H.R. 2092 (114th): Student Digital Privacy and Parental Rights Act of 2015


The text of the bill below is as of Apr 29, 2015 (Introduced). The bill was not enacted into law.

IN THE HOUSE OF REPRESENTATIVES

Mr. Messer (for himself and Mr. Polis) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on Education and the Workforce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

To require operators that provide online and similar services to educational agencies or institutions to protect the privacy and security of personally identifiable information, and for other purposes.

This Act may be cited as the Student Digital Privacy and Parental Rights Act of 2015.

The term means the Federal Trade Commission.

The term means personally identifiable information, and information that is linked or linkable to personally identifiable information, that—

is collected or generated through a school service; and

the operator of the school service knows or should know relates to a student; or

is collected, generated, or maintained at the direction of an educational agency or institution serving the student or officials of such an agency or institution, including teachers.

Educational agency or institution

The term educational agency or institution has the meaning given such term in section 444 of the General Education Provisions Act (20 U.S.C. 1232g), except that such term does not include an institution of higher education.

The term means a student who—

is 18 years of age or older;

is enrolled in an institution of higher education; or

has graduated from a secondary school.

Institution of higher education

The term institution of higher education has the meaning given such term in section 102 of the Higher Education Act of 1965 (20 U.S.C. 1002).

The term means purposes that—

aid in the administration of activities by an educational agency or institution, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or

are for the use and benefit of the educational agency or institution.

Online contact information

The term means, with respect to a student, an email address or any other substantially similar identifier that permits direct contact with the student online, including an instant messaging user identifier, a voice over Internet Protocol identifier, a video chat user identifier, or a screen name or user name that permits such contact.

The term means an entity that operates a school service, except that such term does not include an educational agency or institution.

Personally identifiable information

The term includes, with respect to a student—

the student’s first and last name;

the first and last name of the student’s parent or another family member;

the home or physical address of the student or student’s family;

online contact information for the student;

a personal identifier, such as the student’s social security number, student number, or biometric record;

a persistent identifier that can be used to recognize a user over time and across different Internet Web sites, online services, online applications, or mobile applications, including a customer number held in a cookie, an Internet Protocol address, a processor or device serial number, or another unique identifier;

a photograph, video, or audio recording that contains the student’s image or voice;

geolocation information sufficient to identify street name and name of a city or town;

other indirect identifiers, such as the student’s date of birth, place of birth, or mother’s maiden name;

other information that, alone or in combination, would allow an operator or a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify a specific student with reasonable certainty; and

information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the information relates.

The term means an Internet Web site, online service (including a cloud computing service), online application, or mobile application that is used for K-12 purposes and was designed and marketed for K-12 purposes.

The term means each State of the United States, the District of Columbia, each territory or possession of the United States, and each federally recognized Indian tribe.

The term means any individual who is or has been enrolled in an elementary school or secondary school.

The term means presenting advertisements to a student or the student’s parent, where the advertisements are selected based on information obtained or inferred from the student’s online behavior or use of online applications or mobile applications or from covered information about the student maintained by the operator of a school service.

Such term does not include presenting advertisements to a student or the student’s parent at an online location or through an online application or mobile application, if—

the advertisements are contextually relevant;

the advertisements are selected based on a single visit or session of use during which the advertisements are presented; and

information about the student’s online behavior or use of online applications or mobile applications is not collected or retained over time.

Terms defined in Elementary and Secondary Education Act of 1965

In this Act, the terms , , and have the meanings given such terms in section 9101 of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).

Protecting student privacy

An operator may not knowingly—

engage in or permit targeted advertising on a school service;

collect, generate, use, or disclose any covered information for purposes of targeted advertising;

sell covered information to a third party;

collect, generate, or use covered information (including using covered information to create a personal profile of a student) other than for K-12 purposes; or

disclose covered information, unless the disclosure is made—

pursuant to lawful process or to ensure legal and regulatory compliance with Federal or State law;

in accordance with subsection (c), pursuant to a request for disclosure—

in the case of information about a student, from the student’s parent; or

in the case of information about a student’s parent or another user of the school service, from the parent or such other user, as the case may be;

