85R12590 CAE-F     By: Taylor of Galveston S.B. No. 1279       A BILL TO BE ENTITLED   AN ACT   relating to restricting the use of covered information, including   student personally identifiable information, by an operator of a   website, online service, online application, or mobile application   for a school purpose.          BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:          SECTION 1.  The heading to Chapter 32, Education Code, is   amended to read as follows:   CHAPTER 32. COMPUTERS, [AND] COMPUTER-RELATED EQUIPMENT, AND   STUDENT INFORMATION PROTECTION          SECTION 2.  Chapter 32, Education Code, is amended by adding   Subchapter D to read as follows:   SUBCHAPTER D. STUDENT INFORMATION          Sec. 32.151.  DEFINITIONS. In this subchapter:                (1)  "Covered information" means personally   identifiable information or information that is linked to   personally identifiable information, in any media or format, that   is not publicly available and is:                      (A)  created by or provided to an operator by a   student or the student's parent in the course of the student's or   parent's use of the operator's website, online service, online   application, or mobile application for a school purpose;                      (B)  created by or provided to an operator by an   employee of a school district or school campus for a school purpose;   or                      (C)  gathered by an operator through the operation   of the operator's website, online service, online application, or   mobile application for a school purpose and personally identifies a   student, including the student's educational record, electronic   mail, first and last name, home address, telephone number,   electronic mail address, information that allows physical or online   contact, discipline records, test results, special education data,   juvenile delinquency records, grades, evaluations, criminal   records, medical records, health records, social security number,   biometric information, disabilities, socioeconomic information,   food purchases, political affiliations, religious information,   text messages, student identifiers, search activity, photograph,   voice recordings, or geolocation information.                (2)  "Interactive computer service" has the meaning   assigned by 47 U.S.C. Section 230.                (3)  "Operator" means, to the extent operating in this   capacity, the operator of a website, online service, online   application, or mobile application who has actual knowledge that   the website, online service, online application, or mobile   application is used primarily for a school purpose and was designed   and marketed for a school purpose.                (4)  "Parent" includes a person standing in parental   relation.                (5)  "School purpose" means a purpose that is directed   by or customarily takes place at the direction of a school district,   school campus, or teacher or assists in the administration of   school activities, including instruction in the classroom or at   home, administrative activities, and collaboration between   students, school personnel, or parents, or is otherwise for the use   and benefit of the school.                (6)  "Targeted advertising" means presenting an   advertisement to a student in which the advertisement is selected   for the student based on information obtained or inferred over time   from the student's online behavior, usage of applications, or   covered information.  The term does not include advertising to a   student at an online location based on the student's visit to that   location at that time, or in response to the student's request for   information or feedback, without the retention of the student's   online activities or requests over time for the purpose of   targeting subsequent advertisements.          Sec. 32.152.  PROHIBITED USE OF COVERED INFORMATION. (a) An   operator may not knowingly:                (1)  engage in targeted advertising on any website,   online service, online application, or mobile application if the   target of the advertising is based on any information, including   covered information and persistent unique identifiers, that the   operator has acquired through the use of the operator's website,   online service, online application, or mobile application for a   school purpose;                (2)  use information, including persistent unique   identifiers, created or gathered by the operator's website, online   service, online application, or mobile application, to create a   profile about a student unless the profile is created for a school   purpose; or                (3)  except as provided by Subsection (c), sell or rent   any student's covered information.          (b)  For purposes of Subsection (a)(2), the collection and   retention of account information by an operator that remains under   the control of the student, the student's parent, or the campus or   district is not an attempt to create a profile by the operator.          (c)  Subsection (a)(3) does not apply to:                (1)  the purchase, merger, or any other type of   acquisition of an operator by another entity, if the operator or   successor entity complies with this subchapter regarding   previously acquired student information; or                (2)  a national assessment provider if the provider   secures the express written consent of the student if the student is   18 years of age or older or the student's parent if the student is 17   years of age or younger, given in response to clear and conspicuous   notice, if the information is used solely to provide access to   employment, educational scholarships, financial aid, or   postsecondary educational opportunities.          Sec. 32.153.  ALLOWED DISCLOSURE OF COVERED INFORMATION.   (a) An operator may use or disclose covered information if the   disclosure is:                (1)  to further a school purpose of the website, online   service, online application, or mobile application and the   recipient of the covered information disclosed under this   subsection does not further disclose the information unless the   disclosure is to allow or improve operability and functionality of   the operator's website, online service, online application, or   mobile application;                (2)  to ensure legal and regulatory compliance;                (3)  to protect against liability;                (4)  to respond to or participate in the judicial   process;                (5)  to protect:                      (A)  the safety or integrity of users of the   website, online service, online application, or mobile   application; or                      (B)  the security of the website, online service,   online application, or mobile application;                (6)  for a school, education, or employment purpose   requested by the student or the student's parent and the   information is not used or disclosed for any other purpose;                (7)  to use the covered information for:                      (A)  a legitimate research purpose; or                      (B)  a school purpose or postsecondary   educational purpose; or                (8)  requested by the agency or the school district for   a school purpose.          (b)  An operator may disclose covered information if a   provision of federal or state law requires the operator to disclose   the information. The operator must comply with the requirements of   federal and state law to protect the information being disclosed.          (c)  An operator may disclose covered information to a third   party if the operator has contracted with the third party to provide   a service for a school purpose for or on behalf of the operator. The   contract must prohibit the third party from using any covered   information for any purpose other than providing the contracted   service. The operator must require the third party to implement and   maintain reasonable procedures and practices designed to prevent   disclosure of covered information.          (d)  Nothing in this subchapter prohibits the operator's use   of covered information for maintaining, developing, supporting,   improving, or diagnosing the operator's website, online service,   online application, or mobile application.          Sec. 32.154.  ALLOWED USE OF COVERED INFORMATION. This   subchapter does not prohibit an operator from:                (1)  using covered information:                      (A)  to improve educational products if that   information is not associated with an identified student using the   operator's website, online service, online application, or mobile   application; and                      (B)  that is not associated with an identified   student to demonstrate the effectiveness of the operator's products   or services and to market the operator's services;                (2)  sharing covered information that is not associated   with an identified student for the development and improvement of   educational websites, online services, online applications, or   mobile applications;                (3)  recommending to a student additional services or   content relating to an educational, learning, or employment   opportunity within a website, online service, online application,   or mobile application if the recommendation is not determined by   payment or other consideration from a third party;                (4)  responding to a student's request for information   or for feedback without the information or response being   determined by payment or other consideration from a third party; or                (5)  identifying for a student, with the express   affirmative consent of the student if the student is 18 years of age   or older or the student's parent if the student is 17 years of age or   younger, institutions of higher education or scholarship providers   that are seeking students who meet specific criteria, regardless of   whether the identified institution of higher education or   scholarship provider provides consideration to the operator.          Sec. 32.155.  PROTECTION OF COVERED INFORMATION. An   operator must implement and maintain reasonable security   procedures and practices designed to protect any covered   information from unauthorized access, deletion, use, modification,   or disclosure.          Sec. 32.156.  DELETION OF COVERED INFORMATION. If a school   district requests the deletion of a student's covered information   under the control of the school district and maintained by the   operator, the operator shall delete the information not later than   the 60th day after the date of the request, or as otherwise   specified in the contract or terms of service, unless the student or   the student's parent consents to the operator's maintenance of the   covered information.          Sec. 32.157.  APPLICABILITY. This subchapter does not:                (1)  limit the authority of a law enforcement agency to   obtain any information from an operator as authorized by law or   under a court order;                (2)  limit the ability of an operator to use student   data, including covered information, for adaptive learning or   customized student learning purposes;                (3)  apply to general audience:                      (A)  websites;                      (B)  online services;                      (C)  online applications; or                      (D)  mobile applications;                (4)  limit service providers from providing Internet   connection to school districts or students and students' families;                (5)  prohibit an operator from marketing educational   products directly to a student's parent if the marketing is not a   result of the use of covered information obtained by the operator   through providing services to the school district;                (6)  impose a duty on a provider of an electronic store,   gateway, marketplace, or other means of purchasing or downloading   software or applications to review or enforce compliance with this   subchapter on those applications or software;                (7)  impose a duty on a provider of an interactive   computer service to review or enforce compliance with this   subchapter by third-party content providers; or                (8)  prohibit a student from downloading, exporting,   transferring, saving, or maintaining the student's data or   documents.          SECTION 3.  This Act takes effect September 1, 2017.