House
File
213
-
Introduced
HOUSE
FILE
213
BY
PETTENGILL
A
BILL
FOR
An
Act
relating
to
student
online
personal
information
1
protection
and
providing
remedies.
2
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
3
TLSB
1575YH
(4)
86
kh/rj
H.F.
213
Section
1.
Section
714H.3,
subsection
2,
Code
2015,
is
1
amended
by
adding
the
following
new
paragraph:
2
NEW
PARAGRAPH
.
g.
Chapter
715D.
3
Sec.
2.
NEW
SECTION
.
715D.1
Definitions.
4
As
use
in
this
chapter,
unless
the
context
otherwise
5
requires:
6
1.
“Covered
information”
means
personally
identifiable
7
information
or
materials,
in
any
media
or
format
that
meets
any
8
of
the
following:
9
a.
Is
created
or
provided
by
a
student,
or
the
student’s
10
parent
or
legal
guardian,
to
an
operator
in
the
course
of
the
11
student’s,
parent’s,
or
legal
guardian’s
use
of
the
operator’s
12
internet
site,
service,
or
application
for
kindergarten
through
13
grade
twelve
school
purposes.
14
b.
Is
created
or
provided
by
an
employee
or
agent
of
the
15
school
district,
accredited
nonpublic
school,
or
area
education
16
agency,
to
an
operator.
17
c.
Is
gathered
by
an
operator
through
the
operation
18
of
an
internet
site,
service,
or
application
described
in
19
subsection
3
and
is
descriptive
of
a
student
or
otherwise
20
identifies
a
student,
including
but
not
limited
to
information
21
in
the
student’s
educational
record
or
e-mail,
first
and
last
22
name,
home
address,
telephone
number,
e-mail
address,
other
23
information
that
allows
physical
or
online
contact,
discipline
24
records,
test
results,
special
education
data,
juvenile
25
dependency
records,
grades,
evaluations,
criminal
records,
26
medical
records,
health
records,
social
security
number,
27
biometric
information,
disabilities,
socioeconomic
information,
28
food
purchases,
political
affiliations,
religious
information,
29
text
messages,
documents,
student
identifiers,
search
activity,
30
photos,
voice
recordings,
or
geolocation
information.
31
2.
“Kindergarten
through
grade
twelve
school
purposes”
32
means
purposes
that
customarily
take
place
at
the
direction
33
of
a
school
district
or
accredited
nonpublic
school
offering
34
instruction
at
any
or
all
levels
from
kindergarten
through
35
-1-
LSB
1575YH
(4)
86
kh/rj
1/
10
H.F.
213
grade
twelve,
at
the
direction
of
an
area
education
agency,
or
1
at
the
direction
of
a
teacher
employed
by
or
under
contract
2
with
a
school
district,
accredited
nonpublic
school,
or
area
3
education
agency,
and
purposes
which
aid
in
the
administration
4
of
school
activities,
including
but
not
limited
to
instruction
5
in
the
classroom
or
at
home,
administrative
activities,
and
6
collaboration
between
students,
school
personnel,
or
parents,
7
or
are
for
the
use
and
benefit
of
the
school
district,
school,
8
or
area
education
agency.
9
3.
“Operator”
means
the
operator
of
an
internet
site,
online
10
service,
online
application,
or
mobile
application
with
actual
11
knowledge
that
the
internet
site,
service,
or
application
is
12
used
primarily
for
kindergarten
through
grade
twelve
school
13
purposes
and
was
designed
and
marketed
for
kindergarten
through
14
grade
twelve
school
purposes.
“Online
service”
includes
cloud
15
computing
services
that
otherwise
meet
the
definition
of
an
16
operator.
17
Sec.
3.
NEW
SECTION
.
715D.2
Prohibitions
——
duties
——
18
exceptions.
19
1.
An
operator,
with
respect
to
the
operator’s
internet
20
site,
service,
or
application,
shall
not
knowingly
do
any
of
21
the
following:
22
a.
Engage
in
targeted
advertising
on
the
operator’s
internet
23
site,
service,
or
application,
or
target
advertising
on
any
24
other
internet
site,
service,
or
application
when
the
targeting
25
of
the
advertising
is
based
upon
any
information,
including
26
covered
information
and
persistent
unique
identifiers,
that
the
27
operator
has
acquired
because
of
the
use
of
that
operator’s
28
internet
site,
service,
or
application
described
in
section
29
715D.1,
subsection
3.
