H.F. 92 Section 1. Section 714H.3, subsection 2, Code 2017, is 1 amended by adding the following new paragraph: 2 NEW PARAGRAPH . h. Chapter 715D. 3 Sec. 2. NEW SECTION . 715D.1 Definitions. 4 As used in this chapter, unless the context otherwise 5 requires: 6 1. “Covered information” means personally identifiable 7 information or materials, in any media or format that meets any 8 of the following: 9 a. Is created or provided by a student, or the student’s 10 parent or legal guardian, to an operator in the course of the 11 student’s, parent’s, or legal guardian’s use of the operator’s 12 internet site, service, or application for kindergarten through 13 grade twelve school purposes. 14 b. Is created or provided by an employee or agent of the 15 school district, accredited nonpublic school, or area education 16 agency, to an operator. 17 c. Is gathered by an operator through the operation 18 of an internet site, service, or application described in 19 subsection 3 and is descriptive of a student or otherwise 20 identifies a student, including but not limited to information 21 in the student’s educational record or e-mail, first and last 22 name, home address, telephone number, e-mail address, other 23 information that allows physical or online contact, discipline 24 records, test results, special education data, juvenile 25 dependency records, grades, evaluations, criminal records, 26 medical records, health records, social security number, 27 biometric information, disabilities, socioeconomic information, 28 food purchases, political affiliations, religious information, 29 text messages, documents, student identifiers, search activity, 30 photos, voice recordings, or geolocation information. 31 2. “Kindergarten through grade twelve school purposes” 32 means purposes that customarily take place at the direction 33 of a school district or accredited nonpublic school offering 34 instruction at any or all levels from kindergarten through 35 -1- LSB 1417YH (8) 87 kh/jh/rj 1/ 10

H.F. 92 grade twelve, at the direction of an area education agency, or 1 at the direction of a teacher employed by or under contract 2 with a school district, accredited nonpublic school, or area 3 education agency, and purposes which aid in the administration 4 of school activities, including but not limited to instruction 5 in the classroom or at home, administrative activities, and 6 collaboration between students, school personnel, or parents, 7 or are for the use and benefit of the school district, school, 8 or area education agency. 9 3. “Operator” means the operator of an internet site, online 10 service, online application, or mobile application with actual 11 knowledge that the internet site, service, or application is 12 used primarily for kindergarten through grade twelve school 13 purposes and was designed and marketed for kindergarten 14 through grade twelve school purposes. “Operator” includes 15 any third party that receives student data, including covered 16 information, from a school district, accredited nonpublic 17 school, or area education agency. “Online service” includes 18 cloud computing services that otherwise meet the definition of 19 an operator. 20 Sec. 3. NEW SECTION . 715D.2 Prohibitions —— duties —— 21 exceptions. 22 1. An operator, with respect to the operator’s internet 23 site, service, or application, shall not knowingly do any of 24 the following: 25 a. Engage in targeted advertising on the operator’s internet 26 site, service, or application, or target advertising on any 27 other internet site, service, or application when the targeting 28 of the advertising is based upon any information, including 29 covered information and persistent unique identifiers, that the 30 operator has acquired because of the use of that operator’s 31 internet site, service, or application described in section 32 715D.1, subsection 3. 33 b. Use information, including persistent unique identifiers 34 such as unique student identifiers, created or gathered by the 35 -2- LSB 1417YH (8) 87 kh/jh/rj 2/ 10

