ASSEMBLY, No. 1838

STATE OF NEW JERSEY

219th LEGISLATURE

PRE-FILED FOR INTRODUCTION IN THE 2020 SESSION

Sponsored by:

Assemblywoman  BRITNEE N. TIMBERLAKE

District 34 (Essex and Passaic)

Assemblyman  ANDREW ZWICKER

District 16 (Hunterdon, Mercer, Middlesex and Somerset)

Assemblywoman  VALERIE VAINIERI HUTTLE

District 37 (Bergen)

Co-Sponsored by:

Assemblywomen McKnight, Lopez and Assemblyman Conaway

SYNOPSIS

     Prohibits online education services from using and disclosing certain information, engaging in targeted advertising, and requires deletion of certain information in certain circumstances.

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel.

An Act concerning online education services and student educational records and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

      1.   As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

      "Covered information" means personally identifiable information or material, or information that is linked to personally identifiable information or material, in any media or format that is not publicly available and is:

      created by or provided to an operator by a student, or the student's parent or guardian, in the course of the student's, parent's, or guardian's use of the operator's site, service, or application for K-12 school purposes;

      created by or provided to an operator by an employee or agent of a K-12 school or school district for K-12 school purposes; or

      gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student, including, but not limited to, information in the student's education record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact with the student, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, persistent unique identifiers, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photographs, voice recordings, or geolocation data.

      "De-identified data" means information that is not or can no longer be linked or reasonably linkable to a person or the person's computer, telecommunications device, or wireless telecommunications device, but which may still contain unique records or attributes. "De-identified data" shall not mean covered information.

      "Interactive computer service" shall have the same meaning as provided in 47 U.S.C. s.230.

      "K-12 school" means a public school that offers any of grades kindergarten to 12 and that is operated by any school district in this State.

      "K-12 school purposes" means purposes that are directed by or that customarily take place at the direction of a school district, K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents or guardians, or are otherwise for the use of a benefit of the school district or K-12 school.

      "Online education service" or "service" means an Internet website, online service, online computer application, or mobile application that is used primarily for K-12 school purposes and is designed and marketed for K-12 school purposes.

      "Operator" means the operator of an online education service with actual knowledge that the online education service is used primarily for K-12 school purposes and is designed and marketed for K-12 school purposes.

      "Persistent unique identifier" means a digital label given to an object, such as a digital file, or entity, such as a person, which is used on the online education service.

      "Personally identifiable information" means information that is linked or reasonably linkable to an identified or identifiable person. "Personally identifiable information" shall not include de-identified data or publicly available information.

      "Publicly available information" means information that is lawfully made available from federal, State, or local government records.

      "Recommendation engine" means software that uses an algorithm to predict and recommend what information, product, or item a student may prefer.

      "School district" means any school district established pursuant to Title 18A of the New Jersey Statutes.

      "Student" means a minor user of an online education service.

      "Targeted advertising" means the presenting of advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, use of Internet websites, online services, online computer applications, or mobile applications, or covered information. "Targeted advertising" shall not include advertising to a student at an online location based upon that student's current visit to that location, or in response to that student's request for information or feedback, without the retention of the student's online activities or requests over time for the purpose of targeting subsequent adverstisements.

      2.   a.  An operator of an online education service shall not knowingly:

      (1)  use information, including covered information, created or gathered by the operator's online education service, to amass a profile about a student for any purpose other than K-12 school purposes. A profile shall not include the collection and retention of account information that remains under the control of the student, the student's parents or guardian, or K-12 school;

      (2)  sell or rent a student's information, including covered information. This paragraph shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity complies with this section concerning previously acquired student information, including covered information, or to national assessment providers if the provider secures express written consent of the student's parent or guardian, given in response to clear and conspicuous notice, solely to provide access to employment, educational scholarships, financial aid, or postsecondary educational opportunities;

      (3)  disclose covered information unless the disclosure is:         

      (a)  made in furtherance of the K-12 school purposes of the service, provided the recipient of the covered information shall not further disclose the information unless done to allow or improve the operability and functionality of the operator's online education service;

      (b)  required by federal or State law to protect against liability;

      (c)  made to respond to or participate in a judicial process;

      (d)  to protect the safety of students or security of the service;

      (e)  for educational or employment purposes requested by the student's parent or guardian, provided that the covered information is not used or further disclosed for any other purpose not requested by the student's parent or guardian;

      (f)  to a third party if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices; or

      (g)  for legitimate research purposes, subject to the requirements of paragraphs (1) through (3) of this subsection:

      (i)   as required by federal or State law and subject to the restrictions of the application of federal or State law;

      (ii)  as allowed by federal or State law and under the direction of a K-12 school, school district, or the Department of Education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for any purpose that is not in furtherance of a K-12 school purpose; or

      (iii)               for use by a federal, State, or local educational agency, including K-12 schools and school districts, for K-12 school purposes, as permitted by federal or State law; and

      (4)  engage in targeted advertising on the operator's service, or target advertising on any other Internet website, online service, online computer application, or mobile application if the targeted advertising is based on any information, including covered information, that the operator's service has acquired because of the use of the operator's service for K-12 school purposes.

      b.   Nothing in this section shall be construed to prohibit the operator's use of covered information for maintaining, developing, supporting, diagnosing, or improving the operator's online education service.