30
b.
Use
information,
including
persistent
unique
identifiers
31
such
as
unique
student
identifiers,
created
or
gathered
by
the
32
operator’s
internet
site,
service,
or
application,
to
amass
33
a
profile
about
a
student
enrolled
in
a
kindergarten
through
34
grade
twelve
school
in
this
state
except
in
furtherance
of
35
-2-
LSB
1575YH
(4)
86
kh/rj
2/
10
H.F.
213
kindergarten
through
grade
twelve
school
purposes.
1
c.
Sell
a
student’s
information,
including
covered
2
information.
This
prohibition
does
not
apply
to
the
purchase,
3
merger,
or
other
type
of
acquisition
of
an
operator
by
another
4
entity,
provided
that
the
operator
or
successor
entity
5
continues
to
be
subject
to
the
provisions
of
this
chapter
with
6
respect
to
previously
acquired
student
information.
7
d.
Disclose
covered
information
unless
the
disclosure
is
any
8
of
the
following:
9
(1)
In
furtherance
of
the
kindergarten
through
grade
twelve
10
school
purposes
of
the
internet
site,
service,
or
application
11
provided
that
the
recipient
of
the
covered
information
12
disclosed
pursuant
to
this
subparagraph
shall
not
further
13
disclose
the
information
unless
done
to
allow
or
improve
14
operability
and
functionality
within
that
student’s
classroom
15
or
school
and
the
recipient
is
legally
required
to
comply
with
16
this
paragraph
“d”
.
17
(2)
To
ensure
legal
and
regulatory
compliance.
18
(3)
To
respond
to
or
participate
in
judicial
process.
19
(4)
To
protect
the
safety
of
the
internet
site
users
or
20
other
persons
identified
on
the
internet
site
or
security
of
21
the
internet
site.
22
(5)
To
a
service
provider,
provided
the
operator
23
contractually
prohibits
the
service
provider
from
using
any
24
covered
information
for
any
purpose
other
than
providing
the
25
contracted
service
to,
or
on
behalf
of,
the
operator;
prohibits
26
the
service
provider
from
disclosing
any
covered
information
27
provided
by
the
operator
to
subsequent
third
parties;
and
28
requires
the
service
provider
to
implement
and
maintain
29
reasonable
security
procedures
and
practices
as
provided
in
30
subsection
3.
31
2.
Subsection
1
shall
not
be
construed
to
prohibit
the
32
operator’s
use
of
information
for
maintaining,
developing,
33
supporting,
improving,
or
diagnosing
the
operator’s
internet
34
site,
service,
or
application.
35
-3-
LSB
1575YH
(4)
86
kh/rj
3/
10
H.F.
213
3.
An
operator
shall
do
all
of
the
following:
1
a.
Implement
and
maintain
reasonable
security
procedures
and
2
practices
appropriate
to
the
nature
of
the
covered
information,
3
and
protect
the
covered
information
from
unauthorized
access,
4
destruction,
use,
modification,
or
disclosure.
5
b.
Delete
a
student’s
covered
information
if
the
school
6
district,
accredited
nonpublic
school,
or
area
education
agency
7
requests
deletion
of
data
under
the
control
of
the
school
8
district,
the
school,
or
the
area
education
agency.
9
c.
Notwithstanding
subsection
1,
paragraph
“d”
,
as
long
10
as
the
operator
does
not
violate
subsection
1,
paragraph
“a”
,
11
“b”
,
or
“c”
,
an
operator
may
disclose
covered
information
of
a
12
student
under
the
following
circumstances:
13
(1)
If
other
provisions
of
federal
or
state
law
require
the
14
operator
to
disclose
the
information
and
the
operator
complies
15
with
the
requirements
of
federal
and
state
law
in
protecting
16
and
disclosing
that
information.
17
(2)
For
legitimate
research
purposes
as
required
by
state
or
18
federal
law
and
subject
to
the
restrictions
under
applicable
19
state
or
federal
law
or
as
allowed
by
state
or
federal
law
20
and
under
the
direction
of
a
school
district,
an
accredited
21
nonpublic
school,
an
area
education
agency,
or
the
state
or
22
federal
department
of
education,
if
no
covered
information
is
23
used
for
any
purpose
in
furtherance
of
advertising
or
to
amass
24
a
profile
of
the
student
for
purposes
other
than
kindergarten
25
through
grade
twelve
school
purposes.
