2016 -- H 7582

========

LC004299

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2016

____________

A N   A C T

RELATING TO EDUCATION - STUDENT ONLINE PERSONAL INFORMATION

PROTECTION ACT

     

     Introduced By: Representatives Hearn, Serpa, Fellela, Nunes, and Naughton

     Date Introduced: February 11, 2016

     Referred To: House Health, Education & Welfare

     It is enacted by the General Assembly as follows:

1

     SECTION 1. Title 16 of the General Laws entitled "EDUCATION" is hereby amended

2

by adding thereto the following chapter:

3

CHAPTER 106

4

STUDENT ONLINE PERSONAL INFORMATION PROTECTION ACT

5

     16-106-1. Short title. -- This chapter shall be known and may be cited as the "Student

6

Online Personal Information Protection Act."

7

     16-106-2. Definitions. -- The following words and phrases used in this chapter shall have

8

the following meanings unless the context clearly indicates otherwise:

9

     (1) "Covered information" means any sensitive, nonpublic, personal information.

10

     (2) "K-12 school purposes" means purposes that customarily take place at the direction of

11

the K-12 school, teacher, or school district or aid in the administration of school activities,

12

including, but not limited to, instruction in the classroom or at home, administrative activities,

13

and collaboration between students, school personnel, or parents, or are for the use and benefit of

14

the school.

15

     (3) "Operator" means the operator of an Internet website, online service, online

16

application, or mobile application with actual knowledge that the site, service, or application is

17

used primarily for K-12 school purposes and was designed and marketed for K-12 school

18

purposes.

 

1

     (4) "Online service" means and includes cloud computing services, which must comply

2

with this section if the service otherwise meets the definition of an operator.

3

     (5) "Covered information" means personally identifiable information or materials, in any

4

media or format that meets any of the following:

5

     (i) Is created or provided by a student, or the student's parent or legal guardian, to an

6

operator in the course of the student's, parent's, or legal guardian's use of the operator's site,

7

service, or application for K-12 school purposes.

8

     (ii) Is created or provided by an employee or agent of the K-12 school, school district,

9

local education agency, or county office of education, to an operator.

10

     (iii) Is gathered by an operator through the operation of a site, service, or application for

11

K-12 services defined in §16-106-2 and is descriptive of a student or otherwise identifies a

12

student, including, but not limited to, information in the student's educational record or email,

13

first and last name, home address, telephone number, email address, or other information that

14

allows physical or online contact, discipline records, test results, special education data, juvenile

15

dependency records, grades, evaluations, criminal records, medical records, health records, social

16

security number, biometric information, disabilities, socioeconomic information, food purchases,

17

political affiliations, religious information, text messages, documents, student identifiers, search

18

activity, photos, voice recordings, or geolocation information.

19

     16-106-3. Prohibited activities. -- (a) An operator shall not knowingly engage in any of

20

the following activities with respect to their site, service, or application:

21

     (1) Engage in targeted advertising on the operator's site, service, or application, or target,

22

advertising on any other site, service, or application when the targeting of the advertising is based

23

upon any information, including covered information and persistent unique identifiers, that the

24

operator has acquired because of the use of that operator's site, service, or application in a K-12

25

school.

26

     (2) Use information, including persistent unique identifiers, created or gathered by the

27

operator's site, service, or application, to amass a profile about a K-12 student except in

28

furtherance of K-12 school purposes.

29

     (3) Sell a student's information, including covered information. This prohibition does not

30

apply to the purchase, merger, or other type of acquisition of an operator by another entity,

31

provided that the operator or successor entity continues to be subject to the provisions of this

32

section with respect to previously acquired student information.

33

     (4) Disclose covered information unless the disclosure is made:

34

     (i) In furtherance of the K-12 purpose of the site, service, or application, provided the

 

LC004299 - Page 2 of 6

1

recipient of the covered information disclosed pursuant to this subsection:

2

     (A) Shall not further disclose the information unless done to allow or improve operability

3

and functionality within that student's classroom or school; and

4

     (B) Is legally required to comply with subsection (e) of this section.

5

     (ii) To ensure legal and regulatory compliance;

6

     (iii) To respond to or participate in judicial process;

7

     (iv) To protect the safety of users or others or security of the state; or

8

     (v) To a service provider, provided the operator contractually:

9

     (A) Prohibits the service provider from using any covered information for any purpose

10

other than providing the contracted service to, or on behalf of, the operator;

11

     (B) Prohibits the service provider from disclosing any covered information provided by

12

the operator with subsequent third parties; and

13

     (C) Requires the service provider to implement and maintain reasonable security

14

procedures and practices as provided in subsection (c) of this section.