H.F. 92 operator’s internet site, service, or application, to amass 1 a profile about a student enrolled in a kindergarten through 2 grade twelve school in this state except in furtherance of 3 kindergarten through grade twelve school purposes. 4 c. Sell a student’s information, including covered 5 information. This prohibition does not apply to the purchase, 6 merger, or other type of acquisition of an operator by another 7 entity, provided that the operator or successor entity 8 continues to be subject to the provisions of this chapter with 9 respect to previously acquired student information. 10 d. Disclose covered information unless the disclosure is any 11 of the following: 12 (1) In furtherance of the kindergarten through grade twelve 13 school purposes of the internet site, service, or application, 14 provided that the recipient of the covered information 15 disclosed pursuant to this subparagraph shall not further 16 disclose the information unless done to allow or improve 17 operability and functionality within that student’s classroom 18 or school and the recipient is legally required to comply with 19 this paragraph “d” . 20 (2) To ensure legal and regulatory compliance. 21 (3) To respond to or participate in judicial process. 22 (4) To protect the safety of the internet site users or 23 other persons identified on the internet site or security of 24 the internet site. 25 (5) To a service provider, provided the operator 26 contractually prohibits the service provider from using any 27 covered information for any purpose other than providing the 28 contracted service to, or on behalf of, the operator, prohibits 29 the service provider from disclosing any covered information 30 provided by the operator to subsequent third parties; and 31 requires the service provider to implement and maintain 32 reasonable security procedures and practices as provided in 33 subsection 3. 34 2. Subsection 1 shall not be construed to prohibit the 35 -3- LSB 1417YH (8) 87 kh/jh/rj 3/ 10

H.F. 92 operator’s use of information for maintaining, developing, 1 supporting, improving, or diagnosing the operator’s internet 2 site, service, or application. 3 3. An operator shall do all of the following: 4 a. Implement and maintain reasonable security procedures and 5 practices appropriate to the nature of the covered information, 6 and protect the covered information from unauthorized access, 7 destruction, use, modification, or disclosure. 8 b. Delete a student’s covered information if the school 9 district, accredited nonpublic school, or area education agency 10 requests deletion of data under the control of the school 11 district, the school, or the area education agency. 12 c. Notwithstanding subsection 1, paragraph “d” , as long 13 as the operator does not violate subsection 1, paragraph “a” , 14 “b” , or “c” , an operator may disclose covered information of a 15 student under the following circumstances: 16 (1) If other provisions of federal or state law require the 17 operator to disclose the information and the operator complies 18 with the requirements of federal and state law in protecting 19 and disclosing that information. 20 (2) For legitimate research purposes as required by state or 21 federal law and subject to the restrictions under applicable 22 state or federal law or as allowed by state or federal law 23 and under the direction of a school district, an accredited 24 nonpublic school, an area education agency, or the state or 25 federal department of education, if no covered information is 26 used for any purpose in furtherance of advertising or to amass 27 a profile of the student for purposes other than kindergarten 28 through grade twelve school purposes. 29 (3) To state or local educational agencies, including 30 school districts, accredited nonpublic schools, area education 31 agencies, and community colleges, for kindergarten through 32 grade twelve school purposes, as permitted by state or federal 33 law. 34 4. This section shall not be construed to do any of the 35 -4- LSB 1417YH (8) 87 kh/jh/rj 4/ 10

H.F. 92 following: 1 a. Prohibit an operator from using deidentified student 2 covered information as follows: 3 (1) Within the operator’s internet site, service, or 4 application or other internet sites, services, or applications 5 owned by the operator to improve educational products. 6 (2) To demonstrate the effectiveness of the operator’s 7 products or services and their marketing. 8 b. Prohibit an operator from sharing aggregated deidentified 9 student covered information for the development and improvement 10 of educational internet sites, services, or applications. 11 c. Limit the authority of a law enforcement agency to obtain 12 any content or information from an operator as authorized 13 by law or pursuant to an order of a court of competent 14 jurisdiction. 15 d. Limit the ability of an operator to use student data, 16 including covered information, for adaptive learning or 17 customized student learning purposes. 18 e. Apply to general audience internet sites, general 19 audience online services, general audience online applications, 20 or general audience mobile applications, even if login 21 credentials created for an operator’s internet site, service, 22 or application may be used to access those general audience 23 internet sites, services, or applications. 24 f. Restrict internet service providers from providing 25 internet connectivity to schools or students and their 26 families. 27 g. Prohibit an operator of an internet site, online service, 28 online application, or mobile application from marketing 29 educational products directly to parents so long as the 30 marketing did not result from the use of covered information 31 obtained by the operator through the provision of services 32 regulated under this section. 33 h. Impose a duty upon a provider of an electronic store, 34 gateway, or marketplace, or of another means of purchasing 35 -5- LSB 1417YH (8) 87 kh/jh/rj 5/ 10

