PRINTER'S NO. 1915
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 1337
Session of 2022
INTRODUCED BY CAPPELLETTI, KANE, HUGHES, FONTANA, KEARNEY,
COSTA, COMITTA, STREET, DILLON AND MUTH, SEPTEMBER 19, 2022
REFERRED TO EDUCATION, SEPTEMBER 19, 2022
AN ACT
Amending the act of March 10, 1949 (P.L.30, No.14), entitled "An
act relating to the public school system, including certain
provisions applicable as well to private and parochial
schools; amending, revising, consolidating and changing the
laws relating thereto," providing for student online personal
data; imposing penalties; and making editorial changes.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Article XIII-C of the act of March 10, 1949
(P.L.30, No.14), known as the Public School Code of 1949, is
amended by adding a subarticle heading to read:
SUBARTICLE A
GOOD ORDER
Section 2. Sections 1301-C introductory paragraph, 1310-C,
1311-C(a), 1312-C and 1315-C introductory paragraph of the act
are amended to read:
Section 1301-C. Definitions.
The following words and phrases when used in this [article]
subarticle shall have the meanings given to them in this section
unless the context clearly indicates otherwise:
* * *
Section 1310-C. Employee status.
When acting within the scope of this [article] subarticle,
school police officers shall, at all times, be employees of the
school entity or nonpublic school and shall be entitled to all
of the rights and benefits accruing from that employment.
Section 1311-C. Independent contractors and third-party
vendors.
(a) General rule.--Notwithstanding section 1310-C, a school
entity or nonpublic school may contract with an independent
contractor or third-party vendor to provide school police
officer or school security guard services under this [article]
subarticle.
* * *
Section 1312-C. Construction.
Nothing in this [article] subarticle shall be construed to
preclude a school entity or nonpublic school from employing
other security personnel as the school entity or nonpublic
school deems necessary.
Section 1315-C. Duties of commission.
The commission shall have the following duties under this
[article] subarticle:
* * *
Section 3. Article XIII-C of the act is amended by adding a
subarticle to read:
SUBARTICLE B
STUDENT ONLINE PERSONAL DATA
Section 1321-C. Purpose.
The purpose of this subarticle is to strengthen privacy
protections for students using education services technology by
20220SB1337PN1915 - 2 -
prohibiting educational technology providers operating in an
educational entity from:
(1) Selling student data.
(2) Using information collected to advertise to students
and families.
(3) Creating student profiles to be used for
noneducation purposes.
Section 1322-C. Definitions.
The following words and phrases when used in this subarticle
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Access software provider." A provider of software,
including client or server software, or enabling tools that do
any of the following:
(1) Filter, screen, allow or disallow content.
(2) Pick, choose, analyze or digest content.
(3) Transmit, receive, display, forward, cache, search,
subset, organize, reorganize or translate content.
"Attorney General." The Attorney General of the
Commonwealth.
"Biometric identifier." A measurable biological or
behavioral characteristic that can be used for automated
recognition of an individual. The following apply:
(1) The term shall include any of the following:
(i) A retina or iris scan.
(ii) A fingerprint.
(iii) A human biological sample.
(iv) A scan of the hand.
(v) A voice print.
(vi) Facial geometry.
(2) The term shall not include any of the following:
(i) A physical description, including height,
weight, hair color or eye color.
(ii) A writing sample.
(iii) A written signature.
(iv) Demographic data.
"Breach of Personal Information Notification Act." The act
of December 22, 2005 (P.L.474, No.94), known as the Breach of
Personal Information Notification Act.
"Children's Online Privacy Protection Act." The Children's
Online Privacy Protection Act (Public Law 105-277, Div. C, Title
XIII).
"Department." The Department of Education of the
Commonwealth.
"Educational entity." A school district, charter school,
cyber charter school, private school, private residential
rehabilitative institution, nonpublic school, intermediate unit
or area career and technical school operating within this
Commonwealth.
"Educational record." Student data or other student
information created and maintained by an educational entity or a
third party.
"Family Educational Rights and Privacy Act." The Family
Educational Rights and Privacy Act of 1974 (Public Law 90-247,
20 U.S.C. § 1232g).
"IEP." An Individualized Education Plan under the
Individuals with Disabilities Education Act.
