Print
House File 2354 - IntroducedA Bill ForAn Act 1relating to student personal information protection.
2BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
1 Section 1. NEW SECTION. 279.70 Student online personal
2information protection.
31. As used in this section, unless the context otherwise
4requires:
5a. “Attendance center” means a school district building
6that contains classrooms used for instructional purposes for
7elementary, middle, or secondary school students.
8b. “Covered information” means personally identifiable
9information or material, or information that is linked to
10personally identifiable information or material, in any media
11or format that is not publicly available and is any of the
12following:
13(1) Created by or provided to an operator by a student, or
14the student’s parent or legal guardian, in the course of the
15student’s, parent’s, or legal guardian’s use of the operator’s
16site, service, or application for kindergarten through grade
17twelve school purposes.
18(2) Created by or provided to an operator by an employee
19or agent of a school district or attendance center for
20kindergarten through grade twelve school purposes.
21(3) Gathered by an operator through the operation of its
22site, service, or application for kindergarten through grade
23twelve school purposes and personally identifies a student,
24including but not limited to information in the student’s
25educational record or electronic mail, first and last name,
26home address, telephone number, electronic mail address, or
27other information that allows physical or online contact,
28discipline records, test results, special education data,
29juvenile dependency records, grades, evaluations, criminal
30records, medical records, health records, social security
31number, biometric information, disabilities, socioeconomic
32information, food purchases, political affiliations, religious
33information, text messages, documents, student identifiers,
34search activity, photos, voice recordings, or geolocation
35information.
-1- 1c. “Interactive computer service” means that term as defined
2in 47 U.S.C. §230.
3d. “Kindergarten through grade twelve school purposes” means
4purposes that are directed by or that customarily take place at
5the direction of a kindergarten through grade twelve attendance
6center, school district, or a practitioner employed by a school
7district, in the administration of school activities, including
8but not limited to instruction in the classroom or at home,
9administrative activities, and collaboration between students,
10school district or attendance center personnel, or parents, or
11are otherwise for the use and benefit of the school district or
12attendance center.
13e. “Operator” means, to the extent that it is operating
14in this capacity, the operator of an internet site, online
15service, online application, or mobile application with actual
16knowledge that the site, service, or application is used
17primarily for kindergarten through grade twelve school purposes
18and was designed and marketed for such purposes.
19f. “School district” means a public school district
20described in chapter 274.
21g. “Targeted advertising” means presenting advertisements
22to a student where the advertisement is selected based on
23information obtained or inferred over time from that student’s
24online behavior, usage of applications, or covered information.
25“Targeted advertising” does not include advertising to a student
26at an online location based upon that student’s current visit
27to that location, or in response to that student’s request
28for information or feedback, without the retention of that
29student’s online activities or requests over time for the
30purpose of targeting subsequent ads.
312. a. An operator shall not knowingly do any of the
32following:
33(1) Engage in targeted advertising on the operator’s
34internet site, service, or application, or target advertising
35on any other internet site, service, or application if the
-2-1targeting of the advertising is based on any information,
2including covered information and persistent unique
3identifiers, that the operator has acquired because of the use
4of that operator’s internet site, service, or application for
5kindergarten through grade twelve school purposes.
6(2) Use information, including persistent unique
7identifiers, created or gathered by the operator’s internet
8site, service, or application, to amass a profile about a
9student except in furtherance of kindergarten through grade
10twelve school purposes. “Amass a profile” does not include the
11collection and retention of account information that remains
12under the control of the student, the student’s parent or
13guardian, or kindergarten through grade twelve school.
14(3) Sell or rent a student’s information, including covered
15information. This subparagraph does not apply to the purchase,
16merger, or other type of acquisition of an operator by another
17entity, if the operator or successor entity complies with this
18section regarding previously acquired student information, or
19to national assessment providers if the provider secures the
20express written consent of the parent or student, given in
21response to clear and conspicuous notice, solely to provide
22access to employment, educational scholarships or financial
23aid, or postsecondary educational opportunities.
