House File 213 - Introduced

HOUSE FILE 213
BY PETTENGILL

A BILL FOR

An Act relating to student online personal information protection and providing remedies.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1575YH (4) 86 kh/rj

Section 1. Section 714H.3, subsection 2, Code 2015, is amended by adding the following new paragraph:

NEW PARAGRAPH. g. Chapter 715D.

Sec. 2. NEW SECTION. 715D.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:

a. Is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s internet site, service, or application for kindergarten through grade twelve school purposes.

b. Is created or provided by an employee or agent of the school district, accredited nonpublic school, or area education agency, to an operator.

c. Is gathered by an operator through the operation of an internet site, service, or application described in subsection 3 and is descriptive of a student or otherwise identifies a student, including but not limited to information in the student’s educational record or e-mail, first and last name, home address, telephone number, e-mail address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

2. “Kindergarten through grade twelve school purposes” means purposes that customarily take place at the direction of a school district or accredited nonpublic school offering instruction at any or all levels from kindergarten through grade twelve, at the direction of an area education agency, or at the direction of a teacher employed by or under contract with a school district, accredited nonpublic school, or area education agency, and purposes which aid in the administration of school activities, including but not limited to instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school district, school, or area education agency.

3. “Operator” means the operator of an internet site, online service, online application, or mobile application with actual knowledge that the internet site, service, or application is used primarily for kindergarten through grade twelve school purposes and was designed and marketed for kindergarten through grade twelve school purposes. “Online service” includes cloud computing services that otherwise meet the definition of an operator.

Sec. 3. NEW SECTION. 715D.2 Prohibitions —— duties —— exceptions.

1. An operator, with respect to the operator’s internet site, service, or application, shall not knowingly do any of the following:

a. Engage in targeted advertising on the operator’s internet site, service, or application, or target advertising on any other internet site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s internet site, service, or application described in section 715D.1, subsection 3.

b. Use information, including persistent unique identifiers such as unique student identifiers, created or gathered by the operator’s internet site, service, or application, to amass a profile about a student enrolled in a kindergarten through grade twelve school in this state except in furtherance of kindergarten through grade twelve school purposes.

c. Sell a student’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this chapter with respect to previously acquired student information.

d. Disclose covered information unless the disclosure is any of the following:

(1) In furtherance of the kindergarten through grade twelve school purposes of the internet site, service, or application provided that the recipient of the covered information disclosed pursuant to this subparagraph shall not further disclose the information unless done to allow or improve operability and functionality within that student’s classroom or school and the recipient is legally required to comply with this paragraph “d”.

(2) To ensure legal and regulatory compliance.

(3) To respond to or participate in judicial process.

(4) To protect the safety of the internet site users or other persons identified on the internet site or security of the internet site.

(5) To a service provider, provided the operator contractually prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator; prohibits the service provider from disclosing any covered information provided by the operator to subsequent third parties; and requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection 3.

2. Subsection 1 shall not be construed to prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s internet site, service, or application.

3. An operator shall do all of the following:

a. Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect the covered information from unauthorized access, destruction, use, modification, or disclosure.

b. Delete a student’s covered information if the school district, accredited nonpublic school, or area education agency requests deletion of data under the control of the school district, the school, or the area education agency.

c. Notwithstanding subsection 1, paragraph “d”, as long as the operator does not violate subsection 1, paragraph “a”, “b”, or “c”, an operator may disclose covered information of a student under the following circumstances:

(1) If other provisions of federal or state law require the operator to disclose the information and the operator complies with the requirements of federal and state law in protecting and disclosing that information.

(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state or federal law or as allowed by state or federal law and under the direction of a school district, an accredited nonpublic school, an area education agency, or the state or federal department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile of the student for purposes other than kindergarten through grade twelve school purposes.

(3) To state or local educational agencies, including school districts, accredited nonpublic schools, area education agencies, and community colleges, for kindergarten through grade twelve school purposes, as permitted by state or federal law.

4. This section shall not be construed to do any of the following:

a. Prohibit an operator from using deidentified student covered information as follows:

(1) Within the operator’s internet site, service, or application or other internet sites, services, or applications owned by the operator to improve educational products.

(2) To demonstrate the effectiveness of the operator’s products or services and their marketing.

b. Prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational internet sites, services, or applications.

c. Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

d. Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.

e. Apply to general audience internet sites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s internet site, service, or application may be used to access those general audience internet sites, services, or applications.

f. Restrict internet service providers from providing internet connectivity to schools or students and their families.

g. Prohibit an operator of an internet site, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services regulated under this section.

h. Impose a duty upon a provider of an electronic store, gateway, or marketplace, or of another means of purchasing or downloading software or applications to review or enforce compliance with this section by such software or applications.

i. Impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. §230, to review or enforce compliance with this section by third-party content providers.

j. Impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.

