2016 -- H 7582 | |
======== | |
LC004299 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2016 | |
____________ | |
A N A C T | |
RELATING TO EDUCATION - STUDENT ONLINE PERSONAL INFORMATION | |
PROTECTION ACT | |
| |
Introduced By: Representatives Hearn, Serpa, Fellela, Nunes, and Naughton | |
Date Introduced: February 11, 2016 | |
Referred To: House Health, Education & Welfare | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 16 of the General Laws entitled "EDUCATION" is hereby amended |
2 | by adding thereto the following chapter: |
3 | CHAPTER 106 |
4 | STUDENT ONLINE PERSONAL INFORMATION PROTECTION ACT |
5 | 16-106-1. Short title. -- This chapter shall be known and may be cited as the "Student |
6 | Online Personal Information Protection Act." |
7 | 16-106-2. Definitions. -- The following words and phrases used in this chapter shall have |
8 | the following meanings unless the context clearly indicates otherwise: |
9 | (1) "Covered information" means any sensitive, nonpublic, personal information. |
10 | (2) "K-12 school purposes" means purposes that customarily take place at the direction of |
11 | the K-12 school, teacher, or school district or aid in the administration of school activities, |
12 | including, but not limited to, instruction in the classroom or at home, administrative activities, |
13 | and collaboration between students, school personnel, or parents, or are for the use and benefit of |
14 | the school. |
15 | (3) "Operator" means the operator of an Internet website, online service, online |
16 | application, or mobile application with actual knowledge that the site, service, or application is |
17 | used primarily for K-12 school purposes and was designed and marketed for K-12 school |
18 | purposes. |
| |
1 | (4) "Online service" means and includes cloud computing services, which must comply |
2 | with this section if the service otherwise meets the definition of an operator. |
3 | (5) "Covered information" means personally identifiable information or materials, in any |
4 | media or format that meets any of the following: |
5 | (i) Is created or provided by a student, or the student's parent or legal guardian, to an |
6 | operator in the course of the student's, parent's, or legal guardian's use of the operator's site, |
7 | service, or application for K-12 school purposes. |
8 | (ii) Is created or provided by an employee or agent of the K-12 school, school district, |
9 | local education agency, or county office of education, to an operator. |
10 | (iii) Is gathered by an operator through the operation of a site, service, or application for |
11 | K-12 services defined in §16-106-2 and is descriptive of a student or otherwise identifies a |
12 | student, including, but not limited to, information in the student's educational record or email, |
13 | first and last name, home address, telephone number, email address, or other information that |
14 | allows physical or online contact, discipline records, test results, special education data, juvenile |
15 | dependency records, grades, evaluations, criminal records, medical records, health records, social |
16 | security number, biometric information, disabilities, socioeconomic information, food purchases, |
17 | political affiliations, religious information, text messages, documents, student identifiers, search |
18 | activity, photos, voice recordings, or geolocation information. |
19 | 16-106-3. Prohibited activities. -- (a) An operator shall not knowingly engage in any of |
20 | the following activities with respect to their site, service, or application: |
21 | (1) Engage in targeted advertising on the operator's site, service, or application, or target, |
22 | advertising on any other site, service, or application when the targeting of the advertising is based |
23 | upon any information, including covered information and persistent unique identifiers, that the |
24 | operator has acquired because of the use of that operator's site, service, or application in a K-12 |
25 | school. |
26 | (2) Use information, including persistent unique identifiers, created or gathered by the |
27 | operator's site, service, or application, to amass a profile about a K-12 student except in |
28 | furtherance of K-12 school purposes. |
29 | (3) Sell a student's information, including covered information. This prohibition does not |
30 | apply to the purchase, merger, or other type of acquisition of an operator by another entity, |
31 | provided that the operator or successor entity continues to be subject to the provisions of this |
32 | section with respect to previously acquired student information. |
33 | (4) Disclose covered information unless the disclosure is made: |
34 | (i) In furtherance of the K-12 purpose of the site, service, or application, provided the |
| LC004299 - Page 2 of 6 |
1 | recipient of the covered information disclosed pursuant to this subsection: |
2 | (A) Shall not further disclose the information unless done to allow or improve operability |
3 | and functionality within that student's classroom or school; and |
4 | (B) Is legally required to comply with subsection (e) of this section. |
5 | (ii) To ensure legal and regulatory compliance; |
6 | (iii) To respond to or participate in judicial process; |
7 | (iv) To protect the safety of users or others or security of the state; or |
8 | (v) To a service provider, provided the operator contractually: |
9 | (A) Prohibits the service provider from using any covered information for any purpose |
10 | other than providing the contracted service to, or on behalf of, the operator; |
11 | (B) Prohibits the service provider from disclosing any covered information provided by |
12 | the operator with subsequent third parties; and |
