Student Digital Privacy and Parental Rights Act of 2015
Prohibits an operator of a school's Internet or online service that is designed and marketed for K-12 educational or administrative purposes from presenting students or parents with targeted advertisements that are selected based on information obtained or inferred from: (1) students' online behavior or use of online or mobile applications, or (2) personally identifiable information about the student. Exempts online advertisements that are contextually relevant and selected based on a single visit or session of use during which the advertisements are presented, provided that information about students' online behavior is not collected or retained over time.
Prohibits operators from: (1) selling students' personal information to third parties; or (2) collecting student information to create a personal profile or for purposes unrelated to educational instruction, school collaboration, or administrative activities.
Requires operators to: (1) implement information security procedures and a process for responding to data breaches; (2) notify the Federal Trade Commission (FTC) and students, parents, educational agencies or institutions, school officials, or teachers of unauthorized acquisitions of, or access to, personal information; and (3) delete certain student information that is not required to be maintained by the school within 45 days after a request from an educational agency, institution, or student's parent or within one year after the operator ceases to provide the service.
Requires operators to disclose publicly the types of personal information they collect or generate, the purposes for which the information is used or disclosed to third parties, and the identity of any such third parties.
Instructs operators to establish procedures for parents and system users to access and correct certain information.
Allows operators to disclose students' information only for certain lawful purposes or pursuant to a process that requires the student's or parent's express affirmative request. Requires an operator to receive the student's or parent's request before providing transcripts for admission to an institution of higher education or to a potential employer.
Provides authority to the FTC to enforce this Act and treats violations as unfair or deceptive acts or practices under the Federal Trade Commission Act.
Authorizes a student who is at least 18 years of age, enrolled in an institution of higher education, or a secondary school graduate to provide any required consent or to exercise rights provided to parents under this Act.
[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2092 Introduced in House (IH)]
114th CONGRESS
1st Session
H. R. 2092
To require operators that provide online and similar services to
educational agencies or institutions to protect the privacy and
security of personally identifiable information, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 29, 2015
Mr. Messer (for himself and Mr. Polis) introduced the following bill;
which was referred to the Committee on Energy and Commerce, and in
addition to the Committee on Education and the Workforce, for a period
to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
committee concerned
_______________________________________________________________________
A BILL
To require operators that provide online and similar services to
educational agencies or institutions to protect the privacy and
security of personally identifiable information, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Student Digital Privacy and Parental
Rights Act of 2015''.
SEC. 2. DEFINITIONS.
(a) In General.--In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered information.--The term ``covered information''
means personally identifiable information, and information that
is linked or linkable to personally identifiable information,
that--
(A) is collected or generated through a school
service; and
(B)(i) the operator of the school service knows or
should know relates to a student; or
(ii) is collected, generated, or maintained at the
direction of an educational agency or institution
serving the student or officials of such an agency or
institution, including teachers.
(3) Educational agency or institution.--The term
``educational agency or institution'' has the meaning given
such term in section 444 of the General Education Provisions
Act (20 U.S.C. 1232g), except that such term does not include
an institution of higher education.
(4) Eligible student.--The term ``eligible student'' means
a student who--
(A) is 18 years of age or older;
(B) is enrolled in an institution of higher
education; or
(C) has graduated from a secondary school.
(5) Institution of higher education.--The term
``institution of higher education'' has the meaning given such
term in section 102 of the Higher Education Act of 1965 (20
U.S.C. 1002).
(6) K-12 purposes.--The term ``K-12 purposes'' means
purposes that--
(A) aid in the administration of activities by an
educational agency or institution, including
instruction in the classroom or at home, administrative
activities, and collaboration between students, school
personnel, or parents; or
(B) are for the use and benefit of the educational
agency or institution.
(7) Online contact information.--The term ``online contact
information'' means, with respect to a student, an email
address or any other substantially similar identifier that
permits direct contact with the student online, including an
instant messaging user identifier, a voice over Internet
Protocol identifier, a video chat user identifier, or a screen
name or user name that permits such contact.
(8) Operator.--The term ``operator'' means an entity that
operates a school service, except that such term does not
include an educational agency or institution.
