Regular Session 2015-2016 House Bill 1635 P.N. 2384

PRINTER'S NO. 2384

THE GENERAL ASSEMBLY OF PENNSYLVANIA

HOUSE BILL

No.

1635

Session of

2015

INTRODUCED BY D. MILLER, NESBIT, KINSEY, MURT, ENGLISH,

D. COSTA, ROZZI, PASHINSKI, THOMAS, SCHLOSSBERG, CUTLER,

BIZZARRO, GROVE, SAYLOR, TALLMAN, NEILSON, DUSH, COHEN,

LAWRENCE, HENNESSEY, DRISCOLL, KAUFER AND HARHAI,

OCTOBER 19, 2015

REFERRED TO COMMITTEE ON EDUCATION, OCTOBER 19, 2015

AN ACT

Amending the act of March 10, 1949 (P.L.30, No.14), entitled "An

act relating to the public school system, including certain

provisions applicable as well to private and parochial

schools; amending, revising, consolidating and changing the

laws relating thereto," in preliminary provisions, providing

for protection of student online personal information.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

Section 1. The act of March 10, 1949 (P.L.30, No.14), known

as the Public School Code of 1949, is amended by adding a

section to read:

Section 124. Protection of Student Online Personal

Information.-- (a) No operator may knowingly engage in any of

the following activities with respect to its site, service or

application:

(1) Conduct targeted advertising on the operator's site,

service or application or other site, service or application

when the targeting of the advertising is based upon any

information, including covered information and persistent unique

identifiers, that the operator has acquired because of the use

of that operator's site, service or application.

(2) Use information, including persistent unique

identifiers, created or gathered by the operator's site, service

or application to amass a profile about a student attending a K-

12 school except in furtherance of K-12 school purposes.

(3) Sell a student's information, including covered

information. This paragraph does not apply to the purchase,

merger or other type of acquisition of an operator by another

entity, provided that the operator or successor entity continues

to be subject to the provisions of this section with respect to

previously acquired student information.

(4) Disclose covered information, unless the disclosure is

made:

(i) In furtherance of the K-12 school purpose of the site,

service or application, provided the recipient of the covered

information disclosed pursuant to this paragraph:

(A) Does not further disclose the information unless done to

allow or improve functionality within the student's classroom or

school;

(B) Is legally required to comply with subsection (b):

(I) to ensure legal and regulatory compliance;

(II) to respond to or participate in a judicial process;

(III) to protect the safety of users or others or security

of the site; and

(ii) is contractually:

(A) Prohibited from using covered information for a purpose

other than providing the contracted service to, or on behalf of,

the operator.

20150HB1635PN2384 - 2 -

(B) Prohibited from disclosing covered information provided

by the operator with subsequent third parties.

procedures and practices as provided in subsection (b).

(b) An operator shall:

(1) Implement and maintain reasonable security procedures

and practices appropriate to the nature of the covered

information and protect covered information from unauthorized

access, destruction, use, modification or disclosure.

(2) Delete a student's covered information, if the school or

district requests deletion of data under the control of the K-12

school or school district.

disclose covered information of a student, as long as subsection

(a)(1), (2) and (3) are not violated, under the following

circumstances:

(1) If a provision of Federal or State law requires the

operator to disclose the information and the operator complies

with the requirements of Federal and State law in protecting and

disclosing the information.

(2) For legitimate research purposes:

(i) as required by and subject to the restrictions under

applicable Federal and State law; or

(ii) as allowed by Federal and State law and under the

direction of a K-12 school, school district or the Department of

Education, if no covered information is used for any purpose in

furtherance of advertising or to amass a profile on the student

for a purpose other than K-12 school purposes.

(3) To a State or local educational agency, including K-12

schools and school districts, for K-12 school purposes, as

20150HB1635PN2384 - 3 -

permitted by Federal or State law.

(d) A school district shall develop and implement a policy

to determine whether an operator's application used in the

school district is in compliance with this section. The policy

shall include:

(1) Notice to parents and legal guardians of students about:

(i) The requirements of this section.

(ii) The school district's determination of each application

used in the school district.

