.  Limit the authority of a law enforcement agency to obtain
  5 13 any content or information from an operator as authorized
  5 14 by law or pursuant to an order of a court of competent
  5 15 jurisdiction.
  5 16    d.  Limit the ability of an operator to use student data,
  5 17 including covered information, for adaptive learning or
  5 18 customized student learning purposes.
  5 19    e.  Apply to general audience internet sites, general
  5 20 audience online services, general audience online applications,
  5 21 or general audience mobile applications, even if login
  5 22 credentials created for an operator's internet site, service,
  5 23 or application may be used to access those general audience
  5 24 internet sites, services, or applications.
  5 25    f.  Restrict internet service providers from providing
  5 26 internet connectivity to schools or students and their
  5 27 families.
  5 28    g.  Prohibit an operator of an internet site, online service,
  5 29 online application, or mobile application from marketing
  5 30 educational products directly to parents so long as the
  5 31 marketing did not result from the use of covered information
  5 32 obtained by the operator through the provision of services
  5 33 regulated under this section.
  5 34    h.  Impose a duty upon a provider of an electronic store,
  5 35 gateway, or marketplace, or of another means of purchasing
  6  1 or downloading software or applications to review or enforce
  6  2 compliance with this section by such software or applications.
  6  3    i.  Impose a duty upon a provider of an interactive computer
  6  4 service, as defined in 47 U.S.C. §230, to review or enforce
  6  5 compliance with this section by third-party content providers.
  6  6    j.  Impede the ability of students to download, export, or
  6  7 otherwise save or maintain their own student-created data or
  6  8 documents.
  6  9    Sec. 4.  NEW SECTION.  715D.3  Remedies.
  6 10    1.  A violation of this chapter is an unlawful practice
  6 11 pursuant to section 714.16 and, in addition to the remedies
  6 12 provided to the attorney general pursuant to section 714.16,
  6 13 subsection 7, the attorney general may seek and obtain an order
  6 14 that a party held to violate this chapter pay damages to the
  6 15 attorney general for the benefit of a person injured by the
  6 16 violation.
  6 17    2.  The rights and remedies available under this chapter are
  6 18 cumulative to each other and to any other rights and remedies
  6 19 available under the law.
  6 20                           EXPLANATION
  6 21 The inclusion of this explanation does not constitute agreement with
  6 22 the explanation's substance by the members of the general assembly.
  6 23    This bill places restrictions on third parties that
  6 24 receive student data from a school district, accredited
  6 25 nonpublic school, or area education agency; and on operators
  6 26 of internet sites, online services, online applications, and
  6 27 mobile applications designed, marketed, and used primarily
  6 28 for kindergarten through grade 12 (K-12) school purposes.  A
  6 29 violation of any of the restrictions is an unlawful practice
  6 30 pursuant to Code section 714.16, a prohibited practice or act
  6 31 under Code section 714H.3, and, in addition, the attorney
  6 32 general may bring a civil action on behalf of an injured
  6 33 person.
  6 34    PROHIBITIONS AND DISCLOSURE PROVISIONS.  The bill prohibits
  6 35 an operator from engaging in targeted advertising that is
  7  1 based on or derived from information the operator acquired
  7  2 through the operator's internet site, service, or application;
  7  3 from using information created or gathered by the operator's
  7  4 internet site, service, or application, to amass a profile
  7  5 about a student enrolled in a K-12 school in this state except
  7  6 in furtherance of school purposes; and from selling a student's
  7  7 information, though this prohibition does not apply to the
  7  8 purchase, merger, or other type of acquisition of an operator
  7  9 by another entity, provided that the operator or successor
  7 10 entity continues to be subject to the restrictions relating to
  7 11 previously acquired student information.
  7 12    The operator is also prohibited from disclosing covered
  7 13 information unless the disclosure is in furtherance of the K-12
  7 14 school purposes and the recipient of the covered information is
  7 15 subject to similar restrictions.  Disclosure is also authorized
  7 16 in order to ensure legal and regulatory compliance, to respond
  7 17 to or participate in judicial process, or to protect the
  7 18 safety of the internet site users or persons identified on the
  7 19 internet site or security of the internet site.
  7 20    The operator may also disclose covered information to a
  7 21 service provider if the operator implements and maintains
  7 22 reasonable security procedures and practices, and, if the
  7 23 service provider is contractually prohibited from using any
  7 24 of the information for any purpose other than providing the
  7 25 contracted service to, or on behalf of, the operator, and from
  7 26 disclosing any covered information provided by the operator to
  7 27 subsequent third parties.
  7 28    However, these prohibitions shall not be construed to
  7 29 prohibit the operator's use of information for maintaining,
  7 30 developing, supporting, improving, or diagnosing the operator's
  7 31 internet site, service, or application.
