ASSEMBLY, No. 1272

STATE OF NEW JERSEY

217th LEGISLATURE

 

PRE-FILED FOR INTRODUCTION IN THE 2016 SESSION

 


 

Sponsored by:

Assemblywoman  MARLENE CARIDE

District 36 (Bergen and Passaic)

Assemblywoman  ANNETTE QUIJANO

District 20 (Union)

Assemblyman  JAY WEBBER

District 26 (Essex, Morris and Passaic)

 

 

 

 

SYNOPSIS

     “Student Digital Privacy and Parental Rights Act.”

 

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel.

  


An Act concerning the privacy of certain student digital information and supplementing chapter 36 of Title 18A of the New Jersey Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    This act shall be known and may be cited as the “Student Digital Privacy and Parental Rights Act.”

 

     2.    As used in this act:

     “Covered information” means personally identifiable information and information that is linked or linkable to personally identifiable information that:

     a.     is collected or generated through a school service; and

     b.    (1) the operator of the school service knows or should know relates to a student, or

     (2)   is collected, generated, or maintained at the direction of the public or nonpublic school serving the student or at the direction of officials of that school, including teachers.

     “K-12 purposes” means purposes that: aid in the administration of activities by a public or nonpublic school, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents and guardians; or are for the use and benefit of the public or nonpublic school.

     “Online contact information” means, with respect to a student, an email address or any other substantially similar identifier that permits direct contact with the student online, including an instant messaging user identifier, a Voice Over Internet Protocol identifier, a video chat user identifier, or a screen name or user name that permits the contact.

     “Operator” means an entity that operates a school service, except that the term shall not include a public or nonpublic school.

     “Personally identifiable information” includes, with respect to a student: the student’s first and last name; the first and last name of the student’s parent or guardian or another family member; the home or physical address of the student or student’s family; online contact information for the student; a personal identifier, such as the student’s social security number, student number, or biometric record; a persistent identifier that can be used to recognize a user over time and across different Internet Web sites, online services, online applications, or mobile applications, including a customer number held in a cookie, an Internet Protocol address, a processor or device serial number, or another unique identifier; a photograph, video, or audio recording that contains the student’s image or voice; geolocation information sufficient to identify a street name and the name of a city or town; other indirect identifiers, such as the student’s date of birth, place of birth, or mother’s maiden name; other information that, alone or in combination, would allow an operator or a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify a specific student with reasonable certainty; and information requested by a person who the public or nonpublic school reasonably believes knows the identity of the student to whom the information relates.

     “School service” means an Internet Web site, online service including a cloud computing service, online application, or mobile application that is used for K-12 purposes and was designed and marketed for K-12 purposes.

     “Student” means any individual who is or has been enrolled in a public school or nonpublic school.

     “Targeted advertising” means presenting advertisements to a student or the student’s parent or guardian, where the advertisements are selected based on information obtained or inferred from the student’s online behavior or use of online applications or mobile applications or from covered information about the student maintained by the operator of a school service.  “Targeted advertising” shall not include presenting advertisements to a student or the student’s parent or guardian at an online location or through an online application or mobile application, if: the advertisements are contextually relevant; the advertisements are selected based on a single visit or session of use during which the advertisements are presented; and information about the student’s online behavior or use of online applications or mobile applications is not collected or retained over time.

 

     3.    An operator shall not knowingly:

     a.     engage in or permit targeted advertising on a school service;

     b.    collect, generate, use, or disclose any covered information for purposes of targeted advertising;

     c.     sell covered information to a third party;

     d.    collect, generate, or use covered information, including using covered information to create a personal profile of a student, other than for K-12 purposes; or

     e.     disclose covered information, unless the disclosure is made:

     (1)   pursuant to lawful process or to ensure legal and regulatory compliance with federal or State law;

     (2)   in accordance with section 5 of this act, pursuant to a request for disclosure.  In the case of information about a student, the request for disclosure shall be from the student’s parent or guardian and in the case of information about a student’s parent or guardian or another user of the school service, the request for disclosure shall be from the parent or guardian or the other user, as the case may be;

     (3)   in accordance with section 5 of this act, pursuant to a request for disclosure from a student who is or has been enrolled in a high school or from the student’s parent or guardian for the exclusive purpose of: providing or authenticating the student’s transcript, standardized test scores, letters of recommendation, or other information required by an institution of higher education for an application for admission or by a potential employer for an application for employment; or providing information relating to admission to an institution of higher education or a scholarship or financial aid for attendance at an institution of higher education;

     (4)   to protect the safety of users or others, or the security of the school service;

     (5)   to a public or nonpublic school, as permitted by federal and State law; or

     (6)   to a third-party service provider of the operator, and the operator contractually: prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator; prohibits the service provider from disclosing to subsequent third parties any covered information disclosed by the operator to the service provider; and requires the service provider to establish, implement, and maintain reasonable security procedures in accordance with security practices established pursuant to subsection a. of section 4 of this act.