(9) Personally identifiable information.--The term
``personally identifiable information'' includes, with respect
to a student--
(A) the student's first and last name;
(B) the first and last name of the student's parent
or another family member;
(C) the home or physical address of the student or
student's family;
(D) online contact information for the student;
(E) a personal identifier, such as the student's
social security number, student number, or biometric
record;
(F) a persistent identifier that can be used to
recognize a user over time and across different
Internet Web sites, online services, online
applications, or mobile applications, including a
customer number held in a cookie, an Internet Protocol
address, a processor or device serial number, or
another unique identifier;
(G) a photograph, video, or audio recording that
contains the student's image or voice;
(H) geolocation information sufficient to identify
street name and name of a city or town;
(I) other indirect identifiers, such as the
student's date of birth, place of birth, or mother's
maiden name;
(J) other information that, alone or in
combination, would allow an operator or a reasonable
person in the school community, who does not have
personal knowledge of the relevant circumstances, to
identify a specific student with reasonable certainty;
and
(K) information requested by a person who the
educational agency or institution reasonably believes
knows the identity of the student to whom the
information relates.
(10) School service.--The term ``school service'' means an
Internet Web site, online service (including a cloud computing
service), online application, or mobile application that is
used for K-12 purposes and was designed and marketed for K-12
purposes.
(11) State.--The term ``State'' means each State of the
United States, the District of Columbia, each territory or
possession of the United States, and each federally recognized
Indian tribe.
(12) Student.--The term ``student'' means any individual
who is or has been enrolled in an elementary school or
secondary school.
(13) Targeted advertising.--
(A) In general.--The term ``targeted advertising''
means presenting advertisements to a student or the
student's parent, where the advertisements are selected
based on information obtained or inferred from the
student's online behavior or use of online applications
or mobile applications or from covered information
about the student maintained by the operator of a
school service.
(B) Exclusion.--Such term does not include
presenting advertisements to a student or the student's
parent at an online location or through an online
application or mobile application, if--
(i) the advertisements are contextually
relevant;
(ii) the advertisements are selected based
on a single visit or session of use during
which the advertisements are presented; and
(iii) information about the student's
online behavior or use of online applications
or mobile applications is not collected or
retained over time.
(b) Terms Defined in Elementary and Secondary Education Act of
1965.--In this Act, the terms ``elementary school'', ``parent'', and
``secondary school'' have the meanings given such terms in section 9101
of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).
SEC. 3. PROTECTING STUDENT PRIVACY.
(a) Prohibited Practices.--An operator may not knowingly--
(1) engage in or permit targeted advertising on a school
service;
(2) collect, generate, use, or disclose any covered
information for purposes of targeted advertising;
(3) sell covered information to a third party;
(4) collect, generate, or use covered information
(including using covered information to create a personal
profile of a student) other than for K-12 purposes; or
(5) disclose covered information, unless the disclosure is
made--
(A) pursuant to lawful process or to ensure legal
and regulatory compliance with Federal or State law;
(B) in accordance with subsection (c), pursuant to
a request for disclosure--
(i) in the case of information about a
student, from the student's parent; or
(ii) in the case of information about a
student's parent or another user of the school
service, from the parent or such other user, as
the case may be;
(C) in accordance with subsection (c), pursuant to
a request for disclosure from a student who is or has
been enrolled in a secondary school or from the
student's parent for the exclusive purpose of--
(i) providing or authenticating the
student's transcript, standardized test scores,
letters of recommendation, or other information
required by an institution of higher education
for an application for admission or by a
potential employer for an application for
employment; or
(ii) providing information relating to--
(I) admission to an institution of
higher education; or
(II) a scholarship or financial aid
for attendance at an institution of
higher education;
(D) to protect the safety of users or others or the
security of the school service;
(E) to an educational agency or institution, as
permitted by Federal and State law; or
(F) to a third-party service provider of the
operator, and the operator contractually--
(i) prohibits the service provider from
using any covered information for any purpose
other than providing the contracted service to,
or on behalf of, the operator;
(ii) prohibits the service provider from
disclosing to subsequent third parties any
covered information disclosed by the operator
to the service provider; and
(iii) requires the service provider to
establish, implement, and maintain reasonable
security procedures as described in subsection
(b)(1).
