ASSEMBLY, No. 3936

STATE OF NEW JERSEY

217th LEGISLATURE

 

INTRODUCED JUNE 20, 2016

 

 

Sponsored by:

Assemblyman  TROY SINGLETON

District 7 (Burlington)

 

 

 

 

SYNOPSIS

     "Student Online Personal Protection Act."

 

CURRENT VERSION OF TEXT

     As introduced.

  

An Act concerning the privacy of certain student digital information and supplementing chapter 36 of Title 18A of the New Jersey Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    This act shall be known and may be cited as the "Student Online Personal Protection Act."

 

     2.    As used in this act:

     "Covered information" means personally indentifiable information or material, or information that is linked to personally indentifiable information or material, in any media or format that is not publicly available and is:

     (1)   created by or provided to an operator by a student, or the student's parent or guardian, in the course of the student's, parent's, or guardian's use of the operator's site, service, or application for K-12 school purposes;

     (2)   created by or provided to an operator by an employee or agent of a school district or charter school for K-12 school purposes; or

     (3)   gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, any other information that allows physical or online contact with the student, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

     "Interactive computer service" means that term as defined in 47 U.S.C. s.230.

     "K-12 school" means a school that offers any of grades kindergarten to 12 and that is operated by a board of education or a charter school board of trustees.

     "K-12 school purposes" means purposes that are directed by or that customarily take place at the direction of a school district or charter school, a K-12 school, or a teacher, or aid in the administration of school activities including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents or guardians, or are otherwise for the use and benefit of the school district or charter school.

     "Operator" means, to the extent that it is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

     "Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. "Targeted advertising" does not include advertising to a student at an online location based upon that student's current visit to that location, or in response to that student's request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent advertising.

 

     3.    An operator shall not knowingly:

     a.     Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes;

     b.    Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes.  "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent or guardian, or the school district or charter school;

     c.    Sell or rent a student's information, including covered information.  This subsection shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with this act regarding previously acquired student information; or

     d.    Except as otherwise provided in section 5 of this act, disclose covered information unless the disclosure is made for the following purposes:

     (1)  in furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under this paragraph does not further disclose the information other than to allow or improve operability and functionality of the operator's site, service, or application;

     (2)  to ensure legal and regulatory compliance or protect against liability;

     (3)  to respond to or participate in the judicial process;

     (4)  to protect the safety or integrity of users of the site or other individuals, or the security of the site, service, or application;

     (5)  for a school, educational, or employment purpose upon request of the student or the student's parent or guardian, provided that the information is not used or further disclosed for any other purpose; or

     (6)  to a third party, if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices.

 

     4.    An operator shall:

     a.    Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information which are designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure; and

     b.    Delete within a reasonable time period a student's covered information if the school district or charter school requests deletion of covered information under the control of the school district or charter school, unless a student or the student's parent or guardian consents to the maintenance of the covered information.

 

     5.    An operator may use or disclose covered information of a student under the following circumstances:

     a.    If other provisions of federal or State law require the operator to disclose the information, and the operator complies with the requirements of federal and State law in protecting and disclosing that information;

     b.    For legitimate research purposes required by and subject to federal and State law, and under the direction of a school district, charter school, or the Department of Education, if the covered information is not used for advertising or to amass a profile on the student for purposes other than K-12 school purposes; or

     c.    Upon request to a state or local educational agency for K-12 school purpose, as permitted by federal or State law.

 

     6.    Nothing in this act shall be construed to prohibit an operator from:

     a.    Using covered information to improve educational products, provided that information is not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator;

     b.    Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in its marketing;

     c.    Sharing covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications;

     d.    Using recommendation engines to recommend to a student additional content or services related to an educational, other learning, or employment opportunity purpose, within an online site, service, or application, provided the recommendation is not determined in whole or in part by payment or other consideration from a third party;

     e.    Responding to a student's request for information or feedback, provided the information or response is not determined in whole or in part by payment or other consideration from a third party; or

     f.     Using covered information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.

 

     7.    Nothing in this act shall be construed to:

     a.    Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order;

     b.    Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

     c.    Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications;

     d.    Limit service providers from providing Internet connectivity to schools or students and their families;

     e.    Prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents or guardians provided that the marketing does not result from the use of covered information obtained by the operator through the provision of services covered under this act;

     f.     Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this act on those applications or software;

     g.    Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this act by third-party content providers; or

     h.    Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

 

     8.    This act shall take effect immediately.

 

 

STATEMENT

 

     This bill is entitled the "Student Online Personal Protection Act."  The bill concerns the personally identifiable information of a public school student that is not publicly available and is created or gathered by or provided to the operator of an Internet website, online service, online application, or mobile application that is designed and marketed for K-12 school purposes. Under the provisions of the bill, the operator is not permitted to knowingly:

·       engage in targeted advertising if it is based on any information that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes;

·       use information created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes;

·       sell or rent a student's information; or

·       disclose certain information regarding a student.

     In addition to the list of prohibited practices for an operator, the bill also sets forth certain actions that an operator is required to perform:

·       implement and maintain reasonable security procedures and practices which are designed to protect student information from unauthorized access, destruction, use, modification, or disclosure; and

·       delete within a reasonable time period a student's information if the school district or charter school requests deletion of covered information under the control of the school district or charter school.

     The bill also clarifies that certain activities on the part of operators are not intended to be covered by the provisions of the bill, including:

·       using student information to improve educational products, provided the information is not associated with an identified student;

·       using or sharing student information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services or for the development and improvement of educational sites, services, or applications;

·       using recommendation engines to suggest to a student additional content or services, provided the suggestion is not determined by payment from a third party;

·       responding to a student's request for information or feedback, provided the information or response is not determined by payment from a third party; or

·       using student information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.