H.F. 92 or downloading software or applications to review or enforce 1 compliance with this section by such software or applications. 2 i. Impose a duty upon a provider of an interactive computer 3 service, as defined in 47 U.S.C. §230, to review or enforce 4 compliance with this section by third-party content providers. 5 j. Impede the ability of students to download, export, or 6 otherwise save or maintain their own student-created data or 7 documents. 8 Sec. 4. NEW SECTION . 715D.3 Remedies. 9 1. A violation of this chapter is an unlawful practice 10 pursuant to section 714.16 and, in addition to the remedies 11 provided to the attorney general pursuant to section 714.16, 12 subsection 7, the attorney general may seek and obtain an order 13 that a party held to violate this chapter pay damages to the 14 attorney general for the benefit of a person injured by the 15 violation. 16 2. The rights and remedies available under this chapter are 17 cumulative to each other and to any other rights and remedies 18 available under the law. 19 EXPLANATION 20 The inclusion of this explanation does not constitute agreement with 21 the explanation’s substance by the members of the general assembly. 22 This bill places restrictions on third parties that 23 receive student data from a school district, accredited 24 nonpublic school, or area education agency; and on operators 25 of internet sites, online services, online applications, and 26 mobile applications designed, marketed, and used primarily 27 for kindergarten through grade 12 (K-12) school purposes. A 28 violation of any of the restrictions is an unlawful practice 29 pursuant to Code section 714.16, a prohibited practice or act 30 under Code section 714H.3, and, in addition, the attorney 31 general may bring a civil action on behalf of an injured 32 person. 33 PROHIBITIONS AND DISCLOSURE PROVISIONS. The bill prohibits 34 an operator from engaging in targeted advertising that is 35 -6- LSB 1417YH (8) 87 kh/jh/rj 6/ 10

H.F. 92 based on or derived from information the operator acquired 1 through the operator’s internet site, service, or application; 2 from using information created or gathered by the operator’s 3 internet site, service, or application, to amass a profile 4 about a student enrolled in a K-12 school in this state except 5 in furtherance of school purposes; and from selling a student’s 6 information, though this prohibition does not apply to the 7 purchase, merger, or other type of acquisition of an operator 8 by another entity, provided that the operator or successor 9 entity continues to be subject to the restrictions relating to 10 previously acquired student information. 11 The operator is also prohibited from disclosing covered 12 information unless the disclosure is in furtherance of the K-12 13 school purposes and the recipient of the covered information is 14 subject to similar restrictions. Disclosure is also authorized 15 in order to ensure legal and regulatory compliance, to respond 16 to or participate in judicial process, or to protect the 17 safety of the internet site users or persons identified on the 18 internet site or security of the internet site. 19 The operator may also disclose covered information to a 20 service provider if the operator implements and maintains 21 reasonable security procedures and practices, and, if the 22 service provider is contractually prohibited from using any 23 of the information for any purpose other than providing the 24 contracted service to, or on behalf of, the operator, and from 25 disclosing any covered information provided by the operator to 26 subsequent third parties. 27 However, these prohibitions shall not be construed to 28 prohibit the operator’s use of information for maintaining, 29 developing, supporting, improving, or diagnosing the operator’s 30 internet site, service, or application. 31 The operator is required to implement and maintain 32 reasonable security procedures and practices appropriate to the 33 nature of the covered information, and protect that information 34 from unauthorized access, destruction, use, modification, or 35 -7- LSB 1417YH (8) 87 kh/jh/rj 7/ 10