26
(3)
To
state
or
local
educational
agencies,
including
27
school
districts,
accredited
nonpublic
schools,
area
education
28
agencies,
and
community
colleges,
for
kindergarten
through
29
grade
twelve
school
purposes,
as
permitted
by
state
or
federal
30
law.
31
4.
This
section
shall
not
be
construed
to
do
any
of
the
32
following:
33
a.
Prohibit
an
operator
from
using
deidentified
student
34
covered
information
as
follows:
35
-4-
LSB
1575YH
(4)
86
kh/rj
4/
10
H.F.
213
(1)
Within
the
operator’s
internet
site,
service,
or
1
application
or
other
internet
sites,
services,
or
applications
2
owned
by
the
operator
to
improve
educational
products.
3
(2)
To
demonstrate
the
effectiveness
of
the
operator’s
4
products
or
services
and
their
marketing.
5
b.
Prohibit
an
operator
from
sharing
aggregated
deidentified
6
student
covered
information
for
the
development
and
improvement
7
of
educational
internet
sites,
services,
or
applications.
8
c.
Limit
the
authority
of
a
law
enforcement
agency
to
obtain
9
any
content
or
information
from
an
operator
as
authorized
10
by
law
or
pursuant
to
an
order
of
a
court
of
competent
11
jurisdiction.
12
d.
Limit
the
ability
of
an
operator
to
use
student
data,
13
including
covered
information,
for
adaptive
learning
or
14
customized
student
learning
purposes.
15
e.
Apply
to
general
audience
internet
sites,
general
16
audience
online
services,
general
audience
online
applications,
17
or
general
audience
mobile
applications,
even
if
login
18
credentials
created
for
an
operator’s
internet
site,
service,
19
or
application
may
be
used
to
access
those
general
audience
20
internet
sites,
services,
or
applications.
21
f.
Restrict
internet
service
providers
from
providing
22
internet
connectivity
to
schools
or
students
and
their
23
families.
24
g.
Prohibit
an
operator
of
an
internet
site,
online
service,
25
online
application,
or
mobile
application
from
marketing
26
educational
products
directly
to
parents
so
long
as
the
27
marketing
did
not
result
from
the
use
of
covered
information
28
obtained
by
the
operator
through
the
provision
of
services
29
regulated
under
this
section.
30
h.
Impose
a
duty
upon
a
provider
of
an
electronic
store,
31
gateway,
or
marketplace,
or
of
another
means
of
purchasing
32
or
downloading
software
or
applications
to
review
or
enforce
33
compliance
with
this
section
by
such
software
or
applications.
34
i.
Impose
a
duty
upon
a
provider
of
an
interactive
computer
35
-5-
LSB
1575YH
(4)
86
kh/rj
5/
10
H.F.
213
service,
as
defined
in
47
U.S.C.
§230,
to
review
or
enforce
1
compliance
with
this
section
by
third-party
content
providers.
2
j.
Impede
the
ability
of
students
to
download,
export,
or
3
otherwise
save
or
maintain
their
own
student-created
data
or
4
documents.
5
Sec.
4.
NEW
SECTION
.
715D.3
Remedies.
6
1.
A
violation
of
this
chapter
is
an
unlawful
practice
7
pursuant
to
section
714.16
and,
in
addition
to
the
remedies
8
provided
to
the
attorney
general
pursuant
to
section
714.16,
9
subsection
7,
the
attorney
general
may
seek
and
obtain
an
order
10
that
a
party
held
to
violate
this
chapter
pay
damages
to
the
11
attorney
general
for
the
benefit
of
a
person
injured
by
the
12
violation.
13
2.
The
rights
and
remedies
available
under
this
chapter
are
14
cumulative
to
each
other
and
to
any
other
rights
and
remedies
15
available
under
the
law.
16
EXPLANATION
17
The
inclusion
of
this
explanation
does
not
constitute
agreement
with
18
the
explanation’s
substance
by
the
members
of
the
general
assembly.
19
This
bill
places
restrictions
on
operators
of
internet
20
sites,
online
services,
online
applications,
and
mobile
21
applications
designed,
marketed,
and
used
primarily
for
22
kindergarten
through
grade
twelve
school
purposes.
