Full Text of SB0229 99th General Assembly
SB0229sam001 99TH GENERAL ASSEMBLY | Sen. Michael E. Hastings Filed: 3/9/2016
| | 09900SB0229sam001 | | LRB099 03158 NHT 45060 a |
|
| 1 | | AMENDMENT TO SENATE BILL 229
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 229 by replacing | 3 | | everything after the enacting clause with the following:
| 4 | | "Section 1. Short title. This Act may be cited as the | 5 | | Student Online Personal Protection Act. | 6 | | Section 5. Definitions. In this Act: | 7 | | "Covered information" means personally identifiable | 8 | | information or material or information that is linked to | 9 | | personally identifiable information or material in any media or | 10 | | format that is not publicly available and is any of the | 11 | | following: | 12 | | (1) Created by or provided to an operator by a student | 13 | | or the student's parent or legal guardian in the course of | 14 | | the student's, parent's, or legal guardian's use of the | 15 | | operator's site, service, or application for K through 12 | 16 | | school purposes. |
| | | 09900SB0229sam001 | - 2 - | LRB099 03158 NHT 45060 a |
|
| 1 | | (2) Created by or provided to an operator by an | 2 | | employee or agent of a school or school district for K | 3 | | through 12 school purposes. | 4 | | (3) Gathered by an operator through the operation of | 5 | | its site, service, or application for K through 12 school | 6 | | purposes and personally identifies a student, including, | 7 | | but not limited to, information in the student's | 8 | | educational record or electronic mail, first and last name, | 9 | | home address, telephone number, electronic mail address, | 10 | | or other information that allows physical or online | 11 | | contact, discipline records, test results, special | 12 | | education data, juvenile dependency records, grades, | 13 | | evaluations, criminal records, medical records, health | 14 | | records, a social security number, biometric information, | 15 | | disabilities, socioeconomic information, food purchases, | 16 | | political affiliations, religious information, text | 17 | | messages, documents, student identifiers, search activity, | 18 | | photos, voice recordings, or geolocation information. | 19 | | "Interactive computer service" has the meaning ascribed to | 20 | | that term in Section 230 of the federal Communications Decency | 21 | | Act of 1996 (47 U.S.C. 230). | 22 | | "K through 12 school purposes" means purposes that are | 23 | | directed by or that customarily take place at the direction of | 24 | | a school, teacher, or school district; aid in the | 25 | | administration of school activities, including, but not | 26 | | limited to, instruction in the classroom or at home, |
| | | 09900SB0229sam001 | - 3 - | LRB099 03158 NHT 45060 a |
|
| 1 | | administrative activities, and collaboration between students, | 2 | | school personnel, or parents; or are otherwise for the use and | 3 | | benefit of the school. | 4 | | "Operator" means, to the extent that an entity is operating | 5 | | in this capacity, the operator of an Internet website, online | 6 | | service, online application, or mobile application with actual | 7 | | knowledge that the site, service, or application is used | 8 | | primarily for K through 12 school purposes and was designed and | 9 | | marketed for K through 12 school purposes. | 10 | | "School" means a school that offers any of grades | 11 | | kindergarten through 12 and that is operated by a school | 12 | | district. | 13 | | "Targeted advertising" means presenting advertisements to | 14 | | a student where the advertisement is selected based on | 15 | | information obtained or inferred over time from that student's | 16 | | online behavior, usage of applications, or covered | 17 | | information. The term does not include advertising to a student | 18 | | at an online location based upon that student's current visit | 19 | | to that location or in response to that student's request for | 20 | | information or feedback, without the retention of that | 21 | | student's online activities or requests over time for the | 22 | | purpose of targeting subsequent ads. | 23 | | Section 10. Operator prohibitions. An operator shall not | 24 | | knowingly do any of the following: | 25 | | (1) Engage in targeted advertising on the operator's |
| | | 09900SB0229sam001 | - 4 - | LRB099 03158 NHT 45060 a |
|