H.F. 92 disclosure; and to delete a student’s covered information if 1 the school district, accredited nonpublic school, or area 2 education agency requests deletion of data under the control of 3 the school district, school, or area education agency. 4 Notwithstanding the disclosure prohibitions, as long as the 5 operator does not violate the provisions prohibiting targeting 6 advertising, the use of student information to amass a profile, 7 and the sale of student information, an operator may disclose 8 covered information of a student if other provisions of federal 9 or state law require the operator to disclose the information, 10 or for legitimate research purposes as required by and subject 11 to state or federal law and under the direction of the school 12 district, school, or area education agency; and to state or 13 local educational agencies as permitted by state or federal 14 law. 15 The bill shall not be construed to prohibit an operator 16 from using deidentified student covered information to improve 17 educational products or to demonstrate the effectiveness of 18 the operator’s products or services and their marketing; to 19 prohibit an operator from sharing aggregated deidentified 20 student covered information for the development and improvement 21 of educational internet sites, services, or applications; to 22 limit a law enforcement agency from obtaining information 23 as authorized by law or court order; to limit the ability 24 of an operator to use student data for adaptive learning or 25 customized student learning purposes; to apply to general 26 audience internet sites, general audience online services, 27 general audience online applications, or general audience 28 mobile applications; to restrict internet service providers 29 from providing internet connectivity to schools or students 30 and their families; to prohibit an operator from marketing 31 educational products directly to parents so long as the 32 marketing did not result from the use of covered information; 33 to impose a duty upon a provider of an electronic store, 34 gateway, marketplace, or other means of purchasing or 35 -8- LSB 1417YH (8) 87 kh/jh/rj 8/ 10

H.F. 92 downloading software or applications to review or enforce 1 compliance with applicable restrictions by such software 2 or applications; to impose a duty upon a provider of an 3 interactive computer service to review or enforce compliance 4 by third-party content providers; or to impede the ability of 5 students to download, export, or otherwise save or maintain 6 their own student-created data or documents. 7 REMEDIES. The bill provides that a violation of new Code 8 chapter 715D is a prohibited practice or act under Code section 9 714H.3, providing for a private right of action for a person 10 who suffers an ascertainable loss of money or property as the 11 result of a prohibited practice or act, allowing the person to 12 bring an action at law to recover actual damages and to seek 13 court protection from further violations including temporary 14 and permanent injunctive relief. 15 The bill provides that a violation of new Code chapter 715D 16 is an unlawful practice pursuant to Code section 714.16. In 17 addition to the remedies provided to the attorney general 18 pursuant to Code section 714.16(7), the attorney general may 19 seek and obtain an order that a party held to violate the 20 chapter pay damages to the attorney general on behalf of a 21 person injured by the violation. The rights and remedies 22 available are cumulative to each other and to any other rights 23 and remedies available under the law. 24 DEFINITIONS. The bill provides that “online service” 25 includes cloud computing services. “Operator” means 26 the operator of an internet site, online service, online 27 application, or mobile application with actual knowledge that 28 the internet site, service, or application is used primarily 29 for K-12 school purposes and was designed and marketed for K-12 30 school purposes. “Operator” includes any third party that 31 receives student data, including “covered information”, from a 32 school district, accredited nonpublic school, or area education 33 agency. “Covered information” means personally identifiable 34 information or materials, in any media or format that is 35 -9- LSB 1417YH (8) 87 kh/jh/rj 9/ 10

H.F. 92 created or provided by a student, or the student’s parent or 1 legal guardian, to an operator in the course of the student’s, 2 parent’s, or legal guardian’s use of the operator’s site, 3 service, or application for K–12 school purposes; is created 4 or provided by an employee or agent of the school district, 5 accredited nonpublic school, or area education agency, to an 6 operator; or is gathered by an operator and is descriptive of a 7 student or otherwise identifies a student. 8 “Kindergarten through grade twelve school purposes” means 9 purposes that customarily take place at the direction of 10 a school district or accredited nonpublic school offering 11 instruction at any or all levels from K-12 or at the direction 12 of an area education agency or a teacher employed by or under 13 contract with a school district, accredited nonpublic school, 14 or area education agency, and purposes which aid in the 15 administration of school activities, including but not limited 16 to instruction in the classroom or at home, administrative 17 activities, and collaboration between students, school 18 personnel, or parents, or are for the use and benefit of the 19 school district, school, or area education agency. 20 -10- LSB 1417YH (8) 87 kh/jh/rj 10/ 10