24(4) Except as otherwise provided in subsection 4, disclose
25covered information unless the disclosure is made for the
26following purposes:
27(a) In furtherance of the kindergarten through grade twelve
28school purpose of the internet site, service, or application,
29if the recipient of the covered information disclosed under
30this subparagraph division does not further disclose the
31information unless done to allow or improve operability and
32functionality of the operator’s internet site, service, or
33application.
34(b) To ensure legal and regulatory compliance or protect
35against liability.
-3- 1(c) To respond to or participate in the judicial process.
2(d) To protect the safety or integrity of users of the
3internet site or others or the security of the internet site,
4service, or application.
5(e) For a kindergarten through grade twelve school,
6educational, or employment purpose requested by the student or
7the student’s parent or guardian, provided that the information
8is not used or further disclosed for any other purpose.
9(f) To a third party, if the operator contractually
10prohibits the third party from using any covered information
11for any purpose other than providing the contracted service
12to or on behalf of the operator and requires the third party
13to protect student information to the same extent that the
14operator is required to do pursuant to this section, prohibits
15the third party from disclosing any covered information
16provided by the operator with subsequent third parties, and
17requires the third party to implement and maintain security
18procedures and practices consistent with current industry
19standards and all applicable state and federal laws, rules, and
20regulations.
21b. Nothing in paragraph “a” shall prohibit the operator’s
22use of information for maintaining, developing, supporting,
23improving, or diagnosing the operator’s internet site, service,
24or application.
253. An operator shall do all of the following:
26a. Implement and maintain security procedures and practices
27consistent with current industry standards and all applicable
28state and federal laws, rules, and regulations appropriate to
29the nature of the covered information designed to protect that
30covered information from unauthorized access, destruction, use,
31modification, or disclosure.
32b. Delete as soon as reasonably practicable, a student’s
33covered information if the school district or attendance center
34requests deletion of covered information under the control of
35the school district or attendance center, unless a student or
-4-1parent or guardian consents to the maintenance of the covered
2information.
34. An operator may use or disclose covered information of a
4student under all of the following circumstances:
5a. If other provisions of federal or state law require the
6operator to disclose the information, and the operator complies
7with the requirements of federal and state law in protecting
8and disclosing that information.
9b. If no covered information is used for advertising or
10to amass a profile on the student for purposes other than
11elementary, middle school, or high school purposes; for
12legitimate research purposes, as required by state or federal
13law and subject to the restrictions under applicable state
14and federal law; or as allowed by state or federal law and
15in furtherance of kindergarten through grade twelve school
16purposes or postsecondary educational purposes.
17c. To a state or local educational agency, including
18kindergarten through grade twelve attendance centers and
19school districts, for kindergarten through grade twelve school
20purposes, as permitted by state or federal law.
215. This section does not prohibit an operator from doing any
22of the following:
23a. Using covered information to improve educational products
24if that information is not associated with an identified
25student within the operator’s internet site, service, or
26application or other internet sites, services, or applications
27owned by the operator.
28b. Using covered information that is not associated with
29an identified student to demonstrate the effectiveness of the
30operator’s products or services, including in the operator’s
31marketing.
32c. Sharing covered information that is not associated with
33an identified student for the development and improvement of
34educational internet sites, services, or applications.
35d. Using recommendation engines to recommend to a student
-5-1either of the following:
2(1) Additional content relating to an educational,
3other learning, or employment opportunity purpose within an
4online site, service, or application if the recommendation
5is not determined in whole or in part by payment or other
6consideration from a third party.
7(2) Additional services relating to an educational,
8other learning, or employment opportunity purpose within an
9online site, service, or application if the recommendation
10is not determined in whole or in part by payment or other
11consideration from a third party.
12e. Responding to a student’s request for information or for
13feedback without the information or response being determined
14in whole or in part by payment or other consideration from a
15third party.
166. This section does not do any of the following:
17a. Limit the authority of a law enforcement agency to obtain
18any content or information from an operator as authorized by
19law or under a court order.
20b. Limit the ability of an operator to use student data,
21including covered information, for adaptive learning or
22customized student learning purposes.
23c. Apply to general audience internet sites, general
24audience online services, general audience online applications,
25or general audience mobile applications, even if login
26credentials created for an operator’s internet site, service,
27or application may be used to access those general audience
28internet sites, services, or applications.
