(a) An operator shall (1) implement and maintain security procedures and practices that meet or exceed industry standards and that are designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure, and (2) delete any student information, student records or student-generated content within a reasonable amount of time if a student, parent or legal guardian of a student or local or regional board of education who has the right to control such student information requests the deletion of such student information, student records or student-generated content, unless (A) state or federal law prohibits such deletion or otherwise requires the retention of such student information, student records or student-generated content, or (B) a copy of such student information, student records or student-generated content is in the possession of the operator as part of a disaster recovery storage system and is inaccessible to the public and unable to be used in the normal course of business by the operator, provided such student, parent or legal guardian of a student or local or regional board of education may request the deletion of any such student information, student records or student-generated content described in this subparagraph if such copy is used by the operator to repopulate accessible data following a disaster recovery.
(b) An operator shall not knowingly:
(1) Engage in (A) targeted advertising on the operator's Internet web site, online service or mobile application, or (B) targeted advertising on any other Internet web site, online service or mobile application if such advertising is based on any student information, student records, student-generated content or persistent unique identifiers that the operator has acquired because of the use of the operator's Internet web site, online service or mobile application for school purposes;
(2) Collect, store and use student information, student records, student-generated content or persistent unique identifiers for purposes other than the furtherance of school purposes;
(3) Sell, rent or trade student information, student records or student-generated content unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this section regarding student information; or
(4) Disclose student information, student records or student-generated content unless the disclosure is made (A) in furtherance of school purposes of the Internet web site, online service or mobile application, provided the recipient of the student information uses such student information to improve the operability and functionality of the Internet web site, online service or mobile application and complies with subsection (a) of this section; (B) to ensure compliance with federal or state law or regulations or pursuant to a court order; (C) in response to a judicial order; (D) to protect the safety or integrity of users or others, or the security of the Internet web site, online service or mobile application; (E) to an entity hired by the operator to provide services for the operator's Internet web site, online service or mobile application, provided the operator contractually (i) prohibits the entity from using student information, student records or student-generated content for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the entity from disclosing student information, student records or student-generated content provided by the operator to subsequent third parties, and (iii) requires the entity to comply with subsection (a) of this section; or (F) for a school purpose or other educational or employment purpose requested by a student or the parent or legal guardian of a student, provided such student information is not used or disclosed for any other purpose.
(c) An operator may use student information (1) to maintain, support, improve, evaluate or diagnose the operator's Internet web site, online service or mobile application, (2) for adaptive learning purposes or customized student learning, (3) to provide recommendation engines to recommend content or services relating to school purposes or other educational or employment purposes, provided such recommendation is not determined in whole or in part by payment or other consideration from a third party, or (4) to respond to a request for information or feedback from a student, provided such response is not determined in whole or in part by payment or other consideration from a third party.
(d) An operator may use de-identified student information or aggregated student information (1) to develop or improve the operator's Internet web site, online service or mobile application, or other Internet web sites, online services or mobile applications owned by the operator, or (2) to demonstrate or market the effectiveness of the operator's Internet web site, online service or mobile application.
(e) An operator may share aggregated student information or de-identified student information for the improvement and development of Internet web sites, online services or mobile applications designed for school purposes.
(f) Nothing in this section shall be construed to (1) limit the ability of a law enforcement agency to obtain student information, student records or student-generated content from an operator as authorized by law or pursuant to a court order, (2) limit the ability of a student or the parent or legal guardian of a student to download, export, transfer or otherwise save or maintain student information, student records or student-generated content, (3) impose a duty upon a provider of an interactive computer service, as defined in 47 USC 230, as amended from time to time, to ensure compliance with this section by third-party information content providers, as defined in 47 USC 230, as amended from time to time, (4) impose a duty upon a seller or provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software applications to review or enforce compliance with this section on such software applications, (5) limit an Internet service provider from providing a student, parent or legal guardian of a student or local or regional board of education with the ability to connect to the Internet, (6) prohibit an operator from advertising other Internet web sites, online services or mobile applications that are used for school purposes to parents or legal guardians of students, provided such advertising does not result from the operator's use of student information, student records or student-generated content, or (7) apply to Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally, even if the account credentials created for an operator's Internet web site, online service or mobile application may be used to access Internet web sites, online services or mobile applications that are designed and marketed for school purposes.
(P.A. 16-189, S. 3; P.A. 18-125, S. 3.)
History: P.A. 18-125 amended Subsec. (a)(2) by adding Subparas. (A) and (B) re when student information, student records or student-generated content is not required to be deleted by an operator, effective July 1, 2018.