ASSEMBLY COMMITTEE SUBSTITUTE FOR
ASSEMBLY, Nos. 1272 and 3936
STATE OF NEW JERSEY
217th LEGISLATURE
ADOPTED JUNE 15, 2017
Sponsored by:
Assemblywoman MARLENE CARIDE
District 36 (Bergen and Passaic)
Assemblyman TROY SINGLETON
District 7 (Burlington)
Assemblywoman ANNETTE QUIJANO
District 20 (Union)
Assemblyman JAY WEBBER
District 26 (Essex, Morris and Passaic)
Assemblywoman ANGELA V. MCKNIGHT
District 31 (Hudson)
Assemblywoman ANGELICA M. JIMENEZ
District 32 (Bergen and Hudson)
Assemblywoman ELIANA PINTOR MARIN
District 29 (Essex)
Assemblywoman JOANN DOWNEY
District 11 (Monmouth)
Co-Sponsored by:
Assemblymen Wisniewski and McKeon
SYNOPSIS
“Student Online Personal Protection Act.”
CURRENT VERSION OF TEXT
Substitute as adopted by the Assembly Education Committee.
An Act concerning the privacy of certain student digital information and supplementing chapter 36 of Title 18A of the New Jersey Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. This act shall be known and may be cited as the “Student Online Personal Protection Act.”
2. As used in this act:
“Covered information” means personally indentifiable information or material, or information that is linked to personally indentifiable information or material, in any media or format that is not publicly available and is:
(1) created by or provided to an operator by a student, or the student’s parent or guardian, in the course of the student’s, parent’s, or guardian’s use of the operator’s site, service, or application for K-12 school purposes;
(2) created by or provided to an operator by an employee or agent of a school district or a K-12 school for K-12 school purposes; or
(3) gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student including, but not limited to, information in the student’s educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, any other information that allows physical or online contact with the student, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
“Interactive computer service” means that term as defined in 47 U.S.C. s.230.
“K-12 school” means a public school or nonpublic school located in the State that offers any of grades kindergarten to 12.
“K-12 school purposes” means purposes that are directed by or that customarily take place at the direction of a school district, a K-12 school, or a teacher, or aid in the administration of school activities including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents or guardians, or are otherwise for the use and benefit of the school district or K-12 school.
“Operator” means, to the extent that it is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.
“School service” means an Internet website, online service including a cloud computing service, online application, or mobile application that is used for K-12 purposes and was designed and marketed for K-12 purposes.
“Targeted advertising” means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student’s online behavior, usage of applications, or covered information. “Targeted advertising” does not include advertising to a student at an online location based upon that student’s current visit to that location, or in response to that student’s request for information or feedback, without the retention of that student’s online activities or requests over time for the purpose of targeting subsequent advertising.
3. An operator shall not knowingly:
a. Engage in targeted advertising on the operator’s site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s site, service, or application for K-12 school purposes;
b. Use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. “Amass a profile” does not include the collection and retention of account information that remains under the control of the student, the student’s parent or guardian, the school district, or the K-12 school;
c. Sell or rent a student’s information, including covered information. This subsection shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with this act regarding previously acquired student information; or
d. Except as otherwise provided in section 5 of this act, disclose covered information unless the disclosure is made for the following purposes:
(1) in furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under this paragraph does not further disclose the information other than to allow or improve operability and functionality of the operator’s site, service, or application;
(2) to ensure legal and regulatory compliance or protect against liability;
(3) to respond to or participate in the judicial process;
(4) to protect the safety or integrity of users of the site or other individuals, or the security of the site, service, or application;
(5) for a school, educational, or employment purpose upon request of the student or the student’s parent or guardian, provided that the information is not used or further disclosed for any other purpose; or
(6) to a third party service provider of the operator, if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices.
4. An operator shall:
a. Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information which are designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure;
b. (1) Delete within a reasonable time period, not to exceed 60 days, a student’s covered information if the school district or K-12 school requests deletion of covered information under the control of the school district or K-12 school, unless a student or the student’s parent or guardian consents to the maintenance of the covered information;
(2) Delete any covered information maintained by a school service, except for information that is required to be maintained by federal or State law:
(i) within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the school district or K-12 school, unless the information is required to be maintained at the direction of the school district, K-12 school, or the student’s parent or guardian; or
(ii) if the operator continues providing the service in whole or in part to a student after ceasing to provide the service to the school district or K-12 school, within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the student, unless the information is required to be maintained at the direction of the student’s parent or guardian.
c. Disclose publicly and to each school district and K-12 school to which the operator provides a school service, in contracts or privacy policies in a manner that is clear and easy to understand, the types of covered information collected or generated, if any, the purposes for which the covered information is used or disclosed to third parties, and the identity of any such third party;
d. Implement policies and procedures for responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by federal or State law, and, upon request, make a copy of the policies and procedures available to a school district or K-12 school from which it receives personally identifiable information; and
e. Notify each school district and K-12 school to which the operator provides a school service, or personnel of the school, including teachers, of each data breach involving unauthorized acquisition of or access to personally identifiable information that occurs on a school service, in compliance with any obligations imposed by federal or State law.
5. An operator may use or disclose covered information of a student under the following circumstances:
a. If other provisions of federal or State law require the operator to disclose the information, and the operator complies with the requirements of federal and State law in protecting and disclosing that information;
b. For legitimate research purposes required by and subject to federal and State law, and under the direction of a school district, K-12 school, or the Department of Education, if the covered information is not used for advertising or to amass a profile on the student for purposes other than K-12 school purposes; or
c. Upon request of a state or local educational agency for K-12 school purposes, as permitted by federal or State law.
6. Nothing in this act shall be construed to prohibit an operator from:
a. Using covered information to improve educational products, provided that information is not associated with an identified student within the operator’s site, service, or application or other sites, services, or applications owned by the operator;
b. Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator’s products or services, including in its marketing;
c. Sharing covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications;
d. Using recommendation engines to recommend to a student additional content or services related to an educational, other learning, or employment opportunity purpose, within an online site, service, or application, provided the recommendation is not determined in whole or in part by payment or other consideration from a third party;
e. Responding to a student’s request for information or feedback, provided the information or response is not determined in whole or in part by payment or other consideration from a third party;
f. Using covered information for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service, or application; or
g. Using a student’s information, including covered information, solely to identify or display information to the student about, or to facilitate the connection of the student with, a not-for-profit institution of higher education or a scholarship opportunity. Such use shall require the express consent of the student or the student’s parent, which may be obtained by the school in response to the annual notice required pursuant to 34 C.F.R. s.99.7.
7. Nothing in this act shall be construed to:
a. Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order;
b. Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;
c. Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications;
d. Limit service providers from providing Internet connectivity to schools or students and their families;
e. Prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents or guardians provided that the marketing does not result from the use of covered information obtained by the operator through the provision of services covered under this act;
f. Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this act on those applications or software;
g. Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this act by third-party content providers; or
h. Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.
8. This act shall continue to apply, after a student is no longer enrolled in a K-12 school, to covered information relating to the student that was collected or generated while the student was enrolled.
9. The Commissioner of Education shall provide school districts and K-12 schools with guidance and technical assistance with respect to preventing and responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by federal or State law.
10. This act shall take effect 90 days following the date of enactment.