(b) Requirements.--An operator shall--
(1) establish, implement, and maintain reasonable security
procedures appropriate to the nature of covered information to
protect the confidentiality, security, and integrity of covered
information;
(2) delete a student's covered information (except for
information that is required to be maintained by Federal or
State law) within a reasonable time, not to exceed 45 days,
after receiving--
(A) a request from an educational agency or
institution serving the student; or
(B) a request (either directly or through the
educational agency or institution) from the student's
parent, except in the case of information that is
included in the student's education records (as defined
in section 444 of the General Education Provisions Act
(20 U.S.C. 1232g)), such as the student's test scores
or grades, or that is directed by the educational
agency or institution to be maintained for educational
or administrative purposes;
(3) disclose publicly and to each educational agency or
institution to which the operator provides a school service, in
contracts or privacy policies in a manner that is clear and
easy to understand, the types of covered information collected
or generated (if any), the purposes for which the covered
information is used or disclosed to third parties, and the
identity of any such party;
(4) facilitate access to and correction of covered
information, either directly or through an educational agency
or institution--
(A) in the case of information about a student, by
the student's parent; or
(B) in the case of information about a parent or
another user of the school service, by the parent or
such other user, as the case may be;
(5) implement policies and procedures for responding to
data breaches involving unauthorized acquisition of or access
to personally identifiable information that occur on a school
service, in compliance with any obligations imposed by Federal
or State law;
(6) notify the Commission and, as appropriate, students,
parents, educational agencies or institutions, or officials of
such agencies or institutions (including teachers) of each data
breach involving unauthorized acquisition of or access to
personally identifiable information that occurs on a school
service, in compliance with any obligations imposed by Federal
or State law; and
(7) delete any covered information maintained by a school
service (except for information that is required to be
maintained by Federal or State law)--
(A) except as provided in subparagraph (B), within
a reasonable time, not to exceed one year, after the
operator ceases to provide the service to the
educational agency or institution, unless the
information is required to be maintained at the
direction of the educational agency or institution or
the student's parent; or
(B) if the operator continues providing the service
in whole or in part to a student after ceasing to
provide the service to the educational agency or
institution, within a reasonable time, not to exceed
one year, after the operator ceases to provide the
service to the student, unless the information is
required to be maintained at the direction of the
student's parent.
(c) Requirements for Certain Disclosures.--An operator may disclose
covered information under subparagraph (B) or (C) of subsection (a)(5)
only after the operator--
(1) receives from the student, the student's parent, or
other user of the school service, as the case may be (in this
subsection referred to as the ``requesting party''), an
affirmative express request (whether made directly or through
an educational agency or institution serving the student) to
disclose information specified in the request;
(2) provides to the requesting party, in a manner that is
clear and easy to understand, a description of the types of
covered information that will be disclosed to a third party,
any fees collected by the operator to cover administrative
costs, and the purposes for which the covered information will
be disclosed to and used by the third party;
(3) ensures that the third party agrees, in writing or an
electronic equivalent--
(A) not to use any covered information received
pursuant to the request for any purpose other than
fulfilling the purpose for which the request was made;
(B) not to disclose to subsequent third parties any
covered information received pursuant to the request;
and
(C) to establish, implement, and maintain
reasonable security procedures as described in
subsection (b)(1); and
(4) provides a readily available mechanism for the
requesting party to revoke the request.
(d) Effect on Mergers and Acquisitions.--The prohibitions of this
section on sale and disclosure of covered information do not apply to
the merger of an operator with another entity or the acquisition of the
operator by another entity (including any subsequent merger or
acquisition), provided that the operator or successor entity continues
to be subject to the provisions of this section with respect to covered
information acquired before the merger or acquisition.
(e) Continued Application.--This section shall continue to apply,
after a student is no longer enrolled in an elementary school or
secondary school, to covered information relating to the student that
was collected or generated while the student was enrolled.
SEC. 4. RULES OF CONSTRUCTION.
(a) In General.--This Act shall not--
(1) be construed to affect or otherwise alter the
protections and guarantees set forth in section 444 of the
General Education Provisions Act (20 U.S.C. 1232g) (commonly
known as the ``Family Educational Rights and Privacy Act of
1974''), the Children's Online Privacy Protection Act of 1998
(15 U.S.C. 6501 et seq.), or any other Federal statute relating
to privacy protection;
(2) be construed to limit the authority of a law
enforcement agency to obtain content or information from an
operator as authorized by law or pursuant to an order of a
court of competent jurisdiction;
(3) limit the ability of an operator to use information,
including covered information, for adaptive or personalized
student learning purposes;
(4) limit an educational agency or institution from
providing Internet access service for its own use, to other
educational agencies or institutions, or to students and their
families;
(5) be construed to prohibit an operator's use of covered
information for maintaining, developing, supporting, improving,
or diagnosing the operator's school service;
(6) be construed to prohibit an operator of a school
service from marketing educational products directly to
parents, provided that the marketing does not result from the
use of covered information;
(7) impose a duty upon a provider of an electronic store,
gateway, marketplace, or other means of purchasing or
downloading software or applications to review or enforce
compliance with this Act by operators of school services;
(8) impede the ability of a student or the student's parent
to download, export, create, or otherwise save or maintain data
or documents created by or about the student or noncommercial
applications created by the student, except to the extent any
such activity would result in disclosure prohibited by this Act
of covered information of other students or users of a school
service; or
(9) be construed to prohibit an operator from collecting a
reasonable fee to cover the administrative costs of making a
disclosure under section 3(a)(5)(C).
