§953. Restrictions on operator's use of student data
1. Prohibitions. An operator may not knowingly engage in any of the following activities with respect to the operator's website, service or application without explicit written or electronic consent from a student's parent or an eligible student:
A. Use student data to engage in targeted advertising on the operator's website, service or application or targeted advertising on any other website, service or application when the targeting of the advertising is based upon any student data and state-assigned student identifiers or other persistent unique identifiers that the operator has acquired because of the use of the operator's website, service or application;
[PL 2015, c. 256, §1 (NEW).]
B. Use student data, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by the operator to amass a profile of a student except for kindergarten to grade 12 school purposes. For purposes of this paragraph, "amass a profile" does not include collection and retention of account information that remains under the control of a student, parent or school administrative unit;
[PL 2015, c. 256, §1 (NEW).]
C. Sell student data. This prohibition does not apply to the purchase, merger or other type of acquisition of an operator by another entity as long as the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student data subject to this chapter.
[PL 2015, c. 256, §1 (NEW).]
D. Except as provided in subsection 3, disclose student personally identifiable information, unless the disclosure is made:
[PL 2015, c. 256, §1 (NEW).]
(1) To advance the kindergarten to grade 12 school purposes of the website, service or application, as long as the recipient of the student data disclosed:
(a) May not further disclose the student data except to allow or improve operability and functionality of the website, service or application within that student's classroom or school; and
(b) Is legally required to comply with the requirements of this chapter;
(2) To ensure legal or regulatory compliance or protect against liability;
(3) To respond to or participate in judicial process;
(4) To protect the security or integrity of the operator's website, service or application;
(5) To protect the safety of users or others; or
(6) To a service provider, as long as the operator contractually:
(a) Prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator;
(b) Requires the service provider to impose the restrictions of this subsection on its own service providers; and
(c) Requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection 2.
[PL 2015, c. 256, §1 (NEW).]
2. Security procedures and practices. An operator shall:
A. Implement and maintain reasonable security procedures and practices appropriate to the nature of the student data to protect that data from unauthorized access, destruction, use, modification and disclosure; and
[PL 2015, c. 256, §1 (NEW).]
B. Delete student data within 45 days of a school's or school administrative unit's request.
[PL 2015, c. 256, §1 (NEW).]
[PL 2015, c. 256, §1 (NEW).]
3. Permitted disclosures. The following provisions apply to disclosure of student data by an operator.
A. Notwithstanding subsection 1, paragraph D, and in accordance with subsection 1, paragraphs A, B and C, an operator may disclose student data under the following circumstances:
(1) If another provision of federal or state law requires the operator to disclose the student data and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information;
(2) For legitimate research purposes:
(a) As required by state or federal law and subject to the restrictions under applicable state and federal law; or
(b) As allowed by state or federal law and under the direction of a school, a school administrative unit or the department; or
(3) To a state agency, school administrative unit or school for kindergarten to grade 12 purposes, as permitted by state or federal law.
[PL 2017, c. 288, Pt. A, §28 (AMD).]
B. Nothing in this section prohibits an operator from using student data, including student personally identifiable information, as follows:
(1) For maintaining, delivering, developing, supporting, evaluating, improving or diagnosing the operator's website, service or application;
(2) Within other websites, services or applications owned by the operator and intended for school or student use, to evaluate and improve educational products or services intended for school or student use;
(3) For adaptive learning or customized student learning purposes;
(4) For recommendation engines to recommend additional content or services for educational, other learning or job opportunities to students within the operator's website, service or application without the response being determined in whole or in part by payment or other consideration from a 3rd party; or
(5) To ensure legal or regulatory compliance or to retain student data for these purposes.
[PL 2015, c. 256, §1 (NEW).]
C. Nothing in this section prohibits an operator from using or sharing aggregate student data or data from which personally identifying information has been removed as follows:
[PL 2017, c. 288, Pt. A, §28 (AMD).]
(1) For the development and improvement of the operator's website, service or application or other educational websites, services or applications; or
(2) To demonstrate or market the effectiveness of the operator's products or services.
[PL 2015, c. 256, §1 (NEW).]
4. Construction. The following provisions govern the application and construction of this chapter.
A. This chapter may not be construed to limit the authority of a law enforcement agency to obtain any content or student data from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
[PL 2015, c. 256, §1 (NEW).]
B. This chapter does not apply to general audience Internet websites, general audience online services, general audience online applications or general audience mobile applications even if login credentials created for an operator's site, service or application may be used to access those general audience sites, services or applications.
[PL 2015, c. 256, §1 (NEW).]
C. This chapter may not be construed to restrict Internet service providers from providing Internet connectivity to schools or students and their families.
[PL 2015, c. 256, §1 (NEW).]
D. This chapter may not be construed to prohibit an operator from marketing educational products directly to parents so long as the marketing does not result from the use of student data obtained without parental consent by the operator through the provision of services covered under this section.
[PL 2015, c. 256, §1 (NEW).]
E. This chapter may not be construed to impose a duty upon a provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software.
[PL 2015, c. 256, §1 (NEW).]
F. This chapter may not be construed to impose a duty upon a provider of an interactive computer service, as defined in 47 United States Code, Section 230, to review or enforce compliance with this section by 3rd-party content providers.
[PL 2015, c. 256, §1 (NEW).]
G. This chapter may not be construed to impede the ability of a student or a student's parent to download, transfer or otherwise save or maintain student data or documents belonging to the student.
[PL 2015, c. 256, §1 (NEW).]
H. Nothing in this chapter prevents this State or a school administrative unit or employee of this State or a school administrative unit from recommending, directly or via a product or service, any educational materials, online content, services or other products to any student or the student's family if this State or a school administrative unit determines that such products will benefit the student and the State or school administrative unit does not receive compensation for developing, enabling or communicating such recommendations.
[PL 2015, c. 256, §1 (NEW).]
I. Nothing in this chapter authorizes the dissemination of information in violation of section 6001.
[PL 2015, c. 256, §1 (NEW).]
[PL 2015, c. 256, §1 (NEW).]
SECTION HISTORY
PL 2015, c. 256, §1 (NEW). PL 2017, c. 288, Pt. A, §28 (AMD).