Be it enacted by the General Assembly of Virginia:

1. That §22.1-289.01 of the Code of Virginia is amended and reenacted as follows:

§22.1-289.01. School service providers; student personal information.

A. For the purposes of this section:

"Elementary and secondary school purposes" means purposes that (i) customarily take place at the direction of an elementary or secondary school, elementary or secondary school teacher, or school division; (ii) aid in the administration of school activities, including instruction in the classroom or at home; administrative activities; and collaboration between students, school personnel, or parents; or (iii) are otherwise for the use and benefit of an elementary or secondary school.

"Personal profile" does not include account information that is collected and retained by a school service provider and remains under control of a student, parent, or elementary or secondary school.

"School service" means a website, mobile application, or online service that (i) is designed and marketed solely primarily for use in elementary or secondary schools; (ii) is used at the direction of teachers or other employees at elementary or secondary schools; and (iii) collects and maintains, uses, or shares student personal information. "School service" does not include a website, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if it is also marketed for use in elementary or secondary schools.

"School service provider" means an entity that operates a school service pursuant to a contract with a local school division in the Commonwealth.

"Student personal information" means information collected through a school service that identifies an individual student or is linked to information that identifies an individual student.

"Targeted advertising" means advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information. "Targeted advertising" does not include advertising (i) that is presented to a student at an online location (a) on the basis of such student's online behavior, use of applications, or sharing of student personal information during his current visit to that online location or (b) in response to that student's request for information or feedback and (ii) for which a student's online activities or requests are not retained over time for the purpose of subsequent advertising.

B. Each In operating a school service pursuant to a contract with a local school division, each school service provider shall:

1. Provide clear and easy-to-understand information about the types of student personal information it collects through any school service and how it maintains, uses, or shares such student personal information;

2. Maintain a policy for the privacy of student personal information for each school service and provide prominent notice before making material changes to its policy for the privacy of student personal information for the relevant school service;

3. Maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information and makes use of appropriate administrative, technological, and physical safeguards;

4. Facilitate access to and correction of student personal information by each student whose student personal information has been collected, maintained, used, or shared by the school service provider, or by such student's parent, either directly or through the student's school or teacher;

5. Collect, maintain, use, and share student personal information only with the consent of the student or, if the student is less than 18 years of age, his parent or for the purposes authorized in the contract between the school division and the school service provider;

6. When it collects student personal information directly from the student, obtain the consent of the student or, if the student is less than 18 years of age, his parent before using student personal information in a manner that is inconsistent with its policy for the privacy of student personal information for the relevant school service, and when it collects student personal information from an individual or entity other than the student, obtain the consent of the school division before using student personal information in a manner that is inconsistent with its policy for the privacy of student personal information for the relevant school service; and

7. Ensure that Require any successor entity or third party with whom it contracts abides to abide by its policy for the privacy of student personal information and comprehensive information security program before accessing student personal information.; and

8. Upon the request of the school or school division, delete student personal information within a reasonable period of time after such request unless the student or, if the student is less than 18 years of age, his parent consents to the maintenance of the student personal information by the school service provider.

C. No In operating a school service pursuant to a contract with a local school division, no school service provider shall knowingly:

1. Use or share any student personal information for the purpose of behaviorally targeting advertisements to targeted advertising to students;

2. Use or share any student personal information to create a personal profile of a student other than for supporting elementary and secondary school purposes authorized in the contract between by the school division and the school service provider, with the consent of the student or, if the student is less than 18 years of age, his parent, or as otherwise authorized in the contract between the school division and the school service provider;

3. Knowingly retain student personal information beyond the time period authorized in the contract between the school division and the school service provider, except with the consent of the student or, if the student is less than 18 years of age, his parent; or

4. 3. Sell student personal information, except to the extent that such student personal information is sold to or acquired by a successor entity that purchases, merges with, or otherwise acquires the school service provider, subject to the provisions of subdivision B 7.

D. Nothing in this section shall be construed to prohibit school service providers from using:

1. Using student personal information for purposes of adaptive learning, personalized learning, or customized education.;

2. Using student personal information for maintaining, developing, supporting, improving, or diagnosing the school service;

3. Providing recommendations for employment, school, educational, or other learning purposes within a school service when such recommendation is not determined in whole or in part by payment or other consideration from a third party;

4. Disclosing student personal information to (i) ensure legal or regulatory compliance, (ii) protect against liability, or (iii) protect the security or integrity of its school service; or

5. Disclosing student personal information pursuant to a contract with a service provider, provided that the school service provider (i) contractually prohibits the service provider from using any student personal information for any purpose other than providing the contracted service to or on behalf of the school service provider, (ii) contractually prohibits the service provider from disclosing any student personal information provided by the school service provider to any third party unless such disclosure is permitted by subdivision 7, and (iii) requires the service provider to comply with the requirements set forth in subsection B and prohibitions set forth in subsection C.

E. Nothing in this section shall be construed to:

1. Impose a duty upon a provider of an electronic store, gateway, marketplace, forum, or means for purchasing or downloading software or applications to review or enforce compliance with this section with regard to any school service provider whose school service is available for purchase or download on such electronic store, gateway, marketplace, forum, or means;

2. Impose liability on an interactive computer service, as that term is defined in 47 U.S.C. §230(f), for content provided by another individual; or

3. Prohibit any student from downloading, exporting, transferring, saving, or maintaining his personal information, data, or documents.

E. F. No school service provider in operation on June 30, 2015 2016, shall be subject to the provisions of this section until such time as the contract to operate a school service is renewed.