PRINTER'S NO. 1315

THE GENERAL ASSEMBLY OF PENNSYLVANIA

SENATE BILL

No.

342

Session of

2024

INTRODUCED BY CAPPELLETTI, KANE, FONTANA, PENNYCUICK, COSTA,

SCHWANK, DILLON, KEARNEY, BREWSTER AND COLLETT,

JANUARY 8, 2024

laws relating thereto," providing for school safety practices

and for student online personal data safety practices;

imposing penalties; making an appropriation; and making

editorial changes.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

Section 1. Article XIII-C of the act of March 10, 1949

(P.L.30, No.14), known as the Public School Code of 1949, is

amended by adding a subarticle heading to read:

subarticle shall have the meanings given to them in this section

unless the context clearly indicates otherwise:

* * *

Section 1310-C. Employee status.

When acting within the scope of this [article] subarticle,

school police officers shall, at all times, be employees of the

school entity or nonpublic school and shall be entitled to all

of the rights and benefits accruing from that employment.

Section 1311-C. Independent contractors and third-party

vendors.

Section 1312-C. Construction.

Nothing in this [article] subarticle shall be construed to

preclude a school entity or nonpublic school from employing

other security personnel as the school entity or nonpublic

school deems necessary.

Section 1315-C. Duties of commission.

The commission shall have the following duties under this

[article] subarticle:

* * *

Section 3. Article XIII-C of the act is amended by adding a

The purpose of this subarticle is to strengthen privacy

protections for students using education services technology by

prohibiting educational technology providers operating in an

educational entity from:

(1) Selling student data.

(2) Using information collected to advertise to students

and families.

(3) Creating student profiles to be used for

noneducation purposes.

Section 1322-C. Definitions.

(1) Filter, screen, allow or disallow content.

(2) Pick, choose, analyze or digest content.

(3) Transmit, receive, display, forward, cache, search,

subset, organize, reorganize or translate content.

"Attorney General." The Attorney General of the

Commonwealth.

"Biometric identifier." A measurable biological or

behavioral characteristic that can be used for automated

recognition of an individual. The following apply:

(i) A retina or iris scan.

(ii) A fingerprint.

(iii) A human biological sample.

(iv) A scan of the hand.

(v) A voice print.

(vi) Facial geometry.

(2) The term shall not include any of the following:

(i) A physical description, including height,

weight, hair color or eye color.

(ii) A writing sample.

(iii) A written signature.

(iv) Demographic data.

"Breach of Personal Information Notification Act." The act

of December 22, 2005 (P.L.474, No.94), known as the Breach of

(2) Review all educational entity reports, policies,

plans or any revisions to reports, policies or plans, that

are required by this subarticle to be submitted to the

department or to the chief data security officer.

(3) Conduct outreach to educational entities, provide

notice of guidelines or department development or revision of

models required under this subarticle.

(4) Provide student data related information, material,

model language or resources requested by an educational

(5) Review contracts submitted by educational entities

and advise educational entities of any noncompliance issues

an educational entity may experience under this subarticle.

(6) Compile each educational entity's report of

compromise of student data submitted as required under

section 1324-C(c), the data contained in the compromise

report and the provider contracted with when the compromise

occurred. The chief data security officer shall:

(i) Upon receipt of an occurrence of compromise from

an educational entity, notify the secretary of the

compromise. The report shall include the date of the

occurrence of a compromise of student data and identify

the providers upon receipt of the report of the provider

by the educational entity of the steps taken by the

compromise. The entry shall include the date of the

compromise and the date of the provider's resolution of

the compromise. The chief data security officer shall

assign a risk level to the situation of compromise. A

provider shall be deemed a high risk when the severity,

frequency, level of compromise or any other factors the

chief data security officer deems relevant indicates the

provider offers services with a potential for exposure of

student data.

determining the risk level of the compromise and updating

the provider's record of risk in the searchable database,

as appropriate.

(7) Maintain a list of providers, contact information

and the services a provider offers to each educational

entity. The list shall include the risk level assessed to the

provider if the provider is recorded in the database created

in paragraph (6)(ii).

(8) Perform any other duty the department deems

necessary for a chief data security officer to perform in

furthering the protection of student data.

"Children's Online Privacy Protection Act." The Children's

Online Privacy Protection Act (Public Law 105-277, Div. C, Title

XIII).

Commonwealth.

"Educational record." Student data or other student

information created and maintained by an educational entity or a

third party.

"Family Educational Rights and Privacy Act." The Family

Educational Rights and Privacy Act of 1974 (Public Law 90-247,

20 U.S.C. § 1232g).

"IEP." An Individualized Education Plan under the

Individuals with Disabilities Education Act.

