Bill Text: IA HF213 | 2015-2016 | 86th General Assembly | Introduced
Bill Title: A bill for an act relating to student online personal information protection and providing remedies.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2015-03-04 - Passed subcommittee. [HF213 Detail]
Download: Iowa-2015-HF213-Introduced.html
House File 213 - Introduced HOUSE FILE BY PETTENGILL A BILL FOR 1 An Act relating to student online personal information 2 protection and providing remedies. 3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: TLSB 1575YH (4) 86 kh/rj PAG LIN 1 1 Section 1. Section 714H.3, subsection 2, Code 2015, is 1 2 amended by adding the following new paragraph: 1 3 NEW PARAGRAPH. g. Chapter 715D. 1 4 Sec. 2. NEW SECTION. 715D.1 Definitions. 1 5 As use in this chapter, unless the context otherwise 1 6 requires: 1 7 1. "Covered information" means personally identifiable 1 8 information or materials, in any media or format that meets any 1 9 of the following: 1 10 a. Is created or provided by a student, or the student's 1 11 parent or legal guardian, to an operator in the course of the 1 12 student's, parent's, or legal guardian's use of the operator's 1 13 internet site, service, or application for kindergarten through 1 14 grade twelve school purposes. 1 15 b. Is created or provided by an employee or agent of the 1 16 school district, accredited nonpublic school, or area education 1 17 agency, to an operator. 1 18 c. Is gathered by an operator through the operation 1 19 of an internet site, service, or application described in 1 20 subsection 3 and is descriptive of a student or otherwise 1 21 identifies a student, including but not limited to information 1 22 in the student's educational record or e=mail, first and last 1 23 name, home address, telephone number, e=mail address, other 1 24 information that allows physical or online contact, discipline 1 25 records, test results, special education data, juvenile 1 26 dependency records, grades, evaluations, criminal records, 1 27 medical records, health records, social security number, 1 28 biometric information, disabilities, socioeconomic information, 1 29 food purchases, political affiliations, religious information, 1 30 text messages, documents, student identifiers, search activity, 1 31 photos, voice recordings, or geolocation information. 1 32 2. "Kindergarten through grade twelve school purposes" 1 33 means purposes that customarily take place at the direction 1 34 of a school district or accredited nonpublic school offering 1 35 instruction at any or all levels from kindergarten through 2 1 grade twelve, at the direction of an area education agency, or 2 2 at the direction of a teacher employed by or under contract 2 3 with a school district, accredited nonpublic school, or area 2 4 education agency, and purposes which aid in the administration 2 5 of school activities, including but not limited to instruction 2 6 in the classroom or at home, administrative activities, and 2 7 collaboration between students, school personnel, or parents, 2 8 or are for the use and benefit of the school district, school, 2 9 or area education agency. 2 10 3. "Operator" means the operator of an internet site, online 2 11 service, online application, or mobile application with actual 2 12 knowledge that the internet site, service, or application is 2 13 used primarily for kindergarten through grade twelve school 2 14 purposes and was designed and marketed for kindergarten through 2 15 grade twelve school purposes. "Online service" includes cloud 2 16 computing services that otherwise meet the definition of an 2 17 operator. 2 18 Sec. 3. NEW SECTION. 715D.2 Prohibitions == duties == 2 19 exceptions. 2 20 1. An operator, with respect to the operator's internet 2 21 site, service, or application, shall not knowingly do any of 2 22 the following: 2 23 a. Engage in targeted advertising on the operator's internet 2 24 site, service, or application, or target advertising on any 2 25 other internet site, service, or application when the targeting 2 26 of the advertising is based upon any information, including 2 27 covered information and persistent unique identifiers, that the 2 28 operator has acquired because of the use of that operator's 2 29 internet site, service, or application described in section 2 30 715D.1, subsection 3. 2 31 b. Use information, including persistent unique identifiers 2 32 such as unique student identifiers, created or gathered by the 2 33 operator's internet site, service, or application, to amass 2 34 a profile about a student enrolled in a kindergarten through 2 35 grade twelve school in this state except in furtherance of 3 1 kindergarten through grade twelve school purposes. 3 2 c. Sell a student's information, including covered 3 3 information. This prohibition does not apply to the purchase, 3 4 merger, or other type of acquisition of an operator by another 3 5 entity, provided that the operator or successor entity 3 6 continues to be subject to the provisions of this chapter with 3 7 respect to previously acquired student information. 