A
violation
23
of
any
of
the
restrictions
is
an
unlawful
practice
pursuant
to
24
Code
section
714.16,
a
prohibited
practice
or
act
under
Code
25
section
714H.3,
and,
in
addition,
the
attorney
general
may
26
bring
a
civil
action
on
behalf
of
an
injured
person.
27
PROHIBITIONS
AND
DISCLOSURE
PROVISIONS.
The
bill
prohibits
28
an
operator
from
engaging
in
targeted
advertising
that
is
29
based
on
or
derived
from
information
the
operator
acquired
30
through
the
operator’s
internet
site,
service,
or
application;
31
from
using
information
created
or
gathered
by
the
operator’s
32
internet
site,
service,
or
application,
to
amass
a
profile
33
about
a
student
enrolled
in
a
kindergarten
through
grade
34
twelve
school
in
this
state
except
in
furtherance
of
school
35
-6-
LSB
1575YH
(4)
86
kh/rj
6/
10
H.F.
213
purposes;
and
from
selling
a
student’s
information,
though
this
1
prohibition
does
not
apply
to
the
purchase,
merger,
or
other
2
type
of
acquisition
of
an
operator
by
another
entity,
provided
3
that
the
operator
or
successor
entity
continues
to
be
subject
4
to
the
restrictions
relating
to
previously
acquired
student
5
information.
6
The
operator
is
also
prohibited
from
disclosing
covered
7
information
unless
the
disclosure
is
in
furtherance
of
the
8
kindergarten
through
grade
twelve
school
purposes
and
the
9
recipient
of
the
covered
information
is
subject
to
similar
10
restrictions.
Disclosure
is
also
authorized
in
order
to
ensure
11
legal
and
regulatory
compliance;
to
respond
to
or
participate
12
in
judicial
process,
or
to
protect
the
safety
of
the
internet
13
site
users
or
persons
identified
on
the
internet
site
or
14
security
of
the
internet
site.
15
The
operator
may
also
disclose
covered
information
to
a
16
service
provider
if
the
operator
implements
and
maintains
17
reasonable
security
procedures
and
practices,
and,
if
the
18
service
provider
is
contractually
prohibited
from
using
any
19
of
the
information
for
any
purpose
other
than
providing
the
20
contracted
service
to,
or
on
behalf
of,
the
operator,
and
from
21
disclosing
any
covered
information
to
subsequent
third
parties.
22
However,
these
prohibitions
shall
not
be
construed
to
23
prohibit
the
operator’s
use
of
information
for
maintaining,
24
developing,
supporting,
improving,
or
diagnosing
the
operator’s
25
internet
site,
service,
or
application.
26
The
operator
is
required
to
implement
and
maintain
27
reasonable
security
procedures
and
practices
appropriate
to
the
28
nature
of
the
covered
information,
and
protect
that
information
29
from
unauthorized
access,
destruction,
use,
modification,
or
30
disclosure;
and
to
delete
a
student’s
covered
information
if
31
the
school
district,
accredited
nonpublic
school,
or
area
32
education
agency
requests
deletion
of
data
under
the
control
of
33
the
school
district,
school,
or
area
education
agency.
34
Notwithstanding
the
disclosure
prohibitions,
as
long
as
the
35
-7-
LSB
1575YH
(4)
86
kh/rj
7/
10
H.F.
213
operator
does
not
violate
the
provisions
prohibiting
targeting
1
advertising,
the
use
of
student
information
to
amass
a
profile,
2
and
the
sale
of
student
information,
an
operator
may
disclose
3
covered
information
of
a
student
if
other
provisions
of
federal
4
or
state
law
require
the
operator
to
disclose
the
information,
5
or
for
legitimate
research
purposes
as
required
by
and
subject
6
to
state
or
federal
law
and
under
the
direction
of
the
school
7
district,
school,
or
area
education
agency;
and
to
state
or
8
local
educational
agencies
as
permitted
by
state
or
federal
9
law.
