Bill Text: MI SB0510 | 2015-2016 | 98th Legislature | Introduced

NOTE: There are more recent revisions of this legislation.
Bill Title: Communications; Internet; student online personal protection act; establish. Create new act.

Spectrum: Partisan Bill (Republican 11-0)

Status: (Passed) 2016-12-28 - Assigned Pa 0368'16 With Immediate Effect

SENATE BILL No. 510

September 24, 2015, Introduced by Senators PAVLOV, COLBECK, BOOHER, KOWALL, EMMONS, PROOS, SCHUITMAKER, HANSEN, KNOLLENBERG, HORN and MARLEAU and referred to the Committee on Education.

 

 

 

A bill to prohibit the disclosure or use of certain information.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

Sec. 1. This act shall be known and may be cited as the "student online personal protection act".

 

Sec. 3. As used in this act:

(a) "Covered information" means personally identifiable information or material in any media or format that is any of the following:

(i) Created by or provided to an operator by a student, or the student's parent or legal guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K–12 school purposes.

(ii) Created by or provided to an operator by an employee or agent of a K-12 school or school district.

(iii) Gathered by an operator through the operation of a site, service, or application for K-12 school purposes and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

 

(b) "Interactive computer service" means that term as defined in 47 USC 230.

(c) "K-12 school" means a school that offers any of grades kindergarten to 12 and that is operated by a school district.

(d) "K–12 school purposes" means purposes that customarily take place at the direction of a K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

(e) "Operator" means the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.

(f) "School district" means a school district, intermediate school district, or public school academy, as those terms are defined in the revised school code, 1976 PA 451, MCL 380.1 to 380.1852.

(g) "Service provider" means a company that provides its subscribers with Internet access.

 

Sec. 5. (1) An operator shall not knowingly do any of the following:

(a) Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes.

(b) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K–12 school purposes.

(c) Sell a student's information, including covered information. This subdivision does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with this section regarding previously acquired student information.

 

(d) Except as otherwise provided in subsection (3), disclose covered information unless the disclosure is made for the following purposes:

(i) In furtherance of the K–12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under this subparagraph does not further disclose the information unless done to allow or improve operability and functionality within that student's classroom or K-12 school.

(ii) To ensure legal and regulatory compliance.

(iii) To respond to or participate in the judicial process.

(iv) To protect the safety of users of the site or the security of the site.

(v) To a service provider, if the operator contractually prohibits the service provider from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and requires the service provider to implement and maintain reasonable security procedures and practices. This subparagraph does not prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.

 

(2) An operator shall do all of the following:

(a) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Delete a student's covered information if the K-12 school or school district requests deletion of data under the control of the K-12 school or school district.

 

(3) An operator may disclose covered information of a student under the following circumstances:

(a) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information.

(b) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law or as allowed by state or federal law and under the direction of a K-12 school, school district, or state department of education, if covered information is not used for advertising or to amass a profile on the student for purposes other than K–12 school purposes.

(c) To a state or local educational agency, including K-12 schools and school districts, for K–12 school purposes, as permitted by state or federal law.

 

(4) This section does not prohibit an operator from doing any of the following:

(a) Using covered information that is not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products.

(b) Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in their marketing.

(c) Sharing aggregated covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications.

 

(5) This section does not do any of the following:

(a) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.

(b) Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.

(c) Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.

(d) Limit service providers from providing Internet connectivity to schools or students and their families.

(e) Prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.

(f) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software.

(g) Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this section by third-party content providers.

(h) Prohibit students from downloading, exporting, saving, or maintaining their own student-created data or documents.

 

Enacting section 1. This act takes effect 90 days after the date it is enacted into law.