in accordance with subsection (c), pursuant to a request for disclosure from a student who is or has been enrolled in a secondary school or from the student’s parent for the exclusive purpose of—

providing or authenticating the student’s transcript, standardized test scores, letters of recommendation, or other information required by an institution of higher education for an application for admission or by a potential employer for an application for employment; or

providing information relating to—

admission to an institution of higher education; or

a scholarship or financial aid for attendance at an institution of higher education;

to protect the safety of users or others or the security of the school service;

to an educational agency or institution, as permitted by Federal and State law; or

to a third-party service provider of the operator, and the operator contractually—

prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;

prohibits the service provider from disclosing to subsequent third parties any covered information disclosed by the operator to the service provider; and

requires the service provider to establish, implement, and maintain reasonable security procedures as described in subsection (b)(1).

An operator shall—

establish, implement, and maintain reasonable security procedures appropriate to the nature of covered information to protect the confidentiality, security, and integrity of covered information;

delete a student’s covered information (except for information that is required to be maintained by Federal or State law) within a reasonable time, not to exceed 45 days, after receiving—

a request from an educational agency or institution serving the student; or

a request (either directly or through the educational agency or institution) from the student’s parent, except in the case of information that is included in the student’s education records (as defined in section 444 of the General Education Provisions Act (20 U.S.C. 1232g)), such as the student’s test scores or grades, or that is directed by the educational agency or institution to be maintained for educational or administrative purposes;

disclose publicly and to each educational agency or institution to which the operator provides a school service, in contracts or privacy policies in a manner that is clear and easy to understand, the types of covered information collected or generated (if any), the purposes for which the covered information is used or disclosed to third parties, and the identity of any such party;

facilitate access to and correction of covered information, either directly or through an educational agency or institution—

in the case of information about a student, by the student’s parent; or

in the case of information about a parent or another user of the school service, by the parent or such other user, as the case may be;

implement policies and procedures for responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by Federal or State law;

notify the Commission and, as appropriate, students, parents, educational agencies or institutions, or officials of such agencies or institutions (including teachers) of each data breach involving unauthorized acquisition of or access to personally identifiable information that occurs on a school service, in compliance with any obligations imposed by Federal or State law; and

delete any covered information maintained by a school service (except for information that is required to be maintained by Federal or State law)—

except as provided in subparagraph (B), within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the educational agency or institution, unless the information is required to be maintained at the direction of the educational agency or institution or the student’s parent; or

if the operator continues providing the service in whole or in part to a student after ceasing to provide the service to the educational agency or institution, within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the student, unless the information is required to be maintained at the direction of the student’s parent.

Requirements for certain disclosures

An operator may disclose covered information under subparagraph (B) or (C) of subsection (a)(5) only after the operator—

receives from the student, the student’s parent, or other user of the school service, as the case may be (in this subsection referred to as the requesting party), an affirmative express request (whether made directly or through an educational agency or institution serving the student) to disclose information specified in the request;

provides to the requesting party, in a manner that is clear and easy to understand, a description of the types of covered information that will be disclosed to a third party, any fees collected by the operator to cover administrative costs, and the purposes for which the covered information will be disclosed to and used by the third party;

ensures that the third party agrees, in writing or an electronic equivalent—

not to use any covered information received pursuant to the request for any purpose other than fulfilling the purpose for which the request was made;

not to disclose to subsequent third parties any covered information received pursuant to the request; and

to establish, implement, and maintain reasonable security procedures as described in subsection (b)(1); and

provides a readily available mechanism for the requesting party to revoke the request.

Effect on mergers and acquisitions

The prohibitions of this section on sale and disclosure of covered information do not apply to the merger of an operator with another entity or the acquisition of the operator by another entity (including any subsequent merger or acquisition), provided that the operator or successor entity continues to be subject to the provisions of this section with respect to covered information acquired before the merger or acquisition.

This section shall continue to apply, after a student is no longer enrolled in an elementary school or secondary school, to covered information relating to the student that was collected or generated while the student was enrolled.