29d. Limit service providers from providing internet
30connectivity to attendance centers or students and students’
31families.
32e. Prohibit an operator of an internet site, online service,
33online application, or mobile application from marketing
34educational products directly to parents if the marketing did
35not result from the use of covered information obtained by the
-6-1operator through the provision of services covered under this
2section.
3f. Impose a duty upon a provider of an electronic store,
4gateway, marketplace, or other means of purchasing or
5downloading software or applications to review or enforce
6compliance with this section on those applications or software.
7g. Impose a duty on a provider of an interactive computer
8service to review or enforce compliance with this section by
9third-party content providers.
10h. Prohibit students from downloading, exporting,
11transferring, saving, or maintaining the students’ own student
12data or documents.
13EXPLANATION
14The inclusion of this explanation does not constitute agreement with
15the explanation’s substance by the members of the general assembly.
16This bill places restrictions on third parties that receive
17student data from a school district or attendance center,
18and on operators of internet sites, online services, online
19applications, and mobile applications designed, marketed, and
20used primarily for kindergarten through grade 12 (K-12) school
21purposes.
22PROHIBITIONS AND DISCLOSURE PROVISIONS. The bill prohibits
23an operator from knowingly engaging in targeted advertising
24that is based on or derived from information the operator
25acquired through use of that operator’s internet sites and
26from using information created or gathered by the operator to
27amass a profile about a K-12 student in this state except in
28furtherance of school purposes. The bill also prohibits an
29operator from knowingly selling a student’s information, though
30this prohibition does not apply to the purchase, merger, or
31other type of acquisition of an operator by another entity,
32provided that the operator or successor entity continues to be
33subject to the same restrictions.
34The operator is also prohibited from disclosing covered
35information unless the disclosure is in furtherance of K-12
-7-1school purposes and the recipient of the covered information is
2subject to similar restrictions. Disclosure is also authorized
3in order to ensure legal and regulatory compliance, to respond
4to or participate in judicial process, or to protect the safety
5or security of the internet site.
6The operator may also disclose covered information to a
7service provider if the operator implements and maintains
8reasonable security procedures and if the service provider is
9contractually prohibited from using any of the information for
10any purpose other than providing the contracted service to, or
11on behalf of, the operator, and from disclosing any covered
12information provided by the operator to subsequent third
13parties.
14However, these prohibitions do not prohibit the operator’s
15use of information for maintaining, developing, supporting,
16improving, or diagnosing the operator’s internet site, service,
17or application.
18The operator is required to implement and maintain
19reasonable security procedures and protect covered information
20from unauthorized access, destruction, use, modification, or
21disclosure; and to delete a student’s covered information if
22the school district or attendance center requests deletion of
23data under its control.
24Notwithstanding the disclosure prohibitions, as long as
25the operator does not violate the provisions prohibiting
26targeted advertising, the use of student information to amass a
27profile, and the sale of student information, an operator may
28disclose covered information of a student if other provisions
29of federal or state law require the operator to disclose the
30information, or for legitimate research purposes as required by
31and subject to state or federal law and under the direction of
32the school district or attendance center; and to state or local
33educational agencies as permitted by state or federal law.
34The bill does not prohibit an operator from using
35deidentified student covered information to improve educational
-8-1products; limit a law enforcement agency from obtaining
2information as authorized by law or court order; limit the
3ability of an operator to use student data for adaptive
4learning or customized student learning purposes; apply
5to general audience internet sites, services, and online
6applications; restrict internet service providers from
7providing internet connectivity to attendance centers or
8students and their families; prohibit an operator from
9marketing educational products directly to parents so long
10as the marketing did not result from the use of covered
11information; impose a duty upon a provider of an electronic
12store, gateway, marketplace, or other means of purchasing or
13downloading software or applications to review or enforce
14compliance with applicable restrictions by such software or
15applications; impose a duty upon a provider of an interactive
16computer service to review or enforce compliance by third-party
17content providers; or prohibit students from downloading,
18exporting, or otherwise saving or maintaining their own
19student-created data or documents.
20DEFINITIONS. The bill provides definitions for “operator”,
21“covered information”, “targeted advertising”, and
22“kindergarten through grade twelve school purposes”.
