HOUSE BILL NO. 745
INTRODUCED BY A. OLSEN, D. ZOLNIKOV
AN ACT CREATING THE MONTANA PUPIL ONLINE PERSONAL INFORMATION PROTECTION ACT; PROTECTING PUPILS FROM MARKETING AIDED BY DISCLOSURE OF THEIR PERSONAL INFORMATION GATHERED IN RELATION TO CERTAIN ONLINE EDUCATIONAL OPPORTUNITIES; PROVIDING CONTRACTUAL REQUIREMENTS FOR SCHOOL DISTRICTS RELATED TO ONLINE MANAGEMENT OF PUPIL RECORDS; PROVIDING DEFINITIONS; AND PROVIDING AN IMMEDIATE EFFECTIVE DATE.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
Section 1. Short title. [Sections 1 through 4] may be cited as the "Montana Pupil Online Personal Information Protection Act".
Section 2. Definitions. As used in [sections 1 through 4], the following definitions apply:
(1) "Deidentified information" means information that cannot be used to identify an individual pupil.
(2) "K-12 online application" means an internet website, online service, cloud computing service, online application, or mobile application that is used primarily for K-12 school purposes and that was designed and is marketed for K-12 school purposes.
(3) "K-12 school purposes" means activities that customarily take place at the direction of a school, teacher, or school district or aid in the administration of school activities, including but not limited to instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or that are for the use and benefit of a school.
(4) "Operator" means the operator of a K-12 online application who knows or reasonably should know that the application is used primarily for K-12 school purposes.
(5) (a) "Protected information" means personally identifiable information or materials, in any media or format, that describes or otherwise identifies a pupil and that is:
(i) created or provided by a pupil, or the pupil's parent or legal guardian, to an operator in the course of the pupil's, parent's, or legal guardian's use of the operator's K-12 online application;
(ii) created or provided by an employee or agent of a school district to an operator in the course of the employee's or agent's use of the operator's K-12 online application; or
(iii) gathered by an operator through the operator's K-12 online application.
(b) The term includes but is not limited to:
(i) information in the pupil's educational record or e-mail messages;
(ii) first and last name, home address, telephone number, e-mail address, or other information that allows physical or online contact;
(iii) discipline records, test results, special education data, juvenile dependency records, grades, or evaluations;
(iv) criminal, medical, or health records;
(v) social security number;
(vi) biometric information;
(viii) socioeconomic information;
(ix) food purchases;
(x) political affiliation;
(xi) religious information; or
(xii) text messages, documents, pupil identifiers, search activity, photos, voice recordings, or geolocation information.
(6) (a) "Pupil records" means:
(i) any information directly related to a pupil that is maintained by a school district; or
(ii) any information acquired directly from a pupil through the use of instructional software or applications assigned to the pupil by a teacher or other school district employee.
(b) The term does not include deidentified information, including aggregated deidentified information used:
(i) by a third party to improve educational products for adaptive learning purposes and for customizing pupil learning;
(ii) to demonstrate the effectiveness of a third party's products in the marketing of those products; or
(iii) for the development and improvement of educational sites, services, or applications.
(7) (a) "Pupil-generated content" means materials created by a pupil, including but not limited to essays, research reports, portfolios, creative writing, music or other audio files, photographs, and account information that enables ongoing ownership of pupil content.
(b) The term does not include pupil responses to a standardized assessment for which pupil possession and control would jeopardize the validity and reliability of that assessment.
(8) "Third party" refers to a provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.
Section 3. Online protections for pupils. (1) An operator may not knowingly engage in any of the following activities with respect to the operator's K-12 online application:
(a) (i) engage in targeted advertising on the operator's K-12 online application; or
(ii) target advertising on any other site, service, or application when the targeting of the advertising is based on any information, including protected information and persistent unique identifiers, that the operator has acquired because of the use of the operator's K-12 online application;
(b) use information, including persistent unique identifiers, created or gathered by the operator's K-12 online application to amass a profile about a pupil, except in furtherance of K-12 school purposes;
(c) sell a pupil's information, including protected information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired pupil information.
(d) disclose protected information unless the disclosure is made:
(i) in furtherance of the K-12 school purposes of the K-12 online application, provided that the recipient of the protected information disclosed pursuant to this subsection (1)(d)(i):
(A) may not further disclose the information unless done to allow or improve operability and functionality within that pupil's classroom or school; and
(B) is legally required to comply with subsection (2);
(ii) to ensure legal and regulatory compliance;
(iii) to respond to or participate in the judicial process;
(iv) to protect the safety of users or others or the security of the site; or
(v) to a service provider, provided the operator contractually:
(A) prohibits the service provider from using any protected information for any purpose other than providing the contracted service to, or on behalf of, the operator;
(B) prohibits the service provider from disclosing any protected information provided by the operator with subsequent third parties; and
(C) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection (2).