| 1 | | site, service, or application or target advertising on any | 2 | | other site, service, or application if the targeting of the | 3 | | advertising is based on any information, including covered | 4 | | information and persistent unique identifiers, that the | 5 | | operator has acquired because of the use of that operator's | 6 | | site, service, or application for K through 12 school | 7 | | purposes. | 8 | | (2) Use information, including persistent unique | 9 | | identifiers, created or gathered by the operator's site, | 10 | | service, or application to amass a profile about a student, | 11 | | except in furtherance of K through 12 school purposes. | 12 | | "Amass a profile" does not include the collection and | 13 | | retention of account information that remains under the | 14 | | control of the student, the student's parent or legal | 15 | | guardian, or the school. | 16 | | (3) Sell or rent a student's information, including | 17 | | covered information. This subdivision (3) does not apply to | 18 | | the purchase, merger, or other type of acquisition of an | 19 | | operator by another entity if the operator or successor | 20 | | entity complies with this Act regarding previously | 21 | | acquired student information. | 22 | | (4) Except as otherwise provided in Section 20 of this | 23 | | Act, disclose covered information, unless the disclosure | 24 | | is made for the following purposes: | 25 | | (A) In furtherance of the K through 12 school | 26 | | purposes of the site, service, or application if the |
| | | 09900SB0229sam001 | - 5 - | LRB099 03158 NHT 45060 a |
|
| 1 | | recipient of the covered information disclosed under | 2 | | this clause (A) does not further disclose the | 3 | | information, unless done to allow or improve | 4 | | operability and functionality of the operator's site, | 5 | | service, or application. | 6 | | (B) To ensure legal and regulatory compliance or | 7 | | protect
against liability. | 8 | | (C) To respond to or participate in the judicial | 9 | | process. | 10 | | (D) To protect the safety or integrity of users of | 11 | | the site or others or the security of the site, | 12 | | service, or application. | 13 | | (E) For a school, educational, or employment | 14 | | purpose requested by the student or the student's | 15 | | parent or legal guardian, provided that the | 16 | | information is not used or further disclosed for any | 17 | | other purpose. | 18 | | (F) To a third party if the operator contractually | 19 | | prohibits the third party from using any covered | 20 | | information for any purpose other than providing the | 21 | | contracted service to or on behalf of the operator, | 22 | | prohibits the third party from disclosing any covered | 23 | | information provided by the operator with subsequent | 24 | | third parties, and requires the third party to | 25 | | implement and maintain reasonable security procedures | 26 | | and practices. |
| | | 09900SB0229sam001 | - 6 - | LRB099 03158 NHT 45060 a |
|
| 1 | | Nothing in this Section prohibits the operator's use of | 2 | | information for maintaining, developing, supporting, | 3 | | improving, or diagnosing the operator's site, service, or | 4 | | application. | 5 | | Section 15. Operator duties. An operator shall do both of | 6 | | the following: | 7 | | (1) Implement and maintain reasonable security | 8 | | procedures and practices appropriate to the nature of the | 9 | | covered information and designed to protect that covered | 10 | | information from unauthorized access, destruction, use, | 11 | | modification, or disclosure. | 12 | | (2) Delete, within a reasonable time period, a | 13 | | student's covered information if the school or school | 14 | | district requests deletion of covered information under | 15 | | the control of the school or school district, unless a | 16 | | student or his or her parent or legal guardian consents to | 17 | | the maintenance of the covered information. | 18 | | Section 20. Permissive use or disclosure. An operator may | 19 | | use or disclose covered information of a student under the | 20 | | following circumstances: | 21 | | (1) If other provisions of federal or State law require | 22 | | the operator to disclose the information, and the operator | 23 | | complies with the requirements of federal and State law in | 24 | | protecting and disclosing that information. |
| | | 09900SB0229sam001 | - 7 - | LRB099 03158 NHT 45060 a |
|
