A4978 3R

An Act concerning online education services and student educational records and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

Be It Enacted by the Senate and General Assembly of the State of New Jersey:

1. As used in P.L. , c. (C. ) (pending before the Legislature as this bill):

³[“Cloud computing service” means a service that enables on-demand self-service network access to a shared pool of configurable computer resources to provide a student account-based productivity applications, including, but not limited to, electronic mail, document storage, and document editing, which can be rapidly provisioned and released with minimal management effort or cloud computing service provider interaction.]

“Covered information” means personally identifiable information or material, or information that is linked to personally identifiable information or material, in any media or format that is not publicly available and is:

created by or provided to an operator by a student, or the student’s parent or guardian, in the course of the student’s, parent’s, or guardian’s use of the operator’s site, service, or application for K-12 school purposes;

created by or provided to an operator by an employee or agent of a K-12 school or school district for K-12 school purposes; or

gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student, including, but not limited to, information in the student’s education record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact with the student, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, persistent unique identifiers, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photographs, voice recordings, or geolocation data.³

"De-identified data" means information that ³[does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual] is not or can no longer be linked or reasonably linkable to a person or the person’s computer, telecommunications device, or wireless telecommunications device, but which may still contain unique records or attributes. “De-identified data” shall not mean covered information³.

³[“Educational record” means an official record, file, or data, in any medium or format, directly related to the student of an online education service as provided by a student, parent, legal guardian, school, or school district in the course of the student’s use of the online education service, including, but not limited to, records encompassing all the material stored or recorded in the student's cumulative folders, files, or applications, such as general identifying data, electronic mail addresses, records of academic work, records of achievement, results of evaluative tests, health data, test protocols, criminal records, biometric information, food purchases, political affiliations, search activity, persistent unique identifiers, photos, voice recordings, global positioning system data, and individualized education plans or programs.]

“Interactive computer service” shall have the same meaning as provided in 47 U.S.C. s.230.

“K-12 school” means a public school that offers any of grades kindergarten to 12 and that is operated by any school district in this State.

“K-12 school purposes” means purposes that are directed by or that customarily take place at the direction of a school district, K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents or guardians, or are otherwise for the use of a benefit of the school district or K-12 school.³

“Online education service” or “service” means an Internet website, online service, online computer application, ³[cloud computing service,]³ or mobile application ³[designed, marketed, and offering education for grades kindergarten through 12, or any combination thereof, to supplement, or use in lieu of, physical attendance at a private or public school in this State] that is used primarily for K-12 school purposes and is designed and marketed for K-12 school purposes³.

“Operator” means the ¹[operator] ³[owner¹] operator³ of an online education service with actual knowledge that the online education service is used primarily for K-12 school purposes and is designed and marketed for K-12 school purposes³.

“Persistent unique identifier” means a digital label given to an object, such as a digital file, or entity, such as a person, which is used on the online education service.

³[“Process” or “processing” means to use, access, manipulate, scan, modify, transform, disclose, store, transmit, transfer, retain, aggregate, or dispose of educational records.]

“Personally identifiable information” means information that is linked or reasonably linkable to an identified or identifiable person. “Personally identifiable information” shall not include de-identified data or publicly available information.

“Publicly available information” means information that is lawfully made available from federal, State, or local government records.

“Recommendation engine” means software that uses an algorithm to predict and recommend what information, product, or item a student may prefer.

“School district” means any school district established pursuant to Title 18A of the New Jersey Statutes.³

“Student” means a minor user of an online education service.

³“Targeted advertising” means the presenting of advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student’s online behavior, use of Internet websites, online services, online computer applications, or mobile applications, or covered information. “Targeted advertising” shall not include advertising to a student at an online location based upon that student’s current visit to that location, or in response to that student’s request for information or feedback, without the retention of the student’s online activities or requests over time for the purpose of targeting subsequent adverstisements.³

2. a. An operator of an online education service shall not knowingly:

(1) use information, including ³[educational] covered information³, created or gathered by the ³[operator] operator’s online education service³, to amass a profile about a student for any purpose other than ³[the furtherance of the student’s kindergarten through 12 grade education] K-12 school purposes. A profile shall not include the collection and retention of account information that remains under the control of the student, the student’s parents or guardian, or K-12 school³;

(2) sell ³[an educational record to any person unless sold in the course of the purchase, merger, or other type of acquisition of an online education service by another entity, provided that the online education service continues to be subject to the provisions of this section with respect to previously acquired student educational records] or rent a student’s information, including covered information. This paragraph shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity complies with this section concerning previously acquired student information, including covered information, or to national assessment providers if the provider secures express written consent of the student’s parent or guardian, given in response to clear and conspicuous notice, solely to provide access to employment, educational scholarships, financial aid, or postsecondary educational opportunities³; ³[and]³