"Individuals with Disabilities Education Act." The
Individuals with Disabilities Education Act (Public Law 91-230,
20 U.S.C. § 1400 et seq.).
"Information service." The offering of a capability for
generating, acquiring, storing, transforming, processing,
retrieving, utilizing or making available information via
telecommunications. The term includes electronic publishing, but
does not include any use of a capability for the management,
control or operation of a telecommunications system or the
management of a telecommunications service.
"Interactive computer service." An information service,
system or access software that provides or enables computer
access by multiple users to a computer server, including a
service or system that provides access to the Internet and the
systems operated or services offered by libraries or educational
institutions.
"K-12 school purposes." A purpose that customarily takes
place at the direction of the K-12 school, teacher or
educational entity or aids in the administration of school
activities, including instruction in the classroom or at home,
administrative activities and collaboration between students,
school personnel or parents or guardians or that is for the use
and benefit of the school.
"Online service." Online service, including cloud computing
services, provided by an entity subject to this subarticle.
"Privacy of Social Security Numbers Law." The act of June
29, 2006 (P.L.281, No.60), referred to as the Privacy of Social
Security Numbers Law.
"Protection of Pupil Rights Amendment." 20 U.S.C. § 1232h
(relating to protection of pupil rights).
"Provider." Any of the following:
(1) A third-party vendor, contractor, subcontractor,
corporation, partnership, business trust, foundation, limited
liability company, corporation or partnership, incorporated
or unincorporated association, organization or any other
legal entity.
(2) A government entity, other than the Commonwealth.
(3) A natural person.
"Section 504 plan." A plan prescribed by the Rehabilitation
Act of 1973 (Public Law 93-112, 29 U.S.C. § 701 et seq.).
"Student data." Personally identifiable information or
material regarding a student that is descriptive of the student
and collected and maintained at the individual student level,
notwithstanding the physical, electronic or other media format,
including any of the following:
(1) The following information regarding the student:
(i) Name.
(ii) Date and location of birth.
(iii) Social Security number.
(iv) Gender.
(v) Race.
(vi) Ethnicity.
(vii) Tribal affiliation.
(viii) Sexual identity or orientation.
(ix) Migrant status.
(x) English language learner status.
(xi) Disability status.
(xii) Mother's maiden name.
(xiii) Contact information, including telephone
numbers, email addresses, physical addresses, home
address, geolocation information and other distinct
contact identifiers.
(xiv) Text messages, photos, voice recordings or
documents.
(xv) Search identifiers or search activities.
(xvi) Disabilities.
(xvii) Special education records or an applicable
mandate under the Individuals with Disabilities Education
Act.
(xviii) An IEP, Section 504 plan or other written
education plan, including special education evaluation
data for the program or plan.
(xix) A student's identification number.
(xx) State or Local assessment results or the reason
for an exception from taking a State or local assessment.
(xxi) Courses taken and completed, credits earned or
other transcript information.
(xxii) Course grades, grade point average,
evaluations or another indicator of academic achievement.
(xxiii) Cohort graduation rate or related
information.
(xxiv) Degree, diploma, credential attainment or
other school exit information.
(xxv) Attendance and mobility.
(xxvi) Dropout data.
(xxvii) An immunization record or the reason for an
exception from receiving an immunization.
(xxviii) Remediation efforts.
(xxix) Cumulative disciplinary records.
(xxx) Juvenile delinquency records.
(xxxi) Criminal records.
(xxxii) Medical or health records created or
maintained by an educational entity, including test
results.
(xxxiii) Political affiliation, voter registration
information or voting history.
(xxxiv) Income or other socioeconomic information,
except as required by law or if an educational entity
determines income information is required to apply for,
administer, research or evaluate programs to assist
students from low-income families.
(xxxv) Religious information or beliefs.
(xxxvi) A biometric identifier or other biometric
information.
(xxxvii) Food purchases.
(xxxviii) Geolocation data.
(xxxix) Any other information that either on its own
or collectively could reasonably be used to identify a
specific student.
(2) The following information regarding family members,
including parents and legal guardians, of the student:
(i) Name of family members.
(ii) Contact information for family members,
including telephone numbers, email addresses, physical
addresses and other distinct contact identifiers.