     3.    An operator of an online education service shall:

     a.     implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information;

     b.    protect that information from unauthorized access, destruction, use, modification, or disclosure; and

     c.     delete covered information at the request of a K-12 school or a school district overseeing the student's education through the service or a student who has subsequently reached the age of majority, unless a student after having reached the age of majority or parent or guardian requests that the operator maintain the covered information.

     4.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be construed to prohibit an operator of an online education service from using de-identified data to:

     a.     improve the educational products within the service owned by the operator;

     b.    demonstrate the effectiveness of the operator's products or services, including their marketing;

     c.     develop or improve websites, online services, or online or mobile applications for K-12 school purposes;

     d.    use a recommendation engine to recommend to a student additional content or services concerning an educational or employment opportunity purpose on an Internet website, online service, online computer application, or mobile application if the recommendation is not determined in whole or in part by payment or other consideration from a third party; or

     e.     respond to a student's request for information or for feedback if the information or response is not determined, in whole or in part, by payment or other consideration from a third party.

     5.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be construed to:

     a.     limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order;

     b.    limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

     c.     apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's website, service, or application may be used to access those general audience websites, services, or applications;

     d.    limit service providers from providing Internet connectivity to schools or students and their families;

     e.     prohibit an operator from marketing educational products directly to parents or guardians if the marketing did not result from the use of covered information obtained by the operator through the provision of services pursuant to P.L.    , c.    (C.      ) (pending before the Legislature as this bill);

     f.     impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with P.L.    , c.    (C.      ) (pending before the Legislature as this bill) on the software of applications;

     g.    impose a duty upon a provider of an interactive computer service to review or enforce compliance with P.L.    , c.    (C.      ) (pending before the Legislature as this bill) by a third-party content provider; or

     h.    prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

     6.    It shall be an unlawful practice pursuant to P.L.1960, c.39 (C.56:8-1 et seq.) for an operator of an online education service to violate the provisions of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), or any rule or regulation adopted pursuant thereto.

     7.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety, in consultation with the Commissioner of Education, shall adopt, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), rules and regulations necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     8.    This act shall take effect immediately, but shall remain inoperative for 180 days following the date of enactment.

STATEMENT

     This bill concerns the personally identifiable information of a public school student that is not publicly available and is created or gathered by, or provided to, the operator of an Internet website, online service, online computer application, or mobile application that is designed and marketed for K-12 school purposes.  Under the provisions of the bill, the operator is not permitted to knowingly:

·       Use information created or gathered by the operator's online education service to amass a profile about a student for any purpose other than K-12 school purposes;

·       Sell or rent a student's information;

·       Disclose certain information unless the disclosure is for certain specified purposes; or

·       Engage in targeted advertising if the targeted advertising is based on any information that the operator has acquired because of the use of the operator's service for K-12 school purposes.

     In addition to the list of prohibited practices for an operator, the bill also sets forth certain actions that an operator is required to perform:

·         Implement and maintain reasonable security procedures and practices appropriate to the nature of the student information;

·         Protect the information from unauthorized access, destruction, use, modification, or disclosure; and

·         Delete information at the request of a K-12 school or a school district overseeing the student's education through the service, or at the request of a student who has subsequently reached the age of majority.

     The bill also clarifies that the provisions of the bill are not intended to prohibit an operator from using de-identified data for certain purposes, such as improving the educational products within the service owned by the operator, demonstrating the effectiveness of the operator's products or services, using a recommendation engine to recommend to a student additional content or services, or responding to a student's request for information or for feedback.  De-identified data is defined in the bill as information that is not, or can no longer be, linked or reasonably linkable to a person or the person's computer, telecommunications device, or wireless telecommunications device, but which may still contain unique records or attributes. 

     The bill also provides that it is not to be construed to:

·         limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order;

·         limit the ability of an operator to use student data for adaptive learning or customized student learning purposes;

·         apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications;

·         limit service providers from providing Internet connectivity to schools or students and their families;

·         prohibit an operator from marketing educational products directly to parents or guardians if the marketing does not result from the use of information obtained by the operator through the provision of services;

·         impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this bill;

·         impose a duty upon a provider of an interactive computer service to review or enforce compliance with this bill by third-party content providers; or

·         prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

     The bill provides that it is an unlawful practice under the New Jersey consumer fraud act, P.L.1960, c.39 (C.56:8-1 et seq.), for an operator of a service to violate the provisions of the bill.