3 8 d. Disclose covered information unless the disclosure is any 3 9 of the following: 3 10 (1) In furtherance of the kindergarten through grade twelve 3 11 school purposes of the internet site, service, or application 3 12 provided that the recipient of the covered information 3 13 disclosed pursuant to this subparagraph shall not further 3 14 disclose the information unless done to allow or improve 3 15 operability and functionality within that student's classroom 3 16 or school and the recipient is legally required to comply with 3 17 this paragraph "d". 3 18 (2) To ensure legal and regulatory compliance. 3 19 (3) To respond to or participate in judicial process. 3 20 (4) To protect the safety of the internet site users or 3 21 other persons identified on the internet site or security of 3 22 the internet site. 3 23 (5) To a service provider, provided the operator 3 24 contractually prohibits the service provider from using any 3 25 covered information for any purpose other than providing the 3 26 contracted service to, or on behalf of, the operator; prohibits 3 27 the service provider from disclosing any covered information 3 28 provided by the operator to subsequent third parties; and 3 29 requires the service provider to implement and maintain 3 30 reasonable security procedures and practices as provided in 3 31 subsection 3. 3 32 2. Subsection 1 shall not be construed to prohibit the 3 33 operator's use of information for maintaining, developing, 3 34 supporting, improving, or diagnosing the operator's internet 3 35 site, service, or application. 4 1 3. An operator shall do all of the following: 4 2 a. Implement and maintain reasonable security procedures and 4 3 practices appropriate to the nature of the covered information, 4 4 and protect the covered information from unauthorized access, 4 5 destruction, use, modification, or disclosure. 4 6 b. Delete a student's covered information if the school 4 7 district, accredited nonpublic school, or area education agency 4 8 requests deletion of data under the control of the school 4 9 district, the school, or the area education agency. 4 10 c. Notwithstanding subsection 1, paragraph "d", as long 4 11 as the operator does not violate subsection 1, paragraph "a", 4 12 "b", or "c", an operator may disclose covered information of a 4 13 student under the following circumstances: 4 14 (1) If other provisions of federal or state law require the 4 15 operator to disclose the information and the operator complies 4 16 with the requirements of federal and state law in protecting 4 17 and disclosing that information. 4 18 (2) For legitimate research purposes as required by state or 4 19 federal law and subject to the restrictions under applicable 4 20 state or federal law or as allowed by state or federal law 4 21 and under the direction of a school district, an accredited 4 22 nonpublic school, an area education agency, or the state or 4 23 federal department of education, if no covered information is 4 24 used for any purpose in furtherance of advertising or to amass 4 25 a profile of the student for purposes other than kindergarten 4 26 through grade twelve school purposes. 4 27 (3) To state or local educational agencies, including 4 28 school districts, accredited nonpublic schools, area education 4 29 agencies, and community colleges, for kindergarten through 4 30 grade twelve school purposes, as permitted by state or federal 4 31 law. 4 32 4. This section shall not be construed to do any of the 4 33 following: 4 34 a. Prohibit an operator from using deidentified student 4 35 covered information as follows: 5 1 (1) Within the operator's internet site, service, or 5 2 application or other internet sites, services, or applications 5 3 owned by the operator to improve educational products. 5 4 (2) To demonstrate the effectiveness of the operator's 5 5 products or services and their marketing. 5 6 b. Prohibit an operator from sharing aggregated deidentified 5 7 student covered information for the development and improvement 5 8 of educational internet sites, services, or applications. 5 9 c. Limit the authority of a law enforcement agency to obtain 5 10 any content or information from an operator as authorized 5 11 by law or pursuant to an order of a court of competent 5 12 jurisdiction. 5 13 d. Limit the ability of an operator to use student data, 5 14 including covered information, for adaptive learning or 5 15 customized student learning purposes. 5 16 e. Apply to general audience internet sites, general 5 17 audience online services, general audience online applications, 5 18 or general audience mobile applications, even if login 5 19 credentials created for an operator's internet site, service, 5 20 or application may be used to access those general audience 5 21 internet sites, services, or applications. 