15

     (b) Nothing in subsection (a) of this section shall be construed to prohibit the operator's

16

use of information for maintaining, developing, supporting, improving, or diagnosing the

17

operator's site, service, or application.

18

     (c) An operator shall:

19

     (1) Implement and maintain reasonable security procedures and practices appropriate to

20

the nature of the covered information, and protect that information from unauthorized access,

21

destruction, use, modification, or disclosure.

22

     (2) Delete a student's covered information if the school or district requests deletion of

23

data under the control of the school or district.

24

     (d) Notwithstanding the provisions of §16-106-3(a)(4), an operator may disclose covered

25

information of a student, as long as §§16-106-3(a)(1),(2), or (3), are not violated, under the

26

following circumstances:

27

     (1) If other provisions of federal or state law require the operator to disclose the

28

information, and the operator complies with the requirements of federal and state law in

29

protecting and disclosing that information.

30

     (2) For legitimate research purposes: either as required by state or federal law and subject

31

to the restrictions under applicable state and federal law, or as allowed by state or federal law and

32

under the direction of a school, school district, or state department of education, if no covered

33

information is used for any purpose in furtherance of advertising or to amass a profile on the

34

student for purposes other than K-12 school purposes.

 

LC004299 - Page 3 of 6

1

     (3) To a state or local educational agency, including schools and school districts, for K-12

2

school purposes, as permitted by state or federal law.

3

     (e) Nothing in this section shall be construed to prohibit an operator from using de-

4

identified student covered information as follows:

5

     (1) With in the operator's site, service, or application or other sites, services, or

6

applications owned by the operator to improve educational products.

7

     (2) To demonstrate the effectiveness of the operator's products or services, including in

8

their marketing.

9

     (f) Nothing in this section shall be construed to prohibit an operator from sharing

10

aggregated de-identified student covered information for the development and improvement of

11

educational sites, services, or applications.

12

     (g) This section shall not be construed to limit the authority of a law enforcement agency

13

to obtain any content or information from an operator as authorized by law or pursuant to an

14

order of a court of competent jurisdiction.

15

     (h) This section does not limit the ability of an operator to use student data, including

16

covered information, for adaptive learning or customized student learning purposes.

17

     (i) This section does not apply to general audience Internet websites, general audience

18

online services, general audience online applications, or general audience mobile applications,

19

even if login credentials created for an operator's site, service, or application may be used to

20

access those general audience sites, services, or applications.

21

     (j) This section does not limit Internet service providers from providing Internet

22

connectivity to schools or students and their families.

23

     (k) This section shall not be construed to prohibit an operator of an Internet website,

24

online service, online application, or mobile application from marketing educational products

25

directly to parents so long as the marketing did not result from the use of covered information

26

obtained by the operator through the provision of services covered under this section.

27

     (l) This section does not impose a duty upon a provider of an electronic store, gateway,

28

marketplace, or other means of purchasing or downloading software or applications to review or

29

enforce compliance of this section on those applications or software.

30

     (m) This section does not impose a duty upon a provider of an interactive computer

31

service, as defined in 47 U.S.C. §230, to review or enforce compliance with this section by third-

32

party content providers.

33

     (n) This section does not impede the ability of students to download, export, or otherwise

34

save or maintain their own student created data or documents.

 

LC004299 - Page 4 of 6

1

     16-106-4. Severability. -- The provisions of this act are severable. If any provision of

2

this chapter or its application is held invalid, that invalidity shall not affect other provisions or

3

applications that can be given effect without the invalid provision or application.

4

     SECTION 2. This act shall take effect upon passage.

========

LC004299

========

 

LC004299 - Page 5 of 6

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO EDUCATION - STUDENT ONLINE PERSONAL INFORMATION

PROTECTION ACT

***

1

     This act would create the "Student Online Personal Information Protection Act" the

2

purpose of which would be, to protect K-12 students personal information from operators of

3

Internet services which are provided to schools grades K-12 by requiring that the use of any

4

information gathered about the student in K-12 be used for educational purposes only.

5

     This act would take effect upon passage.

========

LC004299

========

 

LC004299 - Page 6 of 6