(iii) The right of students not to use an application that

the school district determines is not in compliance with this

section or that the school district is unable to determine is in

compliance with this section.

(2) A procedure by which a parent or legal guardian of a

student may, on behalf of the student, exercise the right not to

use an application that the school district determines is not in

compliance with this section or that the school district is

unable to determine is in compliance with this section.

(e) Nothing in this section shall be construed to:

(1) Prohibit an operator from using information that does

not identify covered information as follows:

(i) Within the operator's site, service or application or

other site, service or applications owned by the operator to

improve educational products.

(ii) To demonstrate the effectiveness of the operator's

products or services, including in the operator's marketing.

(2) Prohibit an operator from sharing aggregated information

that does not identify covered information for the development

and improvement of educational sites, services or applications.

(3) Limit the authority of a law enforcement agency to

20150HB1635PN2384 - 4 -

obtain any content or information from an operator as authorized

by law or pursuant to an order of a court of competent

jurisdiction.

(4) Limit the ability of an operator to use student data,

including covered information, for adaptive learning or

customized student learning purposes.

(5) Limit an Internet service provider from providing

Internet connectivity to schools or students and their families.

(6) Prohibit an operator of an Internet website, online

service, online application or mobile application from marketing

educational products directly to parents, so long as the

marketing does not result from the use of covered information

obtained by the operator through the provision of services

covered under this section.

(7) Impose a duty upon a provider of an electronic store,

gateway, marketplace or other means of purchasing or downloading

software or applications to review or enforce compliance of this

section on those applications or software.

(8) Impose a duty upon a provider of an interactive computer

service, as defined in section 230 of the Communications Act of

1934 (48 Stat. 1064, 47 U.S.C. § 230), to review or enforce

compliance with this section by third-party content providers.

(9) Impede the ability of students to download, export or

otherwise save or maintain their own student-created data or

documents.

(10) Prohibit an operator's use of information for

maintaining, developing, supporting, improving or diagnosing the

operator's site, service or application.

(f) This section does not apply to general audience Internet

websites, general audience online services, general audience

20150HB1635PN2384 - 5 -

online applications or general audience mobile applications,

even if log-in credentials created for an operator's site,

service or application may be used to access the general

audience sites, services or applications.

(g) As used in this section, the following words and phrases

shall have the meanings given to them in this subsection unless

the context clearly indicates otherwise:

"Covered information." Personally identifiable information

or materials, in any media or format that meets any of the

following:

(1) Is created or provided by a student, or the student's

parent or legal guardian, to an operator in the course of the

student's, parent's or legal guardian's use of the operator's

site, service or application for K-12 school purposes.

(2) Is created or provided by an employe or agent of a K-12

school to an operator for K-12 school purposes.

(3) Is gathered by an operator through the operation of a

site, service or application described in subsection (a) and is

descriptive of a student or otherwise identifies a student,

including, but not limited to, information in the student's

educational record or e-mail, first and last name, home address,

telephone number, e-mail address or other information that

allows physical or online contact, discipline records, test

results, special education data, juvenile dependency records,

grades, evaluations, criminal records, medical records, health

records, Social Security number, biometric information,

disabilities, socioeconomic information, food purchases,

political affiliations, religious information, text messages,

documents, student identifiers, search activity, photos, voice

recordings or geolocation information.

20150HB1635PN2384 - 6 -

"K-12 school." A school that provides instruction in any

grade between kindergarten and grade twelve.

"K-12 school purposes." Purposes that customarily take place

at the direction of a K-12 school, teacher or school district or

aid in the administration of school activities, including, but

not limited to, instruction in the classroom or at home or

during administrative activities and collaboration between

students, school personnel or parents, or are for the use and

benefit of the school.

"Online service." The term includes, but is not limited to,

cloud computing services that comply with this section if the

person that performs is an operator.

"Operator." A person who operates, owns or controls an

Internet website, online service, online application or mobile

application with actual knowledge that the site, service or

application is used primarily for K-12 school purposes and was

designed and marketed for K-12 school purposes.

Section 2. This act shall take effect in 60 days.

20150HB1635PN2384 - 7 -