13 | (C) Requires the service provider to implement and maintain reasonable security |
14 | procedures and practices as provided in subsection (c) of this section. |
15 | (b) Nothing in subsection (a) of this section shall be construed to prohibit the operator's |
16 | use of information for maintaining, developing, supporting, improving, or diagnosing the |
17 | operator's site, service, or application. |
18 | (c) An operator shall: |
19 | (1) Implement and maintain reasonable security procedures and practices appropriate to |
20 | the nature of the covered information, and protect that information from unauthorized access, |
21 | destruction, use, modification, or disclosure. |
22 | (2) Delete a student's covered information if the school or district requests deletion of |
23 | data under the control of the school or district. |
24 | (d) Notwithstanding the provisions of §16-106-3(a)(4), an operator may disclose covered |
25 | information of a student, as long as §§16-106-3(a)(1),(2), or (3), are not violated, under the |
26 | following circumstances: |
27 | (1) If other provisions of federal or state law require the operator to disclose the |
28 | information, and the operator complies with the requirements of federal and state law in |
29 | protecting and disclosing that information. |
30 | (2) For legitimate research purposes: either as required by state or federal law and subject |
31 | to the restrictions under applicable state and federal law, or as allowed by state or federal law and |
32 | under the direction of a school, school district, or state department of education, if no covered |
33 | information is used for any purpose in furtherance of advertising or to amass a profile on the |
34 | student for purposes other than K-12 school purposes. |
| LC004299 - Page 3 of 6 |
1 | (3) To a state or local educational agency, including schools and school districts, for K-12 |
2 | school purposes, as permitted by state or federal law. |
3 | (e) Nothing in this section shall be construed to prohibit an operator from using de- |
4 | identified student covered information as follows: |
5 | (1) With in the operator's site, service, or application or other sites, services, or |
6 | applications owned by the operator to improve educational products. |
7 | (2) To demonstrate the effectiveness of the operator's products or services, including in |
8 | their marketing. |
9 | (f) Nothing in this section shall be construed to prohibit an operator from sharing |
10 | aggregated de-identified student covered information for the development and improvement of |
11 | educational sites, services, or applications. |
12 | (g) This section shall not be construed to limit the authority of a law enforcement agency |
13 | to obtain any content or information from an operator as authorized by law or pursuant to an |
14 | order of a court of competent jurisdiction. |
15 | (h) This section does not limit the ability of an operator to use student data, including |
16 | covered information, for adaptive learning or customized student learning purposes. |
17 | (i) This section does not apply to general audience Internet websites, general audience |
18 | online services, general audience online applications, or general audience mobile applications, |
19 | even if login credentials created for an operator's site, service, or application may be used to |
20 | access those general audience sites, services, or applications. |
21 | (j) This section does not limit Internet service providers from providing Internet |
22 | connectivity to schools or students and their families. |
23 | (k) This section shall not be construed to prohibit an operator of an Internet website, |
24 | online service, online application, or mobile application from marketing educational products |
25 | directly to parents so long as the marketing did not result from the use of covered information |
26 | obtained by the operator through the provision of services covered under this section. |
27 | (l) This section does not impose a duty upon a provider of an electronic store, gateway, |
28 | marketplace, or other means of purchasing or downloading software or applications to review or |
29 | enforce compliance of this section on those applications or software. |
30 | (m) This section does not impose a duty upon a provider of an interactive computer |
31 | service, as defined in 47 U.S.C. §230, to review or enforce compliance with this section by third- |
32 | party content providers. |
33 | (n) This section does not impede the ability of students to download, export, or otherwise |
34 | save or maintain their own student created data or documents. |
| LC004299 - Page 4 of 6 |
1 | 16-106-4. Severability. -- The provisions of this act are severable. If any provision of |
2 | this chapter or its application is held invalid, that invalidity shall not affect other provisions or |
3 | applications that can be given effect without the invalid provision or application. |
4 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC004299 | |
======== | |
| LC004299 - Page 5 of 6 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO EDUCATION - STUDENT ONLINE PERSONAL INFORMATION | |
PROTECTION ACT | |
*** | |
1 | This act would create the "Student Online Personal Information Protection Act" the |
2 | purpose of which would be, to protect K-12 students personal information from operators of |
3 | Internet services which are provided to schools grades K-12 by requiring that the use of any |
4 | information gathered about the student in K-12 be used for educational purposes only. |
5 | This act would take effect upon passage. |
======== | |
LC004299 | |
======== | |
| LC004299 - Page 6 of 6 |