Bill Text: MI SB0510 | 2015-2016 | 98th Legislature | Engrossed
Bill Title: Communications; Internet; student online personal protection act; establish. Create new act.
Spectrum: Partisan Bill (Republican 11-0)
Status: (Passed) 2016-12-28 - Assigned Pa 0368'16 With Immediate Effect
SB-0510, As Passed House, December 7, 2016
HOUSE SUBSTITUTE FOR
SENATE BILL NO. 510
A bill to prohibit the disclosure or use of certain
information.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the
"student online personal protection act".
Sec. 3. As used in this act:
(a) "Covered information" means personally identifiable
information or material in any media or format that is any of the
following:
(i) Created by or provided to an operator by a student, or the
student's parent or legal guardian, in the course of the student's,
parent's, or legal guardian's use of the operator's site, service,
or application for K–12 school purposes.
(ii) Created by or provided to an operator by an employee or
agent of a K-12 school or school district for K-12 school purposes.
(iii) Gathered by an operator through the operation of a site,
service, or application for K-12 school purposes and personally
identifies a student, including, but not limited to, information in
the student's educational record or electronic mail, first and last
name, home address, telephone number, electronic mail address, or
other information that allows physical or online contact,
discipline records, test results, special education data, juvenile
dependency records, grades, evaluations, criminal records, medical
records, health records, social security number, biometric
information, disabilities, socioeconomic information, food
purchases, political affiliations, religious information, text
messages, documents, student identifiers, search activity, photos,
voice recordings, or geolocation information.
(b) "Interactive computer service" means that term as defined
in 47 USC 230.
(c) "K-12 school" means a school that offers any of grades
kindergarten to 12 and that is operated by a school district.
(d) "K–12 school purposes" means purposes that are directed by
or that customarily take place at the direction of a K-12 school,
teacher, or school district or aid in the administration of school
activities, including, but not limited to, instruction in the
classroom or at home, administrative activities, and collaboration
between students, school personnel, or parents, or are for the use
and benefit of the school. Other than advertising described in
section 5(3)(b), K-12 school purposes also includes those purposes
related to K-12 students preparing for postsecondary education.
(e) "Operator" means, to the extent that it is operating in
this capacity, the operator of an Internet website, online service,
online application, or mobile application with actual knowledge
that the site, service, or application is used primarily for K–12
school purposes and was designed and marketed for K–12 school
purposes.
(f) "School district" means a school district, intermediate
school district, or public school academy, as those terms are
defined in the revised school code, 1976 PA 451, MCL 380.1 to
380.1852.
(g) "Service provider" means a person or entity that provides
a service that enables users to access content, information,
electronic mail, or other services offered over the Internet or a
computer network.
(h) "Targeted advertising" means presenting an advertisement
to a student where the advertisement is selected based on
information obtained or inferred from that student's online
behavior, usage of applications, or covered information. Targeted
advertising does not include advertising to a student at an online
location based upon that student's current visit to that location
or single search query without the collection and retention of a
student's online activities over time.
Sec. 5. (1) An operator shall not knowingly do any of the
following:
(a) Engage in targeted advertising on the operator's site,
service, or application, or target advertising on any other site,
service, or application if the targeting of the advertising is
based on any information, including covered information and
persistent unique identifiers, that the operator has acquired
because of the use of that operator's site, service, or application
for K-12 school purposes.
(b) Use information, including persistent unique identifiers,
created or gathered by the operator's site, service, or
application, to amass a profile about a student except in
furtherance of K–12 school purposes. As used in this subdivision,
"amass a profile" does not include the collection and retention of
account registration records or information that remains under the
control of the student, the student's parent or guardian, or K-12
school.
(c) Sell or rent a student's information, including covered
information. This subdivision does not apply to the purchase,
merger, or other type of acquisition of an operator by another
entity, if the operator or successor entity complies with this
section regarding previously acquired student information.
(d) Except as otherwise provided in subsection (3), disclose
covered information unless the disclosure is made for the following
purposes:
(i) In furtherance of the K–12 school purpose of the site,
service, or application, if the recipient of the covered
information disclosed under this subparagraph does not further
disclose the information unless done to allow or improve
operability and functionality of the operator's site, service, or
application.
(ii) To ensure legal and regulatory compliance or protect
against liability.
(iii) To respond to or participate in the judicial process.