(iii) Education status, an educational record or
student data of a family member who is a student.
(3) Data, information or material that is created or
provided by a student or the student's parent or legal
guardian to a provider in the course of the student's,
parent's or legal guardian's use of the provider's site,
service or application for K-12 purposes.
(4) Data, information or material that is created or
provided by an employee or agent of the K-12 educational
entity, the department or a county department of education to
a provider.
(5) Data, information or material that is gathered by a
provider through the operation of a site, service or
application used primarily for K-12 school purposes and that
is descriptive of a student or otherwise identifies a
student, including student data under paragraphs (1) and (2).
"Targeted marketing." Advertising to a student or a
student's parent or legal guardian that is selected based on
information obtained or inferred from the student's online or
offline behavior, usage of applications or student data. The
term does not include:
(1) Advertising to a student at an online location based
on the student's current visit to the location or single
search query without collection and retention of the
student's online activities over time.
(2) Use of the student's personally identifiable student
data to identify for the student institutions of higher
education or scholarship providers that are seeking students
who meet specific criteria, if a written data authorization
by the student or the student's parent or legal guardian, if
the student is under 18 years of age, permits the disclosure
of use.
"Third-party vendor." The provider of a publicly accessible
Internet website, online service, online application or mobile
application with actual knowledge that the site, service or
application is used primarily for K-12 school purposes, was
designed and marketed for K-12 school purposes and has entered
into a contract with an educational entity to provide a related
good or service. The term includes a subcontractor.
Section 1323-C. Department duties and responsibilities.
(a) State data system and secure transmittal.--Within six
months of the effective date of this subsection, the department
shall establish in the department a State data system on a
technology platform that maintains student data in a safe
educational electronic document delivery and storage system. The
system design shall include an integrated educational entity
interdepartmental communication tool for exchange of student
data. The data contained in the State data system shall be
transmitted, stored, delivered or integrated in a manner that
meets the requirements of:
(1) This subarticle.
(2) The Family Educational Rights and Privacy Act,
Protection of Pupil Rights Amendment, Children's Online
Privacy Protection Act and any regulations promulgated under
the acts.
(3) The Breach of Personal Information Notification Act,
Privacy of Social Security Numbers Law and any regulations
promulgated under the acts.
(4) Other Federal and State data privacy and security
laws applicable to educational entities.
(b) State data system guidelines.--Within six months of the
effective date of this subsection, the department, in
consultation with a third-party cloud-based solution leader in
the industry, shall develop guidelines for the educational
entities' use of a State data system third-party platform to
assist educational entities in protecting student data.
(c) Model policies and procedures.--Within six months of the
effective date of this subsection, the department shall develop
and post on its publicly accessible Internet website a model:
(1) Student data privacy and security plan.
(2) Training program that provides best practices on
protecting student data and use of third-party vendor
platforms that an educational entity may use and adopt.
(3) Third-party vendor protection of student data
policy. The policy shall include best practices strategies
for student data security.
(4) Security policies and procedures to protect student
records and student data in accordance with this subarticle
to protect information from unauthorized access, destruction,
use, modification or disclosure.
(5) Review process for each request for data for the
purpose of external research or evaluation.
(d) Model contract.--
(1) Within six months of the effective date of this
subsection, the department, in consultation with a third-
party vendor and the Attorney General, shall provide guidance
and develop a model contract for use between educational
entities and third-party vendors to ensure that the
requirements of this subarticle are incorporated with the
educational entities' use of technologies and that third-
party vendors are contractually bound to sustain, enhance and
not erode privacy protections relating to the use, collection
and disclosure of student data. The model contract shall be
reviewed on a biennial basis and revised if necessary.
(2) The State Board of Education shall promulgate final-
omitted regulations under the act of June 25, 1982 (P.L.633,
No.181), known as the Regulatory Review Act, as necessary to
implement the model contract and may revise the model
contract by transmitting a notice to the Legislative
Reference Bureau for publication in the Pennsylvania Bulletin
that contains a summary of the revised model contract. The
revised model contract shall be placed on the department's
publicly accessible Internet website.
Section 1324-C. Educational entity duties and responsibilities.
(a) Policy.--Within one year of the effective date of this
subsection, each educational entity shall adopt a written policy
regarding:
(1) Third-party vendor protection of student data
policy.