 

     4.    An operator shall:

     a.     establish, implement, and maintain reasonable security procedures appropriate to the nature of covered information to protect the confidentiality, security, and integrity of covered information;

     b.    delete a student’s covered information, except for information that is required to be maintained by federal or State law, within a reasonable time, not to exceed 45 days, after receiving a request from a public or nonpublic school serving the student, or a request, either directly or through the public or nonpublic school, from the student’s parent or guardian, except in the case of information that is included in a mandated student record or that is directed by the public or nonpublic school to be maintained for educational or administrative purposes;

     c.     disclose publicly and to each public or nonpublic school to which the operator provides a school service, in contracts or privacy policies in a manner that is clear and easy to understand, the types of covered information collected or generated, if any, the purposes for which the covered information is used or disclosed to third parties, and the identity of any such third party;

     d.    facilitate access to and correction of covered information, either directly or through a public or nonpublic school, in the case of information about a student, by the student’s parent or guardian, or in the case of information about a parent or guardian or another user of the school service, by the parent or guardian or the other user, as the case may be;

     e.     implement policies and procedures for responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by federal or State law;

     f.     notify the Department of Education and, as appropriate, students, parents or guardians, public and nonpublic schools, or personnel of the school, including teachers, of each data breach involving unauthorized acquisition of or access to personally identifiable information that occurs on a school service, in compliance with any obligations imposed by federal or State law; and

     g.    delete any covered information maintained by a school service, except for information that is required to be maintained by federal or State law:

     (1)   within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the public or nonpublic school, unless the information is required to be maintained at the direction of the public or nonpublic school, or the student’s parent or guardian; or

     (2)   if the operator continues providing the service in whole or in part to a student after ceasing to provide the service to the public or nonpublic school, within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the student, unless the information is required to be maintained at the direction of the student’s parent or guardian.

 

     5.    a.  An operator may disclose covered information under paragraphs (2) and (3) of subsection e. of section 3 of this act only after the operator:

     (1)   receives from the requesting party, an affirmative express request, whether made directly or through a public or nonpublic school serving the student, to disclose information specified in the request;

     (2)   provides to the requesting party, in a manner that is clear and easy to understand, a description of the types of covered information that will be disclosed to a third party, any fees collected by the operator to cover administrative costs, and the purposes for which the covered information will be disclosed to and used by the third party;

     (3)   ensures that the third party agrees, in writing or an electronic equivalent: not to use any covered information received pursuant to the request for any purpose other than fulfilling the purpose for which the request was made; not to disclose to subsequent third parties any covered information received pursuant to the request; and to establish, implement, and maintain reasonable security procedures in accordance with security practices established pursuant to subsection a. of section 4 of this act; and

     (4)   provides a readily available mechanism for the requesting party to revoke the request.

     b.    As used in this section, “requesting party” means the student, the student’s parent or guardian, or other user of the school service.

 

     6.    a.  Nothing in this act shall prohibit an operator from:

     (1)   using de-identified and aggregated covered information within the operator’s school service or other sites, services, or applications owned by the operator to improve educational products, or to demonstrate the effectiveness of the operator’s products or services, including in the marketing of the products or services; or

     (2)   disclosing de-identified and aggregated covered information for research and development, including research, development, and improvement of educational sites, services, and applications, and advancements in the science of learning.

     b.    If an operator uses or discloses covered information as described in subsection a. of this section, the operator shall take reasonable steps to ensure that the information cannot be manipulated in a manner that would enable identification of an individual to whom the information relates, or disaggregation of aggregated information into its component parts.