Individuals with Disabilities Education Act (Public Law 91-230,

20 U.S.C. § 1400 et seq.).

"Information service." The offering of a capability for

generating, acquiring, storing, transforming, processing,

retrieving, utilizing or making available information via

telecommunications. The term includes electronic publishing, but

does not include any use of a capability for the management,

control or operation of a telecommunications system or the

management of a telecommunications service.

"Interactive computer service." An information service,

system or access software that provides or enables computer

access by multiple users to a computer server, including a

service or system that provides access to the Internet and the

systems operated or services offered by libraries or educational

place at the direction of the K-12 school, teacher or

educational entity or aids in the administration of school

activities, including instruction in the classroom or at home,

administrative activities and collaboration between students,

school personnel or parents or guardians or that is for the use

and benefit of the school.

"Online service." Online service, including cloud computing

services, provided by an entity subject to this subarticle.

"Privacy of Social Security Numbers Law." The act of June

Security Numbers Law.

"Protection of Pupil Rights Amendment." 20 U.S.C. § 1232h

(relating to protection of pupil rights).

"Provider." Any of the following which enter into a written

or oral contract with an education entity to provide related

goods or services for the current school year:

(1) A third-party vendor, contractor, subcontractor,

corporation, partnership, business trust, foundation, limited

liability company, corporation or partnership, incorporated

or unincorporated association, organization or any other

legal entity.

(2) A government entity, other than the Commonwealth.

(3) A natural person.

"Secretary." The Secretary of Education of the Commonwealth.

including any of the following:

(1) The following information regarding the student:

(i) Name.

(ii) Date and location of birth.

(iii) Social Security number.

(iv) Gender.

(v) Race.

(vi) Ethnicity.

(vii) Tribal affiliation.

(ix) Migrant status.

(x) English language learner status.

(xi) Disability status.

(xii) Mother's maiden name.

(xiii) Contact information, including telephone

numbers, email addresses, physical addresses, home

address, geolocation information and other distinct

contact identifiers.

(xiv) Text messages, photos, voice recordings or

documents.

(xv) Search identifiers or search activities.

(xvi) Disabilities.

(xvii) Special education records or an applicable

mandate under the Individuals with Disabilities Education

for an exception from taking a State or local assessment.

(xxi) Courses taken and completed, credits earned or

other transcript information.

(xxii) Course grades, grade point average,

evaluations or another indicator of academic achievement.

(xxiii) Cohort graduation rate or related

information.

(xxiv) Degree, diploma, credential attainment or

other school exit information.

(xxvi) Dropout data.

(xxvii) An immunization record or the reason for an

exception from receiving an immunization.

(xxviii) Remediation efforts.

entity shall have 60 days to adopt a revised policy with any

deficiencies cured. Within 10 days after adoption, the

educational entity shall submit the policy to the chief data

security officer for review.

(c) Compromise.--Within 10 days of an educational entity

being notified or becoming aware of a compromise of student

data, the following shall apply:

(1) The educational entity shall submit information to

the chief data security officer of the occurrence of the

compromise.

deficiencies in the data system that facilitated the

compromise of the data.

(3) The provider shall have five days to issue a report

of the requested information.

(4) Upon receipt of the report, the educational entity

shall submit the report to the chief data security officer.

Section 1325-C. Interactive computer service contract.

(a) Contract.--

(1) An educational entity may enter into a contract with

learning, access software or online communication services,

including on-site learning services, remote online learning

services, quasi remote online learning services, virtual

video and audio conferencing, to be used primarily for K-12

school purposes. The contract must be in writing and signed

by each party. Within 10 days of entering a contract with a

provider, an educational entity shall report to the chief

data security officer the name of the provider, provider

contact information and a list of services contracted for

with the provider.

(2) A contract with a provider entered into by the

educational entity prior to the effective date of this

paragraph shall be reviewed by the governing body of the

educational entity within 60 days of the effective date of

(ii) terminate the contract and the provider awarded

the contract shall be compensated for the actual expenses

reasonably incurred under the contract prior to the

termination. The compensation shall not include loss of

anticipated profit, loss of use of money or

administrative overhead cost.

(b) Terms.--The service or goods under the contract may

include educational learning tools or communication platforms

requiring the use of student data only if the contract with the

(1) Implementation and maintenance of reasonable

security procedures and practices appropriate for student

data.

(2) Protection of student data from unauthorized access,

destruction, use, modification or disclosure.

(3) Deletion of student data if the educational entity

requests deletion of student data that is under the control

of the educational entity.