(3) disclose ³[an educational record collected or maintained by the online education service] covered information³ unless the disclosure is:

(a) made in furtherance of the ³[educational purpose] K-12 school purposes³ purpose of the service, provided the recipient of the ³[educational record] covered information³ shall not further disclose the information unless done to allow or improve the operability and functionality ³[within that student’s classroom or school] of the operator’s online education service³;

(b) required by federal or State law ³to protect against liability³;

(d) to protect the safety of students or security of the service; ³[or]

(e) for educational or employment purposes requested by the student’s parent or guardian, provided that the covered information is not used or further disclosed for any other purpose not requested by the student’s parent or guardian;

(f) to a third party if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices; or

(g)³ for legitimate research purposes ³[made in accordance with] , subject to the requirements of³ paragraphs (1) through (3) of this subsection ¹[,]¹:

(i) as required by federal or State law and subject to the restrictions of ³the³ application of federal or State law; ³[or]³

(ii) as allowed by federal or State law and under the direction of a ³K-12³school, school district, or the Department of Education, if no ³[educational record] covered information³ is used for any purpose in furtherance of advertising or to amass a profile on the student for any purpose that is not in furtherance of ³[kindergarten through 12 grade education] a K-12 school purpose³; ³or³

(iii) for use by a federal, State, or local educational agency, including ³K-12³ schools and school districts, for ³[kindergarten through 12 grade educational] K-12 school³ purposes, as permitted by federal or State law ³ ; and

(4) engage in targeted advertising on the operator’s service, or target advertising on any other Internet website, online service, online computer application, or mobile application if the targeted advertising is based on any information, including covered information, that the operator’s service has acquired because of the use of the operator’s service for K-12 school purposes³.

b. Nothing in this section shall be construed to prohibit the operator’s use of ³[educational records] covered information³ for maintaining, developing, supporting, ³diagnosing,³ or improving the operator’s online education service.

3. An operator of an online education service shall:

a. implement and maintain reasonable security procedures and practices appropriate to the nature of the ³[educational record] covered information³;

b. protect that information from unauthorized access, destruction, use, modification, or disclosure; and

c. delete ³[an educational record] covered information³ at the request of a ³K-12³ school or a school district overseeing the student’s education through the service or a student who has subsequently reached the age of majority ³, unless a student after having reached the age of majority or parent or guardian requests that the operator maintain the covered information³.

4. Nothing in P.L. , c. (C. ) (pending before the Legislature as this bill) shall be construed to prohibit an operator of an online education service from using de-identified data ³[as follows] to³:

a. ³[to]³ improve the educational products within the service owned by the operator; ³[or]³

b. ³[to]³ demonstrate the effectiveness of the operator’s products or services, including their marketing ³;

c. develop or improve websites, online services, or online or mobile applications for K-12 school purposes;

d. use a recommendation engine to recommend to a student additional content or services concerning an educational or employment opportunity purpose on an Internet website, online service, online computer application, or mobile application if the recommendation is not determined in whole or in part by payment or other consideration from a third party; or

e. respond to a student’s request for information or for feedback if the information or response is not determined, in whole or in part, by payment or other consideration from a third party³.

³5. Nothing in P.L. , c. (C. ) (pending before the Legislature as this bill) shall be construed to:

a. limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order;

b. limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

c. apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s website, service, or application may be used to access those general audience websites, services, or applications;

d. limit service providers from providing Internet connectivity to schools or students and their families;

e. prohibit an operator from marketing educational products directly to parents or guardians if the marketing did not result from the use of covered information obtained by the operator through the provision of services pursuant to P.L. , c. (C. ) (pending before the Legislature as this bill);

f. impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with P.L. , c. (C. ) (pending before the Legislature as this bill) on the software of applications;

g. impose a duty upon a provider of an interactive computer service to review or enforce compliance with P.L. , c. (C. ) (pending before the Legislature as this bill) by a third-party content provider; or

h. prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.³

³[5.] 6.³ It shall be an unlawful practice pursuant to P.L.1960, c.39 (C.56:8-1 et seq.) for an operator of an online education service to violate the provisions of P.L. , c. (C. ) (pending before the Legislature as this bill), or any rule or regulation adopted pursuant thereto.

³[6.] 7.³ The Director of the Division of Consumer Affairs in the Department of Law and Public Safety ², in consultation with the Commissioner of Education,² shall adopt, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), rules and regulations necessary to effectuate the purposes of P.L. , c. (C. ) (pending before the Legislature as this bill).

³[7.] 8.³ This act shall take effect immediately, but shall remain inoperative for 180 days following the date of enactment.