Sec. 4. NEW SECTION. 715D.3 Remedies.

1. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this chapter pay damages to the attorney general for the benefit of a person injured by the violation.

2. The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under the law.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill places restrictions on operators of internet sites, online services, online applications, and mobile applications designed, marketed, and used primarily for kindergarten through grade twelve school purposes. A violation of any of the restrictions is an unlawful practice pursuant to Code section 714.16, a prohibited practice or act under Code section 714H.3, and, in addition, the attorney general may bring a civil action on behalf of an injured person.

PROHIBITIONS AND DISCLOSURE PROVISIONS.
The bill prohibits an operator from engaging in targeted advertising that is based on or derived from information the operator acquired through the operator’s internet site, service, or application; from using information created or gathered by the operator’s internet site, service, or application, to amass a profile about a student enrolled in a kindergarten through grade twelve school in this state except in furtherance of school purposes; and from selling a student’s information, though this prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the restrictions relating to previously acquired student information.

The operator is also prohibited from disclosing covered information unless the disclosure is in furtherance of the kindergarten through grade twelve school purposes and the recipient of the covered information is subject to similar restrictions. Disclosure is also authorized in order to ensure legal and regulatory compliance; to respond to or participate in judicial process, or to protect the safety of the internet site users or persons identified on the internet site or security of the internet site.

The operator may also disclose covered information to a service provider if the operator implements and maintains reasonable security procedures and practices, and, if the service provider is contractually prohibited from using any of the information for any purpose other than providing the contracted service to, or on behalf of, the operator, and from disclosing any covered information to subsequent third parties.

However, these prohibitions shall not be construed to prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s internet site, service, or application.

The operator is required to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure; and to delete a student’s covered information if the school district, accredited nonpublic school, or area education agency requests deletion of data under the control of the school district, school, or area education agency.

Notwithstanding the disclosure prohibitions, as long as the operator does not violate the provisions prohibiting targeting advertising, the use of student information to amass a profile, and the sale of student information, an operator may disclose covered information of a student if other provisions of federal or state law require the operator to disclose the information, or for legitimate research purposes as required by and subject to state or federal law and under the direction of the school district, school, or area education agency; and to state or local educational agencies as permitted by state or federal law.

The bill shall not be construed to prohibit an operator from using deidentified student covered information to improve educational products or to demonstrate the effectiveness of the operator’s products or services and their marketing; to prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational internet sites, services, or applications; to limit a law enforcement agency from obtaining information as authorized by law or court order; to limit the ability of an operator to use student data for adaptive learning or customized student learning purposes; to apply to general audience internet sites, general audience online services, general audience online applications, or general audience mobile applications; to restrict internet service providers from providing internet connectivity to schools or students and their families; to prohibit an operator from marketing educational products directly to parents so long as the marketing did not result from the use of covered information; to impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with applicable restrictions by such software or applications; to impose a duty upon a provider of an interactive computer service to review or enforce compliance by third-party content providers; or to impede the ability of students to download, export, or otherwise save or maintain their own student-created data or documents.

REMEDIES. The bill provides that a violation of new Code chapter 715D is a prohibited practice or act under Code section 714H.3, providing for a private right of action for a person who suffers an ascertainable loss of money or property as the result of a prohibited practice or act, allowing the person to bring an action at law to recover actual damages and to seek court protection from further violations including temporary and permanent injunctive relief.

In addition to the remedies provided to the attorney general pursuant to Code section 714.16(7), the attorney general may seek and obtain an order that a party held to violate the chapter pay damages to the attorney general on behalf of a person injured by the violation. The rights and remedies available are cumulative to each other and to any other rights and remedies available under the law.

DEFINITIONS. The bill provides that “online service” includes cloud computing services. “Covered information” means personally identifiable information or materials, in any media or format that is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K–12 school purposes; is created or provided by an employee or agent of the school district, accredited nonpublic school, or area education agency, to an operator; or is gathered by an operator and is descriptive of a student or otherwise identifies a student.

“Kindergarten through grade twelve school purposes” means purposes that customarily take place at the direction of a school district or accredited nonpublic school offering instruction at any or all levels from kindergarten through grade twelve or at the direction of an area education agency or a teacher employed by or under contract with a school district, accredited nonpublic school, or area education agency, and purposes which aid in the administration of school activities, including but not limited to instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school district, school, or area education agency.