5 22 f. Restrict internet service providers from providing 5 23 internet connectivity to schools or students and their 5 24 families. 5 25 g. Prohibit an operator of an internet site, online service, 5 26 online application, or mobile application from marketing 5 27 educational products directly to parents so long as the 5 28 marketing did not result from the use of covered information 5 29 obtained by the operator through the provision of services 5 30 regulated under this section. 5 31 h. Impose a duty upon a provider of an electronic store, 5 32 gateway, or marketplace, or of another means of purchasing 5 33 or downloading software or applications to review or enforce 5 34 compliance with this section by such software or applications. 5 35 i. Impose a duty upon a provider of an interactive computer 6 1 service, as defined in 47 U.S.C. {230, to review or enforce 6 2 compliance with this section by third=party content providers. 6 3 j. Impede the ability of students to download, export, or 6 4 otherwise save or maintain their own student=created data or 6 5 documents. 6 6 Sec. 4. NEW SECTION. 715D.3 Remedies. 6 7 1. A violation of this chapter is an unlawful practice 6 8 pursuant to section 714.16 and, in addition to the remedies 6 9 provided to the attorney general pursuant to section 714.16, 6 10 subsection 7, the attorney general may seek and obtain an order 6 11 that a party held to violate this chapter pay damages to the 6 12 attorney general for the benefit of a person injured by the 6 13 violation. 6 14 2. The rights and remedies available under this chapter are 6 15 cumulative to each other and to any other rights and remedies 6 16 available under the law. 6 17 EXPLANATION 6 18 The inclusion of this explanation does not constitute agreement with 6 19 the explanation's substance by the members of the general assembly. 6 20 This bill places restrictions on operators of internet 6 21 sites, online services, online applications, and mobile 6 22 applications designed, marketed, and used primarily for 6 23 kindergarten through grade twelve school purposes. A violation 6 24 of any of the restrictions is an unlawful practice pursuant to 6 25 Code section 714.16, a prohibited practice or act under Code 6 26 section 714H.3, and, in addition, the attorney general may 6 27 bring a civil action on behalf of an injured person. 6 28 PROHIBITIONS AND DISCLOSURE PROVISIONS. The bill prohibits 6 29 an operator from engaging in targeted advertising that is 6 30 based on or derived from information the operator acquired 6 31 through the operator's internet site, service, or application; 6 32 from using information created or gathered by the operator's 6 33 internet site, service, or application, to amass a profile 6 34 about a student enrolled in a kindergarten through grade 6 35 twelve school in this state except in furtherance of school 7 1 purposes; and from selling a student's information, though this 7 2 prohibition does not apply to the purchase, merger, or other 7 3 type of acquisition of an operator by another entity, provided 7 4 that the operator or successor entity continues to be subject 7 5 to the restrictions relating to previously acquired student 7 6 information. 7 7 The operator is also prohibited from disclosing covered 7 8 information unless the disclosure is in furtherance of the 7 9 kindergarten through grade twelve school purposes and the 7 10 recipient of the covered information is subject to similar 7 11 restrictions. Disclosure is also authorized in order to ensure 7 12 legal and regulatory compliance; to respond to or participate 7 13 in judicial process, or to protect the safety of the internet 7 14 site users or persons identified on the internet site or 7 15 security of the internet site. 7 16 The operator may also disclose covered information to a 7 17 service provider if the operator implements and maintains 7 18 reasonable security procedures and practices, and, if the 7 19 service provider is contractually prohibited from using any 7 20 of the information for any purpose other than providing the 7 21 contracted service to, or on behalf of, the operator, and from 7 22 disclosing any covered information to subsequent third parties. 7 23 However, these prohibitions shall not be construed to 7 24 prohibit the operator's use of information for maintaining, 7 25 developing, supporting, improving, or diagnosing the operator's 7 26 internet site, service, or application. 7 27 The operator is required to implement and maintain 7 28 reasonable security procedures and practices appropriate to the 7 29 nature of the covered information, and protect that information 7 30 from unauthorized access, destruction, use, modification, or 7 31 disclosure; and to delete a student's covered information if 7 32 the school district, accredited nonpublic school, or area 7 33 education agency requests deletion of data under the control of 7 34 the school district, school, or area education agency. 