  7 32    The operator is required to implement and maintain
  7 33 reasonable security procedures and practices appropriate to the
  7 34 nature of the covered information, and protect that information
  7 35 from unauthorized access, destruction, use, modification, or
  8  1 disclosure; and to delete a student's covered information if
  8  2 the school district, accredited nonpublic school, or area
  8  3 education agency requests deletion of data under the control of
  8  4 the school district, school, or area education agency.
  8  5    Notwithstanding the disclosure prohibitions, as long as the
  8  6 operator does not violate the provisions prohibiting targeting
  8  7 advertising, the use of student information to amass a profile,
  8  8 and the sale of student information, an operator may disclose
  8  9 covered information of a student if other provisions of federal
  8 10 or state law require the operator to disclose the information,
  8 11 or for legitimate research purposes as required by and subject
  8 12 to state or federal law and under the direction of the school
  8 13 district, school, or area education agency; and to state or
  8 14 local educational agencies as permitted by state or federal
  8 15 law.
  8 16    The bill shall not be construed to prohibit an operator
  8 17 from using deidentified student covered information to improve
  8 18 educational products or to demonstrate the effectiveness of
  8 19 the operator's products or services and their marketing; to
  8 20 prohibit an operator from sharing aggregated deidentified
  8 21 student covered information for the development and improvement
  8 22 of educational internet sites, services, or applications; to
  8 23 limit a law enforcement agency from obtaining information
  8 24 as authorized by law or court order; to limit the ability
  8 25 of an operator to use student data for adaptive learning or
  8 26 customized student learning purposes; to apply to general
  8 27 audience internet sites, general audience online services,
  8 28 general audience online applications, or general audience
  8 29 mobile applications; to restrict internet service providers
  8 30 from providing internet connectivity to schools or students
  8 31 and their families; to prohibit an operator from marketing
  8 32 educational products directly to parents so long as the
  8 33 marketing did not result from the use of covered information;
  8 34 to impose a duty upon a provider of an electronic store,
  8 35 gateway, marketplace, or other means of purchasing or
  9  1 downloading software or applications to review or enforce
  9  2 compliance with applicable restrictions by such software
  9  3 or applications; to impose a duty upon a provider of an
  9  4 interactive computer service to review or enforce compliance
  9  5 by third-party content providers; or to impede the ability of
  9  6 students to download, export, or otherwise save or maintain
  9  7 their own student-created data or documents.
  9  8    REMEDIES.  The bill provides that a violation of new Code
  9  9 chapter 715D is a prohibited practice or act under Code section
  9 10 714H.3, providing for a private right of action for a person
  9 11 who suffers an ascertainable loss of money or property as the
  9 12 result of a prohibited practice or act, allowing the person to
  9 13 bring an action at law to recover actual damages and to seek
  9 14 court protection from further violations including temporary
  9 15 and permanent injunctive relief.
  9 16    The bill provides that a violation of new Code chapter 715D
  9 17 is an unlawful practice pursuant to Code section 714.16. In
  9 18 addition to the remedies provided to the attorney general
  9 19 pursuant to Code section 714.16(7), the attorney general may
  9 20 seek and obtain an order that a party held to violate the
  9 21 chapter pay damages to the attorney general on behalf of a
  9 22 person injured by the violation.  The rights and remedies
  9 23 available are cumulative to each other and to any other rights
  9 24 and remedies available under the law.
  9 25    DEFINITIONS.  The bill provides that "online service"
  9 26 includes cloud computing services.  "Operator" means
  9 27 the operator of an internet site, online service, online
  9 28 application, or mobile application with actual knowledge that
  9 29 the internet site, service, or application is used primarily
  9 30 for K-12 school purposes and was designed and marketed for K-12
  9 31 school purposes. "Operator" includes any third party that
  9 32 receives student data, including "covered information", from a
  9 33 school district, accredited nonpublic school, or area education
  9 34 agency. "Covered information" means personally identifiable
  9 35 information or materials, in any media or format that is
 10  1 created or provided by a student, or the student's parent or
 10  2 legal guardian, to an operator in the course of the student's,
 10  3 parent's, or legal guardian's use of the operator's site,
 10  4 service, or application for K-12 school purposes; is created
 10  5 or provided by an employee or agent of the school district,
 10  6 accredited nonpublic school, or area education agency, to an
 10  7 operator; or is gathered by an operator and is descriptive of a
 10  8 student or otherwise identifies a student.
 10  9    "Kindergarten through grade twelve school purposes" means
 10 10 purposes that customarily take place at the direction of
 10 11 a school district or accredited nonpublic school offering
 10 12 instruction at any or all levels from K-12 or at the direction
 10 13 of an area education agency or a teacher employed by or under
 10 14 contract with a school district, accredited nonpublic school,
 10 15 or area education agency, and purposes which aid in the
 10 16 administration of school activities, including but not limited
 10 17 to instruction in the classroom or at home, administrative
 10 18 activities, and collaboration between students, school
 10 19 personnel, or parents, or are for the use and benefit of the
 10 20 school district, school, or area education agency.