(b) De-Identified and Aggregated Covered Information.--
(1) In general.--Nothing in this Act prohibits an operator
from--
(A) using de-identified and aggregated covered
information--
(i) within the operator's school service or
other sites, services, or applications owned by
the operator to improve educational products;
or
(ii) to demonstrate the effectiveness of
the operator's products or services, including
in the marketing of such products or services;
or
(B) disclosing de-identified and aggregated covered
information for research and development, including--
(i) research, development, and improvement
of educational sites, services, and
applications; and
(ii) advancements in the science of
learning.
(2) Steps to prevent re-identification or disaggregation.--
If an operator uses or discloses covered information as
described in paragraph (1), the operator shall take reasonable
steps to ensure that the information cannot be manipulated in a
manner that would enable--
(A) identification of an individual to whom the
information relates; or
(B) disaggregation of aggregated information into
its component parts.
(c) Power To Consent and Rights Regarding Information About
Eligible Student.--Any provision of this Act that refers to the consent
of the student's parent for the use or disclosure of covered
information or the right of the student's parent to access or otherwise
obtain, use, correct, request disclosure of, or request deletion of
covered information, shall, in the case of covered information about an
eligible student, be considered to refer to the consent or right of the
student and not the student's parent.
(d) No Effect on Consent Under Other Law.--Except as provided in
section 5(g), this Act does not modify the requirements or standards
for consent, including consent from minors and employees on behalf of
educational institutions, under any other provision of Federal law or
under State law.
SEC. 5. IMPLEMENTATION AND ENFORCEMENT.
(a) Enforcement by Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act or a regulation promulgated under this Act shall be
treated as a violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of the commission.--The Commission shall enforce
this Act and the regulations promulgated under this Act in the
same manner, by the same means, and with the same jurisdiction,
powers, and duties as though all applicable terms and
provisions of the Federal Trade Commission Act (15 U.S.C. 41 et
seq.) were incorporated into and made a part of this Act, and
any person who violates this Act or a regulation promulgated
under this Act shall be subject to the penalties entitled to
the privileges and immunities provided in the Federal Trade
Commission Act, except as provided in paragraph (3).
(3) Enforcement with respect to non-profit organizations.--
Notwithstanding sections 4 and 5(a)(2) of the Federal Trade
Commission Act (15 U.S.C. 44; 45(a)(2)), any jurisdictional
limitation of the Commission with respect to nonprofit
organizations shall not apply for purposes of this Act.
(b) Preservation of Commission Authority.--Nothing in this Act may
be construed in any way to limit or affect the Commission's authority
under any other provision of law.
(c) Regulations.--The Commission may promulgate regulations under
section 553 of title 5, United States Code, to carry out this Act.
(d) Consultation and Cooperation With Secretary of Education.--The
Commission shall consult and cooperate with the Secretary of Education
in implementing and enforcing this Act, including in promulgating any
regulations to carry out this Act, in matters involving educational
agencies or institutions.
(e) Report by Commission.--Not later than 1 year after the
effective date described in section 6, and annually thereafter, the
Commission shall submit to Congress and make available on the Internet
Web site of the Commission a report on the number, scope, and nature of
the data breaches about which the Commission receives notice under
section 3(b)(6).
(f) Guidance and Technical Assistance From Secretary of
Education.--The Secretary of Education shall provide educational
agencies or institutions with reasonable guidance and technical
assistance with respect to preventing and responding to data breaches
involving unauthorized acquisition of or access to personally
identifiable information that occur on a school service, in compliance
with any obligations imposed by Federal or State law.
(g) Relationship to State Law.--
(1) In general.--This Act does not annul, alter, or affect,
or exempt any person subject to the provisions of this Act from
complying with, the laws of any State with respect to the
treatment of covered information by operators of school
services, except to the extent that such laws are inconsistent
with any provision of this Act, and then only to the extent of
the inconsistency. For purposes of this paragraph, a law of a
State is not inconsistent with this Act if the protection such
law affords any user of a school service is greater than the
protection provided by this Act.
(2) Rule of construction.--Any reference in this Act to
State law shall be considered also to refer to the law of a
political subdivision of a State.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the date that is 18 months after the
date of the enactment of this Act.
<all>
Introduced in House
Introduced in House
Referred to the Committee on Energy and Commerce, and in addition to the Committee on Education and the Workforce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Committee on Energy and Commerce, and in addition to the Committee on Education and the Workforce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Committee on Energy and Commerce, and in addition to the Committee on Education and the Workforce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
Llama 3.2 · runs locally in your browser
Ask anything about this bill. The AI reads the full text to answer.
Enter to send · Shift+Enter for new line