-9-kh/jh/rj
2BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
1 Section 1. NEW SECTION. 279.70 Student online personal
2information protection.
31. As used in this section, unless the context otherwise
4requires:
5a. “Attendance center” means a school district building
6that contains classrooms used for instructional purposes for
7elementary, middle, or secondary school students.
8b. “Covered information” means personally identifiable
9information or material, or information that is linked to
10personally identifiable information or material, in any media
11or format that is not publicly available and is any of the
12following:
13(1) Created by or provided to an operator by a student, or
14the student’s parent or legal guardian, in the course of the
15student’s, parent’s, or legal guardian’s use of the operator’s
16site, service, or application for kindergarten through grade
17twelve school purposes.
18(2) Created by or provided to an operator by an employee
19or agent of a school district or attendance center for
20kindergarten through grade twelve school purposes.
21(3) Gathered by an operator through the operation of its
22site, service, or application for kindergarten through grade
23twelve school purposes and personally identifies a student,
24including but not limited to information in the student’s
25educational record or electronic mail, first and last name,
26home address, telephone number, electronic mail address, or
27other information that allows physical or online contact,
28discipline records, test results, special education data,
29juvenile dependency records, grades, evaluations, criminal
30records, medical records, health records, social security
31number, biometric information, disabilities, socioeconomic
32information, food purchases, political affiliations, religious
33information, text messages, documents, student identifiers,
34search activity, photos, voice recordings, or geolocation
35information.
-1- 1c. “Interactive computer service” means that term as defined
2in 47 U.S.C. §230.
3d. “Kindergarten through grade twelve school purposes” means
4purposes that are directed by or that customarily take place at
5the direction of a kindergarten through grade twelve attendance
6center, school district, or a practitioner employed by a school
7district, in the administration of school activities, including
8but not limited to instruction in the classroom or at home,
9administrative activities, and collaboration between students,
10school district or attendance center personnel, or parents, or
11are otherwise for the use and benefit of the school district or
12attendance center.
13e. “Operator” means, to the extent that it is operating
14in this capacity, the operator of an internet site, online
15service, online application, or mobile application with actual
16knowledge that the site, service, or application is used
17primarily for kindergarten through grade twelve school purposes
18and was designed and marketed for such purposes.
19f. “School district” means a public school district
20described in chapter 274.
21g. “Targeted advertising” means presenting advertisements
22to a student where the advertisement is selected based on
23information obtained or inferred over time from that student’s
24online behavior, usage of applications, or covered information.
25“Targeted advertising” does not include advertising to a student
26at an online location based upon that student’s current visit
27to that location, or in response to that student’s request
28for information or feedback, without the retention of that
29student’s online activities or requests over time for the
30purpose of targeting subsequent ads.
312. a. An operator shall not knowingly do any of the
32following:
33(1) Engage in targeted advertising on the operator’s
34internet site, service, or application, or target advertising
35on any other internet site, service, or application if the
-2-1targeting of the advertising is based on any information,
2including covered information and persistent unique
3identifiers, that the operator has acquired because of the use
4of that operator’s internet site, service, or application for
5kindergarten through grade twelve school purposes.
6(2) Use information, including persistent unique
7identifiers, created or gathered by the operator’s internet
8site, service, or application, to amass a profile about a
9student except in furtherance of kindergarten through grade
10twelve school purposes. “Amass a profile” does not include the
11collection and retention of account information that remains
12under the control of the student, the student’s parent or
13guardian, or kindergarten through grade twelve school.
14(3) Sell or rent a student’s information, including covered
15information. This subparagraph does not apply to the purchase,
16merger, or other type of acquisition of an operator by another
17entity, if the operator or successor entity complies with this
18section regarding previously acquired student information, or
19to national assessment providers if the provider secures the
20express written consent of the parent or student, given in
21response to clear and conspicuous notice, solely to provide
22access to employment, educational scholarships or financial
23aid, or postsecondary educational opportunities.
24(4) Except as otherwise provided in subsection 4, disclose
25covered information unless the disclosure is made for the
26following purposes:
27(a) In furtherance of the kindergarten through grade twelve
28school purpose of the internet site, service, or application,
29if the recipient of the covered information disclosed under
30this subparagraph division does not further disclose the
31information unless done to allow or improve operability and
32functionality of the operator’s internet site, service, or
33application.