7 35 Notwithstanding the disclosure prohibitions, as long as the 8 1 operator does not violate the provisions prohibiting targeting 8 2 advertising, the use of student information to amass a profile, 8 3 and the sale of student information, an operator may disclose 8 4 covered information of a student if other provisions of federal 8 5 or state law require the operator to disclose the information, 8 6 or for legitimate research purposes as required by and subject 8 7 to state or federal law and under the direction of the school 8 8 district, school, or area education agency; and to state or 8 9 local educational agencies as permitted by state or federal 8 10 law. 8 11 The bill shall not be construed to prohibit an operator 8 12 from using deidentified student covered information to improve 8 13 educational products or to demonstrate the effectiveness of 8 14 the operator's products or services and their marketing; to 8 15 prohibit an operator from sharing aggregated deidentified 8 16 student covered information for the development and improvement 8 17 of educational internet sites, services, or applications; to 8 18 limit a law enforcement agency from obtaining information 8 19 as authorized by law or court order; to limit the ability 8 20 of an operator to use student data for adaptive learning or 8 21 customized student learning purposes; to apply to general 8 22 audience internet sites, general audience online services, 8 23 general audience online applications, or general audience 8 24 mobile applications; to restrict internet service providers 8 25 from providing internet connectivity to schools or students 8 26 and their families; to prohibit an operator from marketing 8 27 educational products directly to parents so long as the 8 28 marketing did not result from the use of covered information; 8 29 to impose a duty upon a provider of an electronic store, 8 30 gateway, marketplace, or other means of purchasing or 8 31 downloading software or applications to review or enforce 8 32 compliance with applicable restrictions by such software 8 33 or applications; to impose a duty upon a provider of an 8 34 interactive computer service to review or enforce compliance 8 35 by third=party content providers; or to impede the ability of 9 1 students to download, export, or otherwise save or maintain 9 2 their own student=created data or documents. 9 3 REMEDIES. The bill provides that a violation of new Code 9 4 chapter 715D is a prohibited practice or act under Code section 9 5 714H.3, providing for a private right of action for a person 9 6 who suffers an ascertainable loss of money or property as the 9 7 result of a prohibited practice or act, allowing the person to 9 8 bring an action at law to recover actual damages and to seek 9 9 court protection from further violations including temporary 9 10 and permanent injunctive relief. 9 11 In addition to the remedies provided to the attorney general 9 12 pursuant to Code section 714.16(7), the attorney general may 9 13 seek and obtain an order that a party held to violate the 9 14 chapter pay damages to the attorney general on behalf of a 9 15 person injured by the violation. The rights and remedies 9 16 available are cumulative to each other and to any other rights 9 17 and remedies available under the law. 9 18 DEFINITIONS. The bill provides that "online service" 9 19 includes cloud computing services. "Covered information" 9 20 means personally identifiable information or materials, in any 9 21 media or format that is created or provided by a student, or 9 22 the student's parent or legal guardian, to an operator in the 9 23 course of the student's, parent's, or legal guardian's use of 9 24 the operator's site, service, or application for K=12 school 9 25 purposes; is created or provided by an employee or agent of the 9 26 school district, accredited nonpublic school, or area education 9 27 agency, to an operator; or is gathered by an operator and is 9 28 descriptive of a student or otherwise identifies a student. 9 29 "Kindergarten through grade twelve school purposes" means 9 30 purposes that customarily take place at the direction of 9 31 a school district or accredited nonpublic school offering 9 32 instruction at any or all levels from kindergarten through 9 33 grade twelve or at the direction of an area education agency or 9 34 a teacher employed by or under contract with a school district, 9 35 accredited nonpublic school, or area education agency, and 10 1 purposes which aid in the administration of school activities, 10 2 including but not limited to instruction in the classroom or 10 3 at home, administrative activities, and collaboration between 10 4 students, school personnel, or parents, or are for the use 10 5 and benefit of the school district, school, or area education 10 6 agency. LSB 1575YH (4) 86 kh/rj