10
The
bill
shall
not
be
construed
to
prohibit
an
operator
11
from
using
deidentified
student
covered
information
to
improve
12
educational
products
or
to
demonstrate
the
effectiveness
of
13
the
operator’s
products
or
services
and
their
marketing;
to
14
prohibit
an
operator
from
sharing
aggregated
deidentified
15
student
covered
information
for
the
development
and
improvement
16
of
educational
internet
sites,
services,
or
applications;
to
17
limit
a
law
enforcement
agency
from
obtaining
information
18
as
authorized
by
law
or
court
order;
to
limit
the
ability
19
of
an
operator
to
use
student
data
for
adaptive
learning
or
20
customized
student
learning
purposes;
to
apply
to
general
21
audience
internet
sites,
general
audience
online
services,
22
general
audience
online
applications,
or
general
audience
23
mobile
applications;
to
restrict
internet
service
providers
24
from
providing
internet
connectivity
to
schools
or
students
25
and
their
families;
to
prohibit
an
operator
from
marketing
26
educational
products
directly
to
parents
so
long
as
the
27
marketing
did
not
result
from
the
use
of
covered
information;
28
to
impose
a
duty
upon
a
provider
of
an
electronic
store,
29
gateway,
marketplace,
or
other
means
of
purchasing
or
30
downloading
software
or
applications
to
review
or
enforce
31
compliance
with
applicable
restrictions
by
such
software
32
or
applications;
to
impose
a
duty
upon
a
provider
of
an
33
interactive
computer
service
to
review
or
enforce
compliance
34
by
third-party
content
providers;
or
to
impede
the
ability
of
35
-8-
LSB
1575YH
(4)
86
kh/rj
8/
10
H.F.
213
students
to
download,
export,
or
otherwise
save
or
maintain
1
their
own
student-created
data
or
documents.
2
REMEDIES.
The
bill
provides
that
a
violation
of
new
Code
3
chapter
715D
is
a
prohibited
practice
or
act
under
Code
section
4
714H.3,
providing
for
a
private
right
of
action
for
a
person
5
who
suffers
an
ascertainable
loss
of
money
or
property
as
the
6
result
of
a
prohibited
practice
or
act,
allowing
the
person
to
7
bring
an
action
at
law
to
recover
actual
damages
and
to
seek
8
court
protection
from
further
violations
including
temporary
9
and
permanent
injunctive
relief.
10
In
addition
to
the
remedies
provided
to
the
attorney
general
11
pursuant
to
Code
section
714.16(7),
the
attorney
general
may
12
seek
and
obtain
an
order
that
a
party
held
to
violate
the
13
chapter
pay
damages
to
the
attorney
general
on
behalf
of
a
14
person
injured
by
the
violation.
The
rights
and
remedies
15
available
are
cumulative
to
each
other
and
to
any
other
rights
16
and
remedies
available
under
the
law.
17
DEFINITIONS.
The
bill
provides
that
“online
service”
18
includes
cloud
computing
services.
“Covered
information”
19
means
personally
identifiable
information
or
materials,
in
any
20
media
or
format
that
is
created
or
provided
by
a
student,
or
21
the
student’s
parent
or
legal
guardian,
to
an
operator
in
the
22
course
of
the
student’s,
parent’s,
or
legal
guardian’s
use
of
23
the
operator’s
site,
service,
or
application
for
K–12
school
24
purposes;
is
created
or
provided
by
an
employee
or
agent
of
the
25
school
district,
accredited
nonpublic
school,
or
area
education
26
agency,
to
an
operator;
or
is
gathered
by
an
operator
and
is
27
descriptive
of
a
student
or
otherwise
identifies
a
student.
28
“Kindergarten
through
grade
twelve
school
purposes”
means
29
purposes
that
customarily
take
place
at
the
direction
of
30
a
school
district
or
accredited
nonpublic
school
offering
31
instruction
at
any
or
all
levels
from
kindergarten
through
32
grade
twelve
or
at
the
direction
of
an
area
education
agency
or
33
a
teacher
employed
by
or
under
contract
with
a
school
district,
34
accredited
nonpublic
school,
or
area
education
agency,
and
35
-9-
LSB
1575YH
(4)
86
kh/rj
9/
10
H.F.
213
purposes
which
aid
in
the
administration
of
school
activities,
1
including
but
not
limited
to
instruction
in
the
classroom
or
2
at
home,
administrative
activities,
and
collaboration
between
3
students,
school
personnel,
or
parents,
or
are
for
the
use
4
and
benefit
of
the
school
district,
school,
or
area
education
5
agency.
6
-10-
LSB
1575YH
(4)
86
kh/rj
10/
10