20-7-1325. Online protections for pupils. (1) An operator may not knowingly engage in any of the following activities with respect to the operator's K-12 online application:
(a) (i) engage in targeted advertising on the operator's K-12 online application; or
(ii) target advertising on any other site, service, or application when the targeting of the advertising is based on any information, including protected information and persistent unique identifiers, that the operator has acquired because of the use of the operator's K-12 online application;
(b) use information, including persistent unique identifiers, created or gathered by the operator's K-12 online application to amass a profile about a pupil, except in furtherance of K-12 school purposes;
(c) sell a pupil's information, including protected information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.
(d) disclose protected information unless the disclosure is made:
(i) in furtherance of the K-12 school purposes of the K-12 online application, provided that the recipient of the protected information disclosed pursuant to this subsection (1)(d)(i):
(A) may not further disclose the information unless done to allow or improve operability and functionality within that pupil's classroom or school; and
(B) is legally required to comply with subsection (2);
(ii) to ensure legal and regulatory compliance;
(iii) to respond to or participate in the judicial process;
(iv) to protect the safety of users or others or the security of the site; or
(v) to a service provider, provided the operator contractually:
(A) prohibits the service provider from using any protected information for any purpose other than providing the contracted service to, or on behalf of, the operator;
(B) prohibits the service provider from disclosing any protected information provided by the operator with subsequent third parties; and
(C) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection (2).
(2) An operator shall:
(a) implement and maintain reasonable security procedures and practices appropriate to the nature of the protected information and safeguard that information from unauthorized access, destruction, use, modification, or disclosure; and
(b) delete a pupil's protected information if the school or district requests the deletion of data under the control of the school or district.
(3) Notwithstanding subsection (1)(d), an operator may disclose protected information of a pupil, as long as subsections (1)(a) through (1)(c) are not violated, under the following circumstances:
(a) if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information;
(b) for legitimate research purposes:
(i) as required by state or federal law and subject to the restrictions under applicable state and federal law; or
(ii) as allowed by state or federal law and under the direction of a school, school district, office of public instruction, or board of public education, if no protected information is used for any purpose to further advertising or to amass a profile on the pupil for purposes other than K-12 school purposes; or
(c) to a state or local educational agency, including schools and school districts, for K-12 school purposes, as permitted by state or federal law.
(4) Nothing in this section prohibits:
(a) the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application;
(b) an operator from using deidentified pupil protected information:
(i) within the operator's K-12 online application or other sites, services, or applications owned by the operator to improve educational products; or
(ii) to demonstrate the effectiveness of the operator's products or services, including in the operator's marketing;
(c) an operator from sharing aggregated deidentified pupil protected information for the development and improvement of educational sites, services, or applications; or
(d) an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents, as long as the marketing did not result from the use of protected information obtained by the operator through the provision of services covered under this section.
(5) This section does not limit:
(a) the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;
(b) the ability of an operator to use pupil data, including protected information, for adaptive learning or customized pupil learning purposes;
(c) internet service providers from providing internet connectivity to schools or pupils and their families; or
(d) the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.
(6) This section does not impose a duty on:
(a) a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software; or
(b) a provider of an interactive computer service, as defined in 47 U.S.C. 230, to review or enforce compliance with this section by third-party content providers.
(7) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if the login credentials created for an operator's K-12 online application may be used to access those general audience sites, services, or applications.
(8) An operator who violates this section is guilty of a misdemeanor and, if convicted by a court of competent jurisdiction, shall be fined not less than $200 or more than $500.
History: En. Sec. 3, Ch. 369, L. 2019.