34(b) To ensure legal and regulatory compliance or protect
35against liability.
-3- 1(c) To respond to or participate in the judicial process.
2(d) To protect the safety or integrity of users of the
3internet site or others or the security of the internet site,
4service, or application.
5(e) For a kindergarten through grade twelve school,
6educational, or employment purpose requested by the student or
7the student’s parent or guardian, provided that the information
8is not used or further disclosed for any other purpose.
9(f) To a third party, if the operator contractually
10prohibits the third party from using any covered information
11for any purpose other than providing the contracted service
12to or on behalf of the operator and requires the third party
13to protect student information to the same extent that the
14operator is required to do pursuant to this section, prohibits
15the third party from disclosing any covered information
16provided by the operator with subsequent third parties, and
17requires the third party to implement and maintain security
18procedures and practices consistent with current industry
19standards and all applicable state and federal laws, rules, and
20regulations.
21b. Nothing in paragraph “a” shall prohibit the operator’s
22use of information for maintaining, developing, supporting,
23improving, or diagnosing the operator’s internet site, service,
24or application.
253. An operator shall do all of the following:
26a. Implement and maintain security procedures and practices
27consistent with current industry standards and all applicable
28state and federal laws, rules, and regulations appropriate to
29the nature of the covered information designed to protect that
30covered information from unauthorized access, destruction, use,
31modification, or disclosure.
32b. Delete as soon as reasonably practicable, a student’s
33covered information if the school district or attendance center
34requests deletion of covered information under the control of
35the school district or attendance center, unless a student or
-4-1parent or guardian consents to the maintenance of the covered
2information.
34. An operator may use or disclose covered information of a
4student under all of the following circumstances:
5a. If other provisions of federal or state law require the
6operator to disclose the information, and the operator complies
7with the requirements of federal and state law in protecting
8and disclosing that information.
9b. If no covered information is used for advertising or
10to amass a profile on the student for purposes other than
11elementary, middle school, or high school purposes; for
12legitimate research purposes, as required by state or federal
13law and subject to the restrictions under applicable state
14and federal law; or as allowed by state or federal law and
15in furtherance of kindergarten through grade twelve school
16purposes or postsecondary educational purposes.
17c. To a state or local educational agency, including
18kindergarten through grade twelve attendance centers and
19school districts, for kindergarten through grade twelve school
20purposes, as permitted by state or federal law.
215. This section does not prohibit an operator from doing any
22of the following:
23a. Using covered information to improve educational products
24if that information is not associated with an identified
25student within the operator’s internet site, service, or
26application or other internet sites, services, or applications
27owned by the operator.
28b. Using covered information that is not associated with
29an identified student to demonstrate the effectiveness of the
30operator’s products or services, including in the operator’s
31marketing.
32c. Sharing covered information that is not associated with
33an identified student for the development and improvement of
34educational internet sites, services, or applications.
35d. Using recommendation engines to recommend to a student
-5-1either of the following:
2(1) Additional content relating to an educational,
3other learning, or employment opportunity purpose within an
4online site, service, or application if the recommendation
5is not determined in whole or in part by payment or other
6consideration from a third party.
7(2) Additional services relating to an educational,
8other learning, or employment opportunity purpose within an
9online site, service, or application if the recommendation
10is not determined in whole or in part by payment or other
11consideration from a third party.
12e. Responding to a student’s request for information or for
13feedback without the information or response being determined
14in whole or in part by payment or other consideration from a
15third party.
166. This section does not do any of the following:
17a. Limit the authority of a law enforcement agency to obtain
18any content or information from an operator as authorized by
19law or under a court order.
20b. Limit the ability of an operator to use student data,
21including covered information, for adaptive learning or
22customized student learning purposes.
23c. Apply to general audience internet sites, general
24audience online services, general audience online applications,
25or general audience mobile applications, even if login
26credentials created for an operator’s internet site, service,
27or application may be used to access those general audience
28internet sites, services, or applications.
29d. Limit service providers from providing internet
30connectivity to attendance centers or students and students’
31families.