(2) Reasonable security policies and procedures to
protect student records and student data, in accordance with
this subarticle to protect information from unauthorized
access, destruction, use, modification or disclosure.
(3) A review process for each request for data for the
purpose of external research or evaluation.
(4) The policies adopted by the educational entity under
this subsection may be based on the model policies developed
by the department under section 1323-C(c).
(5) The policies adopted under this subsection shall be
posted on the educational entity's publicly accessible
Internet website.
(6) The policies under this subsection shall be
submitted to the department upon adoption.
(b) Report.--Each educational entity shall report annually
to the department any proposed changes to the educational
entity's third-party vendor protection policies and the
educational entity's data security policies and procedures and
the number of occurrences of data security breaches. The annual
report shall be submitted to the department no later than July 1
of each year.
Section 1325-C. Educational entity and third-party vendor
contract requirements.
(a) General rule.--Each educational entity shall develop a
secure platform to protect student records and student data in
accordance with this subarticle to protect student data from
unauthorized access, destruction, use, modification or
disclosure.
(b) Authority.--An educational entity may enter into a
contract with a third-party vendor for goods and services to be
used primarily for K-12 school purposes to meet the requirements
of subsection (a). The contract must be in writing and signed by
each party and may be based on the model contract developed by
the department under section 1323-C(d).
(c) Contract terms.--The service or goods under the contract
may include educational learning tools requiring the use of
student data only if the third-party vendor contract contains
contractually binding terms for:
(1) Implementation and maintenance of reasonable
security procedures and practices appropriate to the nature
of the student data.
(2) Protection of student data from unauthorized access,
destruction, use, modification or disclosure.
(3) Deletion of student data if the educational entity
requests deletion of student data that is under the control
of the educational entity.
(4) Assurance that a contract made by the third-party
vendor with a subcontractor has the same binding contract
provisions and same prohibited acts for use of student data.
(5) Breach of contract clause for a violation of
prohibited use of student data under this subarticle.
(d) Contract terms and prohibited use of student data.--A
contract for goods or services with a third-party vendor shall
include the acts that are prohibited by the third-party vendor,
including:
(1) Using student data for a purpose other than
providing the contracted goods and services.
(2) Knowingly engaging in targeted marketing on the
third-party vendor's publicly accessible Internet website,
online service or application.
(3) Knowingly engaging in targeted marketing on any
other publicly accessible Internet website, service or
publication when the targeted marketing is based upon any
information, including the student data and the persistent
unique identifiers, that the third-party vendor has acquired
because of the use of the publicly accessible Internet
website, service or application under paragraph (1).
(4) Knowingly engaging in amassing a profile about a K-
12 student, including the third-party vendor's persistent use
of unique identifiers, created or gathered by the publicly
accessible Internet website, service or application, except
in furtherance of K-12 purposes.
(5) Selling student data, excluding activities involving
a merger or other type of acquisition of a third-party vendor
by another third-party vendor, if the acquiring third-party
vendor or successor entity continues to be subject to the
provision of this subarticle with respect to previously
acquired student data.
(6) Disclosing student data unless the disclosure is
permissible under this subarticle or Federal or State law.
Section 1326-C. Third-party vendor duties and responsibilities.
(a) Student data use and disclosure.--A third-party vendor
may:
(1) Use or disclose student data to allow or improve
operability and functionality within the student's classroom,
virtual instruction or within the educational entity in the
furtherance of the K-12 school purpose or is legally required
to comply with this subarticle.
(2) Use or disclose student data to ensure legal and
regulatory compliance, including complying with requirements
of Federal and State law in protecting and disclosing the
data.
(3) Use or disclose student data for research purposes
as required by Federal or State law under applicable
restrictions or if allowed under Federal or State law so long
as no student data is used for a purpose in the furtherance
of targeted marketing or to amass a profile on the student
for purposes other than K-12 school purposes.
(4) Disclose student data to respond to or participate
in the judicial process.
(5) Protect the safety of users or others or security of
the publicly accessible Internet website.
(6) Comply with the requirements and prohibitions
included in the contract with the educational entity for
goods and services to be used primarily for K-12 school
purposes under section 1325-C, as well as any additional
agreed-to requirements and prohibitions included in the
contract.