Rules of construction

This Act shall not—

be construed to affect or otherwise alter the protections and guarantees set forth in section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly known as the Family Educational Rights and Privacy Act of 1974), the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.), or any other Federal statute relating to privacy protection;

be construed to limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;

limit the ability of an operator to use information, including covered information, for adaptive or personalized student learning purposes;

limit an educational agency or institution from providing Internet access service for its own use, to other educational agencies or institutions, or to students and their families;

be construed to prohibit an operator’s use of covered information for maintaining, developing, supporting, improving, or diagnosing the operator’s school service;

be construed to prohibit an operator of a school service from marketing educational products directly to parents, provided that the marketing does not result from the use of covered information;

impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this Act by operators of school services;

impede the ability of a student or the student’s parent to download, export, create, or otherwise save or maintain data or documents created by or about the student or noncommercial applications created by the student, except to the extent any such activity would result in disclosure prohibited by this Act of covered information of other students or users of a school service; or

be construed to prohibit an operator from collecting a reasonable fee to cover the administrative costs of making a disclosure under section 3(a)(5)(C).

De-Identified and aggregated covered information

Nothing in this Act prohibits an operator from—

using de-identified and aggregated covered information—

within the operator’s school service or other sites, services, or applications owned by the operator to improve educational products; or

to demonstrate the effectiveness of the operator’s products or services, including in the marketing of such products or services; or

disclosing de-identified and aggregated covered information for research and development, including—

research, development, and improvement of educational sites, services, and applications; and

advancements in the science of learning.

Steps to prevent re-identification or disaggregation

If an operator uses or discloses covered information as described in paragraph (1), the operator shall take reasonable steps to ensure that the information cannot be manipulated in a manner that would enable—

identification of an individual to whom the information relates; or

disaggregation of aggregated information into its component parts.

Power To consent and rights regarding information about eligible student

Any provision of this Act that refers to the consent of the student’s parent for the use or disclosure of covered information or the right of the student’s parent to access or otherwise obtain, use, correct, request disclosure of, or request deletion of covered information, shall, in the case of covered information about an eligible student, be considered to refer to the consent or right of the student and not the student’s parent.

No effect on consent under other law

Except as provided in section 5(g), this Act does not modify the requirements or standards for consent, including consent from minors and employees on behalf of educational institutions, under any other provision of Federal law or under State law.

Implementation and enforcement

Enforcement by Federal Trade Commission

Unfair or deceptive acts or practices

A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

Powers of the Commission

The Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties entitled to the privileges and immunities provided in the Federal Trade Commission Act, except as provided in paragraph (3).

Enforcement with respect to non-profit organizations

Notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2)), any jurisdictional limitation of the Commission with respect to nonprofit organizations shall not apply for purposes of this Act.

Preservation of Commission authority

Nothing in this Act may be construed in any way to limit or affect the Commission’s authority under any other provision of law.

The Commission may promulgate regulations under section 553 of title 5, United States Code, to carry out this Act.

Consultation and cooperation with Secretary of Education

The Commission shall consult and cooperate with the Secretary of Education in implementing and enforcing this Act, including in promulgating any regulations to carry out this Act, in matters involving educational agencies or institutions.

Report by Commission

Not later than 1 year after the effective date described in section 6, and annually thereafter, the Commission shall submit to Congress and make available on the Internet Web site of the Commission a report on the number, scope, and nature of the data breaches about which the Commission receives notice under section 3(b)(6).

Guidance and technical assistance from Secretary of Education

The Secretary of Education shall provide educational agencies or institutions with reasonable guidance and technical assistance with respect to preventing and responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by Federal or State law.

Relationship to State law

This Act does not annul, alter, or affect, or exempt any person subject to the provisions of this Act from complying with, the laws of any State with respect to the treatment of covered information by operators of school services, except to the extent that such laws are inconsistent with any provision of this Act, and then only to the extent of the inconsistency. For purposes of this paragraph, a law of a State is not inconsistent with this Act if the protection such law affords any user of a school service is greater than the protection provided by this Act.

Rule of construction

Any reference in this Act to State law shall be considered also to refer to the law of a political subdivision of a State.

This Act shall take effect on the date that is 18 months after the date of the enactment of this Act.