 

     7.    The prohibitions of this act on the sale and disclosure of covered information shall not apply to the merger of an operator with another entity or the acquisition of the operator by another entity, including any subsequent merger or acquisition, provided that the operator or successor entity continues to be subject to the provisions of this act with respect to covered information acquired before the merger or acquisition.

 

     8.    This act shall continue to apply, after a student is no longer enrolled in a public or nonpublic school, to covered information relating to the student that was collected or generated while the student was enrolled.

 

     9.    Nothing in this act shall be construed to:

     a.     limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;

     b.    limit the ability of an operator to use information, including covered information, for adaptive or personalized student learning purposes;

     c.     limit a public or nonpublic school from providing Internet access service for its own use, to other public or nonpublic schools, or to students and their families;

     d.    prohibit an operator’s use of covered information for maintaining, developing, supporting, improving, or diagnosing the operator’s school service;

     e.     prohibit an operator of a school service from marketing educational products directly to parents or guardians, provided that the marketing does not result from the use of covered information;

     f.     impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this act by operators of school services;

     g.    impede the ability of a student or the student’s parent or guardian to download, export, create, or otherwise save or maintain data or documents created by or about the student or noncommercial applications created by the student, except to the extent that this activity would result in disclosures prohibited by this act of covered information of other students or users of a school service; or

     h.    prohibit an operator from collecting a reasonable fee to cover the administrative costs of making a disclosure under paragraph (3) of subsection e. of section 3 of this act.

 

     10.  Any provision of this act that refers to the consent of the student’s parent or guardian for the use or disclosure of covered information or the right of the student’s parent or guardian to access or otherwise obtain, use, correct, request disclosure of, or request deletion of, covered information, shall, in the case of covered information about a student who is 18 years of age or older, be considered to refer to the consent or right of the student and not the student’s parent or guardian.

 

     11.  a.  The Commissioner of Education shall provide public and nonpublic schools with guidance and technical assistance with respect to preventing and responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by federal or State law.

     b.    No later than one year after the effective date of this act and annually thereafter, the commissioner shall submit to the Governor and the Legislature pursuant to section 2 of P.L.1991, c.164 (C.52:14-19.1), a report on the number, scope, and nature of the data breaches about which the department receives notice pursuant to subsection f. of section 4 of this act.

     12.  The State Board of Education shall promulgate regulations pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), to effectuate the provisions of this act.

 

     13.  This act shall take effect immediately.

 

 

STATEMENT

 

     This bill is entitled the “Student Digital Privacy and Parental Rights Act.”  The bill concerns student information collected or generated by a school service, which is defined in the bill to mean an Internet Web site, online service, online application, or mobile application that is used to aid in the administration of activities of public or nonpublic schools and that is designed and marketed for those purposes.  Under the provisions of the bill, an operator of a school service is prohibited from:

·      presenting students or parents with targeted advertisements that are selected based on information obtained or inferred from the students’ online behavior or use of online or mobile applications, or personally identifiable information about the student maintained by the operator;

·      selling a student’s personally identifiable information to third parties or collecting this information for purposes unrelated to educational instruction; and

·      disclosing a student’s personally identifiable information except in the specific instances outlined in the bill and in accordance with rules prescribed in the bill.

     In addition to the list of prohibited practices for an operator of a school service, the bill also sets forth certain actions that an operator is required to perform, including:

·         disclosing publicly and to public and nonpublic schools to which the operator provides a school service, the types of personal information the operator collects or generates, the purposes for which information is used or disclosed to third parties, and the identity of these third parties;

·         establishing procedures for parents and system users to access and correct certain information;

·         establishing, implementing, and maintaining security procedures to protect the confidentiality, security, and integrity of student information;

·         deleting certain student information within a specified timeframe upon the request of the public or nonpublic school serving the student or a request from the student’s parent;

·         deleting student information within a specified timeframe after the operator ceases to provide the service to the public or nonpublic school; and

·         implementing policies and procedures to respond to data breaches, including notifying the Department of Education and, as appropriate, students, parents, and public or nonpublic schools of the breach.

     The bill requires the Commissioner of Education to provide public and nonpublic schools with guidance and technical assistance with respect to preventing and responding to data breaches involving unauthorized acquisition of or access to students’ personally identifiable information.  The commissioner is also required to submit a report annually to the Governor and the Legislature on the number, scope, and nature of the data breaches about which the department receives notice from operators in accordance with the bill’s provisions.