(iv) To protect the safety or integrity of users of the site
or others or the security of the site, service, or application.
(v) For a school, educational, or employment purpose requested
by the student or the student's parent or guardian, provided that
that information is not used or further disclosed for any other
purpose.
(vi) To a service provider, if the operator contractually
prohibits the service provider from using any covered information
for any purpose other than providing the contracted service to or
on behalf of the operator, prohibits the service provider from
disclosing any covered information provided by the operator with
subsequent third parties, and requires the service provider to
implement and maintain reasonable security procedures and
practices. This subparagraph does not prohibit the operator's use
of information for maintaining, developing, supporting, improving,
or diagnosing the operator's site, service, or application.
(2) An operator shall do all of the following:
(a) Implement and maintain reasonable security procedures and
practices appropriate to the nature of the covered information, and
protect that covered information from unauthorized access,
destruction, use, modification, or disclosure.
(b) Delete a student's covered information if the K-12 school
or school district requests deletion of covered information under
the control of the K-12 school or school district.
(3) An operator may use or disclose covered information of a
student under the following circumstances:
(a) If other provisions of federal or state law require the
operator to disclose the information, and the operator complies
with the requirements of federal and state law in protecting and
disclosing that information.
(b) For legitimate research purposes as required by state or
federal law and subject to the restrictions under applicable state
and federal law or as allowed by state or federal law and under the
direction of a K-12 school, school district, or state department of
education, if covered information is not used for advertising or to
amass a profile on the student for purposes other than K–12 school
purposes.
(c) To a state or local educational agency, including K-12
schools and school districts, for K–12 school purposes, as
permitted by state or federal law.
(4) This section does not prohibit an operator from doing any
of the following:
(a) Using covered information that is not associated with an
identified student within the operator's site, service, or
application or other sites, services, or applications owned by the
operator to improve educational products.
(b) Using covered information that is not associated with an
identified student to demonstrate the effectiveness of the
operator's products or services, including in their marketing.
(c) Sharing covered information that is not associated with an
identified student for the development and improvement of
educational sites, services, or applications.
(d) Using recommendation engines to recommend to a student
either of the following:
(i) Additional content relating to an educational, other
learning, or employment opportunity purpose within the operator's
site, service, or application if the recommendation is not
determined in whole or in part by payment or other consideration
from a third party.
(ii) Additional services relating to an educational, other
learning, or employment opportunity purpose within the operator's
site, service, or application if the recommendation is not
determined in whole or in part by payment or other consideration
from a third party.
(e) Responding to a student's request for information or for
feedback to help improve learning without the information or
response being determined in whole or in part by payment or other
consideration from a third party.
(5) This section does not do any of the following:
(a) Limit the authority of a law enforcement agency to obtain
any content or information from an operator as authorized by law or
under a court order.
(b) Limit the ability of an operator to use student data,
including covered information, for adaptive learning or customized
student learning purposes.
(c) Apply to general audience Internet websites, general
audience online services, general audience online applications, or
general audience mobile applications, even if login credentials
created for an operator's site, service, or application may be used
to access those general audience sites, services, or applications.
(d) Limit service providers from providing Internet
connectivity to schools or students and their families.
(e) Prohibit an operator of an Internet website, online
service, online application, or mobile application from marketing
educational products directly to parents if the marketing did not
result from the use of covered information obtained by the operator
through the provision of services covered under this section.
(f) Impose a duty upon a provider of an electronic store,
gateway, marketplace, or other means of purchasing or downloading
software or applications to review or enforce compliance with this
section on those applications or software.
(g) Impose a duty upon a provider of an interactive computer
service to review or enforce compliance with this section by
third-party content providers.
(h) Prohibit students from downloading, exporting,
transferring, saving, or maintaining their own student data or
documents.
(i) Prohibit a K-12 school, school district, operator, or
service provider from using a student's information, including
covered information, solely to identify or display information to
the student about or facilitate connection of the student with a
not-for-profit institution of higher education or a scholarship
opportunity if the K-12 school or school district has first
obtained the express written consent of the student's parent or
legal guardian or, if the student is age 18 or older or is an
emancipated minor, the student. For the purposes of this
subdivision, that express written consent may be obtained as a
response to the annual notice required under 34 CFR 99.7 and is not
required to be in addition to consent given in response to that
annual notice.
Enacting section 1. This act takes effect 90 days after the
date it is enacted into law.