| 1 | | (2) For legitimate research purposes as required by | 2 | | State or federal law and subject to the restrictions under | 3 | | applicable State and federal law or as allowed by State or | 4 | | federal law and under the direction of a school, school | 5 | | district, or the State Board of Education if the covered | 6 | | information is not used for advertising or to amass a | 7 | | profile on the student for purposes other than for K | 8 | | through 12 school purposes. | 9 | | (3) To a State or local educational agency, including | 10 | | schools and school districts, for K through 12 school | 11 | | purposes, as permitted by State or federal law. | 12 | | Section 25. Operator actions that are not prohibited. This | 13 | | Act does not prohibit an operator from doing any of the | 14 | | following: | 15 | | (1) Using covered information to improve educational | 16 | | products if that information is not associated with an | 17 | | identified student within the operator's site, service, or | 18 | | application or other sites, services, or applications | 19 | | owned by the operator. | 20 | | (2) Using covered information that is not associated | 21 | | with an identified student to demonstrate the | 22 | | effectiveness of the operator's products or services, | 23 | | including in their marketing. | 24 | | (3) Sharing covered information that is not associated | 25 | | with an identified student for the development and |
| | | 09900SB0229sam001 | - 8 - | LRB099 03158 NHT 45060 a |
|
| 1 | | improvement of educational sites, services, or | 2 | | applications. | 3 | | (4) Using recommendation engines to recommend to a | 4 | | student either of the following: | 5 | | (A) Additional content relating to an educational, | 6 | | other learning, or employment opportunity purpose | 7 | | within an online site, service, or application if the | 8 | | recommendation is not determined in whole or in part by | 9 | | payment or other consideration from a third party. | 10 | | (B) Additional services relating to an | 11 | | educational, other learning, or employment opportunity | 12 | | purpose within an online site, service, or application | 13 | | if the recommendation is not determined in whole or in | 14 | | part by payment or other consideration from a third | 15 | | party. | 16 | | (5) Responding to a student's request for information | 17 | | or for feedback without the information or response being | 18 | | determined in whole or in part by payment or other | 19 | | consideration from a third party. | 20 | | Section 30. Applicability. This Act does not do any of the | 21 | | following: | 22 | | (1) Limit the authority of a law enforcement agency to | 23 | | obtain any content or information from an operator as | 24 | | authorized by law or under a court order. | 25 | | (2) Limit the ability of an operator to use student |
| | | 09900SB0229sam001 | - 9 - | LRB099 03158 NHT 45060 a |
|
| 1 | | data, including covered information, for adaptive learning | 2 | | or customized student learning purposes. | 3 | | (3) Apply to general audience Internet websites, | 4 | | general audience online services, general audience online | 5 | | applications, or general audience mobile applications, | 6 | | even if login credentials created for an operator's site, | 7 | | service, or application may be used to access those general | 8 | | audience sites, services, or applications. | 9 | | (4) Limit service providers from providing Internet | 10 | | connectivity to schools or students and their families. | 11 | | (5) Prohibit an operator of an Internet website, online | 12 | | service, online application, or mobile application from | 13 | | marketing educational products directly to parents if the | 14 | | marketing did not result from the use of covered | 15 | | information obtained by the operator through the provision | 16 | | of services covered under this Act. | 17 | | (6) Impose a duty upon a provider of an electronic | 18 | | store, gateway, marketplace, or other means of purchasing | 19 | | or downloading software or applications to review or | 20 | | enforce compliance with this Act on those applications or | 21 | | software. | 22 | | (7) Impose a duty upon a provider of an interactive | 23 | | computer service to review or enforce compliance with this | 24 | | Act by third-party content providers. | 25 | | (8) Prohibit students from downloading, exporting, | 26 | | transferring, saving, or maintaining their own student |
| | | 09900SB0229sam001 | - 10 - | LRB099 03158 NHT 45060 a |
|
| 1 | | data or documents. | 2 | | Section 99. Effective date. This Act takes effect upon | 3 | | becoming law.".
|
|