H.F. 2354 Section 1. NEW SECTION . 279.70 Student online personal 1 information protection. 2 1. As used in this section, unless the context otherwise 3 requires: 4 a. “Attendance center” means a school district building 5 that contains classrooms used for instructional purposes for 6 elementary, middle, or secondary school students. 7 b. “Covered information” means personally identifiable 8 information or material, or information that is linked to 9 personally identifiable information or material, in any media 10 or format that is not publicly available and is any of the 11 following: 12 (1) Created by or provided to an operator by a student, or 13 the student’s parent or legal guardian, in the course of the 14 student’s, parent’s, or legal guardian’s use of the operator’s 15 site, service, or application for kindergarten through grade 16 twelve school purposes. 17 (2) Created by or provided to an operator by an employee 18 or agent of a school district or attendance center for 19 kindergarten through grade twelve school purposes. 20 (3) Gathered by an operator through the operation of its 21 site, service, or application for kindergarten through grade 22 twelve school purposes and personally identifies a student, 23 including but not limited to information in the student’s 24 educational record or electronic mail, first and last name, 25 home address, telephone number, electronic mail address, or 26 other information that allows physical or online contact, 27 discipline records, test results, special education data, 28 juvenile dependency records, grades, evaluations, criminal 29 records, medical records, health records, social security 30 number, biometric information, disabilities, socioeconomic 31 information, food purchases, political affiliations, religious 32 information, text messages, documents, student identifiers, 33 search activity, photos, voice recordings, or geolocation 34 information. 35 -1- LSB 1417HV (3) 87 kh/jh/rj 1/ 9

H.F. 2354 c. “Interactive computer service” means that term as defined 1 in 47 U.S.C. §230. 2 d. “Kindergarten through grade twelve school purposes” means 3 purposes that are directed by or that customarily take place at 4 the direction of a kindergarten through grade twelve attendance 5 center, school district, or a practitioner employed by a school 6 district, in the administration of school activities, including 7 but not limited to instruction in the classroom or at home, 8 administrative activities, and collaboration between students, 9 school district or attendance center personnel, or parents, or 10 are otherwise for the use and benefit of the school district or 11 attendance center. 12 e. “Operator” means, to the extent that it is operating 13 in this capacity, the operator of an internet site, online 14 service, online application, or mobile application with actual 15 knowledge that the site, service, or application is used 16 primarily for kindergarten through grade twelve school purposes 17 and was designed and marketed for such purposes. 18 f. “School district” means a public school district 19 described in chapter 274. 20 g. “Targeted advertising” means presenting advertisements 21 to a student where the advertisement is selected based on 22 information obtained or inferred over time from that student’s 23 online behavior, usage of applications, or covered information. 24 “Targeted advertising” does not include advertising to a student 25 at an online location based upon that student’s current visit 26 to that location, or in response to that student’s request 27 for information or feedback, without the retention of that 28 student’s online activities or requests over time for the 29 purpose of targeting subsequent ads. 30 2. a. An operator shall not knowingly do any of the 31 following: 32 (1) Engage in targeted advertising on the operator’s 33 internet site, service, or application, or target advertising 34 on any other internet site, service, or application if the 35 -2- LSB 1417HV (3) 87 kh/jh/rj 2/ 9

H.F. 2354 targeting of the advertising is based on any information, 1 including covered information and persistent unique 2 identifiers, that the operator has acquired because of the use 3 of that operator’s internet site, service, or application for 4 kindergarten through grade twelve school purposes. 5 (2) Use information, including persistent unique 6 identifiers, created or gathered by the operator’s internet 7 site, service, or application, to amass a profile about a 8 student except in furtherance of kindergarten through grade 9 twelve school purposes. “Amass a profile” does not include the 10 collection and retention of account information that remains 11 under the control of the student, the student’s parent or 12 guardian, or kindergarten through grade twelve school. 13 (3) Sell or rent a student’s information, including covered 14 information. This subparagraph does not apply to the purchase, 15 merger, or other type of acquisition of an operator by another 16 entity, if the operator or successor entity complies with this 17 section regarding previously acquired student information, or 18 to national assessment providers if the provider secures the 19 express written consent of the parent or student, given in 20 response to clear and conspicuous notice, solely to provide 21 access to employment, educational scholarships or financial 22 aid, or postsecondary educational opportunities. 23 (4) Except as otherwise provided in subsection 4, disclose 24 covered information unless the disclosure is made for the 25 following purposes: 26 (a) In furtherance of the kindergarten through grade twelve 27 school purpose of the internet site, service, or application, 28 if the recipient of the covered information disclosed under 29 this subparagraph division does not further disclose the 30 information unless done to allow or improve operability and 31 functionality of the operator’s internet site, service, or 32 application. 33 (b) To ensure legal and regulatory compliance or protect 34 against liability. 35 -3- LSB 1417HV (3) 87 kh/jh/rj 3/ 9