(4) Assurance that any contract the provider enters with

any subcontractor will contain the same binding provisions

that the provider is subject to and the same protections and

prohibited uses of student data for the subcontractor.

(b.1) Damages.--The use of student data contrary to the

provisions of this subarticle shall subject the provider to all

provider's failure to protect student data.

(c) Duties to be included.--A contract for goods or services

with a provider shall contain, at a minimum, the duties and

requirements under section 1326-C.

(d) Use of model contract.--An educational entity, in its

sole discretion, may base its contract on the model contract

developed by the department or may develop an original contract

to meet the requirements of this subarticle.

(e) Limitation.--Except when applicable in Federal or State

disclosing of student data prohibition does not apply to a

merger or acquisition of a provider by another provider when the

acquiring or successor provider continues to be subject to this

subarticle and the prohibition of acts, uses or disclosures of

student data, including any student data obtained through the

merger or acquisition.

Section 1326-C. Third-party vendor duties and responsibilities.

(a) Student data use and disclosure.--A third-party vendor

may:

(1) Use or disclose student data to ensure legal and

regulatory compliance, including complying with requirements

of Federal and State law in protecting and disclosing the

data.

(2) Disclose student data to respond to or participate

service to, or on behalf of, the third-party vendor,

prohibits the disclosure of student data provided by the

third-party vendor with subsequent third parties and requires

the implementation and maintenance of reasonable security

procedures and practices required of the third-party vendor

under section 1325-C(c).

(b) Merger or sale.--In the event of a merger or sale by a

provider to a third party, the following shall apply:

(1) A provider shall delete student data if the

the control of the educational entity.

(2) A provider may disclose student data to a service

provider or a subsequent subcontractor if the acquiring

service provider, provider or subsequent subcontractor agrees

to be subject to this subarticle with respect to previously

acquired student data and subsequently acquired student data.

(3) A provider shall provide notification to the

educational entity at least 60 days prior to the sale or

merger.

(4) An educational entity shall have the right to

terminate the existing contract with the provider with no

compensation for early termination or damages to the

provider.

Section 1327-C. Construction.

applications or software.

(2) An interactive computer service to review or enforce

compliance with this section by third-party content

providers.

(b) Ability not limited.--Nothing under this subarticle

shall be construed to prohibit or otherwise limit the ability

of:

(1) An educational entity from reporting or making

available aggregate student data or other collective data for

(2) A third-party vendor from using student data,

including information protected in this subarticle, for the

purposes of adaptive learning or customized student learning

purposes or for maintaining, developing, supporting,

improving or diagnosing the third-party vendor's publicly

accessible Internet website, service or application.

(3) A third-party vendor from marketing educational

products directly to parents or students if the marketing did

not result from the use of student data obtained by the

third-party vendor through the provisions of goods or

services covered under this subarticle.

(4) An Internet service provider from providing Internet

connectivity to schools or students and their families.

(5) A student or the student's parent or legal guardian

(1) The Bureau of Consumer Protection in the Office of

Attorney General shall investigate any complaints received

concerning violations of this subarticle. If, after

investigating a complaint, the Attorney General finds that

there has been a violation of this subarticle, the Attorney

General may bring an action to impose a civil penalty up to

$10,000 for each violation and to seek other relief,

including injunctive relief, restitution and costs under the

act of December 17, 1968 (P.L.1224, No.387), known as the

(2) Prior to the initiation of a civil action, the

Attorney General may require the attendance and testimony of

witnesses and the production of documents. For this purpose,

the Attorney General may issue subpoenas, examine witnesses

and receive evidence. If a person objects to or otherwise

fails to comply with a subpoena or request for testimony, the

Attorney General may file in Commonwealth Court or any court

of record of the Commonwealth an action to enforce the

subpoenas or request. Noti ce of hearing of the action and a

copy of each pleading shall be served upon the person who may

appear in opposition.

(3) Testimony taken or material produced shall be kept

confidential by the Attorney General except to the extent

that the information may be used in a judicial proceeding, if

supersede an action for criminal or civil liabilities applicable

or enforceable under a Federal or State law.

Section 1330-C. Regulations.

(a) General rule.--The State Board of Education, in

consultation with the Office of Attorney General, shall develop

regulations necessary to implement this subarticle .

(b) Final-omitted regulations.--Within one year of the

effective date of this subsection, the State Board of Education

shall promulgate final-omitted regulations under the act of June

Section 4. The sum of $500,000 shall be appropriated from

of implementation of the provisions of this act.

Section 5. This act shall take effect in six months.