(7) Disclose student data to a service provider or a
subsequent subcontractor that may accompany the third-party
vendor in the provision of the good or service, if the third-
party vendor contractually prohibits the use of the student
data for any purpose other than providing the contracted
service to, or on behalf of, the third-party vendor,
prohibits the disclosure of student data provided by the
third-party vendor with subsequent third parties and requires
the implementation and maintenance of reasonable security
procedures and practices required of the third-party vendor
under section 1325-C(c).
(b) Deletion of student data.--A third-party vendor shall
delete student data if the educational entity requests deletion
of student data under the control of the educational entity.
(c) Disclosure or selling of information.--A third-party
vendor may disclose or sell student data to a service provider
or a subsequent subcontractor if the acquiring service provider,
third-party vendor or subsequent subcontractor agrees to be
subject to this subarticle with respect to previously acquired
student data and subsequently acquired student data.
Section 1327-C. Construction.
(a) Duty not imposed.--Notwithstanding any other provision
under this subarticle, this subarticle shall not impose a duty
upon:
(1) An electronic store, gateway, marketplace or other
means of purchasing or downloading software or applications
to review or enforce compliance of this section on the
applications or software.
(2) An interactive computer service to review or enforce
compliance with this section by third-party content
providers.
(b) Ability not limited.--Nothing under this subarticle
shall be construed to prohibit or otherwise limit the ability
of:
(1) An educational entity from reporting or making
available aggregate student data or other collective data for
reasonable usage.
(2) A third-party vendor from using student data,
including information protected in this subarticle, for the
purposes of adaptive learning or customized student learning
purposes or for maintaining, developing, supporting,
improving or diagnosing the third-party vendor's publicly
accessible Internet website, service or application.
(3) A third-party vendor from marketing educational
products directly to parents or students if the marketing did
not result from the use of student data obtained by the
third-party vendor through the provisions of goods or
services covered under this subarticle.
(4) An Internet service provider from providing Internet
connectivity to schools or students and their families.
(5) A student to download, export or save or maintain
the student's own student-created data or documents.
Section 1328-C. Enforcement.
An educational entity or third-party vendor that fails to
comply with a duty or other provision under this chapter
resulting in the intentional, knowing, reckless or negligent
data breach or security compromise shall be subject to the
following penalties and process:
(1) The Bureau of Consumer Protection in the Office of
Attorney General shall investigate any complaints received
concerning violations of this subarticle. If, after
investigating a complaint, the Attorney General finds that
there has been a violation of this subarticle, the Attorney
General may bring an action to impose a civil penalty up to
$10,000 for each violation and to seek other relief,
including injunctive relief, restitution and costs under the
act of December 17, 1968 (P.L.1224, No.387), known as the
Unfair Trade Practices and Consumer Protection Law.
(2) Prior to the initiation of a civil action, the
Attorney General may require the attendance and testimony of
witnesses and the production of documents. For this purpose,
the Attorney General may issue subpoenas, examine witnesses
and receive evidence. If a person objects to or otherwise
fails to comply with a subpoena or request for testimony, the
Attorney General may file in Commonwealth Court or any court
of record of the Commonwealth an action to enforce the
subpoenas or request. Notice of hearing of the action and a
copy of each pleading shall be served upon the person who may
appear in opposition.
(3) Testimony taken or material produced shall be kept
confidential by the Attorney General except to the extent
that the information may be used in a judicial proceeding, if
the disclosure is authorized by the court for good cause
shown or confidentiality is waived by the person being
investigated and by the person who has testified, answered
interrogatories or produced materials.
Section 1329-C. Criminal and civil liability.
Nothing under this subarticle shall limit, preclude or
supersede an action for criminal or civil liabilities applicable
or enforceable under a Federal or State law.
Section 1330-C. Regulations.
(a) General rule.--The State Board of Education, in
consultation with the Office of Attorney General, shall develop
regulations necessary to implement this subarticle.
(b) Final-omitted regulations.--Within one year of the
effective date of this subsection, the State Board of Education
shall promulgate final-omitted regulations under the act of June
25, 1982 (P.L.633, No.181), known as the Regulatory Review Act.
Section 4. This act shall take effect in 60 days.