H.F. 2354 (c) To respond to or participate in the judicial process. 1 (d) To protect the safety or integrity of users of the 2 internet site or others or the security of the internet site, 3 service, or application. 4 (e) For a kindergarten through grade twelve school, 5 educational, or employment purpose requested by the student or 6 the student’s parent or guardian, provided that the information 7 is not used or further disclosed for any other purpose. 8 (f) To a third party, if the operator contractually 9 prohibits the third party from using any covered information 10 for any purpose other than providing the contracted service 11 to or on behalf of the operator and requires the third party 12 to protect student information to the same extent that the 13 operator is required to do pursuant to this section, prohibits 14 the third party from disclosing any covered information 15 provided by the operator with subsequent third parties, and 16 requires the third party to implement and maintain security 17 procedures and practices consistent with current industry 18 standards and all applicable state and federal laws, rules, and 19 regulations. 20 b. Nothing in paragraph “a” shall prohibit the operator’s 21 use of information for maintaining, developing, supporting, 22 improving, or diagnosing the operator’s internet site, service, 23 or application. 24 3. An operator shall do all of the following: 25 a. Implement and maintain security procedures and practices 26 consistent with current industry standards and all applicable 27 state and federal laws, rules, and regulations appropriate to 28 the nature of the covered information designed to protect that 29 covered information from unauthorized access, destruction, use, 30 modification, or disclosure. 31 b. Delete as soon as reasonably practicable, a student’s 32 covered information if the school district or attendance center 33 requests deletion of covered information under the control of 34 the school district or attendance center, unless a student or 35 -4- LSB 1417HV (3) 87 kh/jh/rj 4/ 9

H.F. 2354 parent or guardian consents to the maintenance of the covered 1 information. 2 4. An operator may use or disclose covered information of a 3 student under all of the following circumstances: 4 a. If other provisions of federal or state law require the 5 operator to disclose the information, and the operator complies 6 with the requirements of federal and state law in protecting 7 and disclosing that information. 8 b. If no covered information is used for advertising or 9 to amass a profile on the student for purposes other than 10 elementary, middle school, or high school purposes; for 11 legitimate research purposes, as required by state or federal 12 law and subject to the restrictions under applicable state 13 and federal law; or as allowed by state or federal law and 14 in furtherance of kindergarten through grade twelve school 15 purposes or postsecondary educational purposes. 16 c. To a state or local educational agency, including 17 kindergarten through grade twelve attendance centers and 18 school districts, for kindergarten through grade twelve school 19 purposes, as permitted by state or federal law. 20 5. This section does not prohibit an operator from doing any 21 of the following: 22 a. Using covered information to improve educational products 23 if that information is not associated with an identified 24 student within the operator’s internet site, service, or 25 application or other internet sites, services, or applications 26 owned by the operator. 27 b. Using covered information that is not associated with 28 an identified student to demonstrate the effectiveness of the 29 operator’s products or services, including in the operator’s 30 marketing. 31 c. Sharing covered information that is not associated with 32 an identified student for the development and improvement of 33 educational internet sites, services, or applications. 34 d. Using recommendation engines to recommend to a student 35 -5- LSB 1417HV (3) 87 kh/jh/rj 5/ 9

H.F. 2354 either of the following: 1 (1) Additional content relating to an educational, 2 other learning, or employment opportunity purpose within an 3 online site, service, or application if the recommendation 4 is not determined in whole or in part by payment or other 5 consideration from a third party. 6 (2) Additional services relating to an educational, 7 other learning, or employment opportunity purpose within an 8 online site, service, or application if the recommendation 9 is not determined in whole or in part by payment or other 10 consideration from a third party. 11 e. Responding to a student’s request for information or for 12 feedback without the information or response being determined 13 in whole or in part by payment or other consideration from a 14 third party. 15 6. This section does not do any of the following: 16 a. Limit the authority of a law enforcement agency to obtain 17 any content or information from an operator as authorized by 18 law or under a court order. 19 b. Limit the ability of an operator to use student data, 20 including covered information, for adaptive learning or 21 customized student learning purposes. 22 c. Apply to general audience internet sites, general 23 audience online services, general audience online applications, 24 or general audience mobile applications, even if login 25 credentials created for an operator’s internet site, service, 26 or application may be used to access those general audience 27 internet sites, services, or applications. 28 d. Limit service providers from providing internet 29 connectivity to attendance centers or students and students’ 30 families. 31 e. Prohibit an operator of an internet site, online service, 32 online application, or mobile application from marketing 33 educational products directly to parents if the marketing did 34 not result from the use of covered information obtained by the 35 -6- LSB 1417HV (3) 87 kh/jh/rj 6/ 9