32e. Prohibit an operator of an internet site, online service,
33online application, or mobile application from marketing
34educational products directly to parents if the marketing did
35not result from the use of covered information obtained by the
-6-1operator through the provision of services covered under this
2section.
3f. Impose a duty upon a provider of an electronic store,
4gateway, marketplace, or other means of purchasing or
5downloading software or applications to review or enforce
6compliance with this section on those applications or software.
7g. Impose a duty on a provider of an interactive computer
8service to review or enforce compliance with this section by
9third-party content providers.
10h. Prohibit students from downloading, exporting,
11transferring, saving, or maintaining the students’ own student
12data or documents.
13EXPLANATION
14The inclusion of this explanation does not constitute agreement with
15the explanation’s substance by the members of the general assembly.
16This bill places restrictions on third parties that receive
17student data from a school district or attendance center,
18and on operators of internet sites, online services, online
19applications, and mobile applications designed, marketed, and
20used primarily for kindergarten through grade 12 (K-12) school
21purposes.
22PROHIBITIONS AND DISCLOSURE PROVISIONS. The bill prohibits
23an operator from knowingly engaging in targeted advertising
24that is based on or derived from information the operator
25acquired through use of that operator’s internet sites and
26from using information created or gathered by the operator to
27amass a profile about a K-12 student in this state except in
28furtherance of school purposes. The bill also prohibits an
29operator from knowingly selling a student’s information, though
30this prohibition does not apply to the purchase, merger, or
31other type of acquisition of an operator by another entity,
32provided that the operator or successor entity continues to be
33subject to the same restrictions.
34The operator is also prohibited from disclosing covered
35information unless the disclosure is in furtherance of K-12
-7-1school purposes and the recipient of the covered information is
2subject to similar restrictions. Disclosure is also authorized
3in order to ensure legal and regulatory compliance, to respond
4to or participate in judicial process, or to protect the safety
5or security of the internet site.
6The operator may also disclose covered information to a
7service provider if the operator implements and maintains
8reasonable security procedures and if the service provider is
9contractually prohibited from using any of the information for
10any purpose other than providing the contracted service to, or
11on behalf of, the operator, and from disclosing any covered
12information provided by the operator to subsequent third
13parties.
14However, these prohibitions do not prohibit the operator’s
15use of information for maintaining, developing, supporting,
16improving, or diagnosing the operator’s internet site, service,
17or application.
18The operator is required to implement and maintain
19reasonable security procedures and protect covered information
20from unauthorized access, destruction, use, modification, or
21disclosure; and to delete a student’s covered information if
22the school district or attendance center requests deletion of
23data under its control.
24Notwithstanding the disclosure prohibitions, as long as
25the operator does not violate the provisions prohibiting
26targeted advertising, the use of student information to amass a
27profile, and the sale of student information, an operator may
28disclose covered information of a student if other provisions
29of federal or state law require the operator to disclose the
30information, or for legitimate research purposes as required by
31and subject to state or federal law and under the direction of
32the school district or attendance center; and to state or local
33educational agencies as permitted by state or federal law.
34The bill does not prohibit an operator from using
35deidentified student covered information to improve educational
-8-1products; limit a law enforcement agency from obtaining
2information as authorized by law or court order; limit the
3ability of an operator to use student data for adaptive
4learning or customized student learning purposes; apply
5to general audience internet sites, services, and online
6applications; restrict internet service providers from
7providing internet connectivity to attendance centers or
8students and their families; prohibit an operator from
9marketing educational products directly to parents so long
10as the marketing did not result from the use of covered
11information; impose a duty upon a provider of an electronic
12store, gateway, marketplace, or other means of purchasing or
13downloading software or applications to review or enforce
14compliance with applicable restrictions by such software or
15applications; impose a duty upon a provider of an interactive
16computer service to review or enforce compliance by third-party
17content providers; or prohibit students from downloading,
18exporting, or otherwise saving or maintaining their own
19student-created data or documents.
20DEFINITIONS. The bill provides definitions for “operator”,
21“covered information”, “targeted advertising”, and
22“kindergarten through grade twelve school purposes”.
-9-kh/jh/rj