H.F. 2354 operator through the provision of services covered under this 1 section. 2 f. Impose a duty upon a provider of an electronic store, 3 gateway, marketplace, or other means of purchasing or 4 downloading software or applications to review or enforce 5 compliance with this section on those applications or software. 6 g. Impose a duty on a provider of an interactive computer 7 service to review or enforce compliance with this section by 8 third-party content providers. 9 h. Prohibit students from downloading, exporting, 10 transferring, saving, or maintaining the students’ own student 11 data or documents. 12 EXPLANATION 13 The inclusion of this explanation does not constitute agreement with 14 the explanation’s substance by the members of the general assembly. 15 This bill places restrictions on third parties that receive 16 student data from a school district or attendance center, 17 and on operators of internet sites, online services, online 18 applications, and mobile applications designed, marketed, and 19 used primarily for kindergarten through grade 12 (K-12) school 20 purposes. 21 PROHIBITIONS AND DISCLOSURE PROVISIONS. The bill prohibits 22 an operator from knowingly engaging in targeted advertising 23 that is based on or derived from information the operator 24 acquired through use of that operator’s internet sites and 25 from using information created or gathered by the operator to 26 amass a profile about a K-12 student in this state except in 27 furtherance of school purposes. The bill also prohibits an 28 operator from knowingly selling a student’s information, though 29 this prohibition does not apply to the purchase, merger, or 30 other type of acquisition of an operator by another entity, 31 provided that the operator or successor entity continues to be 32 subject to the same restrictions. 33 The operator is also prohibited from disclosing covered 34 information unless the disclosure is in furtherance of K-12 35 -7- LSB 1417HV (3) 87 kh/jh/rj 7/ 9

H.F. 2354 school purposes and the recipient of the covered information is 1 subject to similar restrictions. Disclosure is also authorized 2 in order to ensure legal and regulatory compliance, to respond 3 to or participate in judicial process, or to protect the safety 4 or security of the internet site. 5 The operator may also disclose covered information to a 6 service provider if the operator implements and maintains 7 reasonable security procedures and if the service provider is 8 contractually prohibited from using any of the information for 9 any purpose other than providing the contracted service to, or 10 on behalf of, the operator, and from disclosing any covered 11 information provided by the operator to subsequent third 12 parties. 13 However, these prohibitions do not prohibit the operator’s 14 use of information for maintaining, developing, supporting, 15 improving, or diagnosing the operator’s internet site, service, 16 or application. 17 The operator is required to implement and maintain 18 reasonable security procedures and protect covered information 19 from unauthorized access, destruction, use, modification, or 20 disclosure; and to delete a student’s covered information if 21 the school district or attendance center requests deletion of 22 data under its control. 23 Notwithstanding the disclosure prohibitions, as long as 24 the operator does not violate the provisions prohibiting 25 targeted advertising, the use of student information to amass a 26 profile, and the sale of student information, an operator may 27 disclose covered information of a student if other provisions 28 of federal or state law require the operator to disclose the 29 information, or for legitimate research purposes as required by 30 and subject to state or federal law and under the direction of 31 the school district or attendance center; and to state or local 32 educational agencies as permitted by state or federal law. 33 The bill does not prohibit an operator from using 34 deidentified student covered information to improve educational 35 -8- LSB 1417HV (3) 87 kh/jh/rj 8/ 9

H.F. 2354 products; limit a law enforcement agency from obtaining 1 information as authorized by law or court order; limit the 2 ability of an operator to use student data for adaptive 3 learning or customized student learning purposes; apply 4 to general audience internet sites, services, and online 5 applications; restrict internet service providers from 6 providing internet connectivity to attendance centers or 7 students and their families; prohibit an operator from 8 marketing educational products directly to parents so long 9 as the marketing did not result from the use of covered 10 information; impose a duty upon a provider of an electronic 11 store, gateway, marketplace, or other means of purchasing or 12 downloading software or applications to review or enforce 13 compliance with applicable restrictions by such software or 14 applications; impose a duty upon a provider of an interactive 15 computer service to review or enforce compliance by third-party 16 content providers; or prohibit students from downloading, 17 exporting, or otherwise saving or maintaining their own 18 student-created data or documents. 19 DEFINITIONS. The bill provides definitions for “operator”, 20 “covered information”, “targeted advertising”, and 21 “kindergarten through grade twelve school purposes”. 22 -9- LSB 1417HV (3) 87 kh/jh/rj 9/ 9