(2) An operator shall:
(a) implement and maintain reasonable security procedures and practices appropriate to the nature of the protected information and safeguard that information from unauthorized access, destruction, use, modification, or disclosure; and
(b) delete a pupil's protected information if the school or district requests the deletion of data under the control of the school or district.
(3) Notwithstanding subsection (1)(d), an operator may disclose protected information of a pupil, as long as subsections (1)(a) through (1)(c) are not violated, under the following circumstances:
(a) if other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information;
(b) for legitimate research purposes:
(i) as required by state or federal law and subject to the restrictions under applicable state and federal law; or
(ii) as allowed by state or federal law and under the direction of a school, school district, office of public instruction, or board of public education, if no protected information is used for any purpose to further advertising or to amass a profile on the pupil for purposes other than K-12 school purposes; or
(c) to a state or local educational agency, including schools and school districts, for K-12 school purposes, as permitted by state or federal law.
(4) Nothing in this section prohibits:
(a) the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application;
(b) an operator from using deidentified pupil protected information:
(i) within the operator's K-12 online application or other sites, services, or applications owned by the operator to improve educational products; or
(ii) to demonstrate the effectiveness of the operator's products or services, including in the operator's marketing;
(c) an operator from sharing aggregated deidentified pupil protected information for the development and improvement of educational sites, services, or applications; or
(d) an operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents, as long as the marketing did not result from the use of protected information obtained by the operator through the provision of services covered under this section.
(5) This section does not limit:
(a) the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;
(b) the ability of an operator to use pupil data, including protected information, for adaptive learning or customized pupil learning purposes;
(c) internet service providers from providing internet connectivity to schools or pupils and their families; or
(d) the ability of pupils to download, export, or otherwise save or maintain their own pupil-created data or documents.
(6) This section does not impose a duty on:
(a) a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software; or
(b) a provider of an interactive computer service, as defined in 47 U.S.C. 230, to review or enforce compliance with this section by third-party content providers.
(7) This section does not apply to general audience internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if the login credentials created for an operator's K-12 online application may be used to access those general audience sites, services, or applications.
(8) An operator who violates this section is guilty of a misdemeanor and, if convicted by a court of competent jurisdiction, shall be fined not less than $200 or more than $500.
Section 4. Pupil records -- online privacy protections. (1) A school district may, pursuant to a policy adopted by its trustees, enter into a contract with a third party to:
(a) provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; or
(b) provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subsection (2).
(2) A school district that enters into a contract with a third party for purposes of subsection (1) shall ensure the contract contains all of the following:
(a) a statement that pupil records continue to be the property of and under the control of the school district;
(b) notwithstanding subsection (2)(a), a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;
(c) a prohibition against the third party for using any information in pupil records for any purpose other than those required or specifically permitted by the contract;
(d) a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil's records and correct erroneous information;
(e) a description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records. Compliance with this requirement does not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records.
(f) a description of the procedures for notifying the affected parent, legal guardian, or pupil if 18 years of age or older in the event of an unauthorized disclosure of the pupil's records;
(g) a certification that pupil records will not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced. This requirement does not apply to pupil-generated content if a pupil chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to subsection (2)(b).
(h) a description of how the school district and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. 1232g); and
(i) a prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.
(3) In addition to any other penalties, a contract that fails to comply with the requirements of this section is void if, upon notice and a reasonable opportunity to cure, the noncompliant party fails to come into compliance and cure any defect. Written notice of noncompliance may be provided by any party to the contract. All parties subject to a contract voided under this subdivision shall return all pupil records in their possession to the school district.
(4) If the provisions of this section are in conflict with the terms of a contract in effect before [the effective date of this act], the provisions of this section do not apply to the school district or the third party subject to that agreement until the expiration, amendment, or renewal of the agreement.
(5) Nothing in this section may be construed to impose liability on a third party for content provided by any other third party.
Section 5. Codification instruction. [Sections 1 through 4] are intended to be codified as an integral part of Title 20, chapter 7, part 13, and the provisions of Title 20, chapter 7, part 13, apply to [sections 1 through 4].
Section 6. Effective date. [This act] is effective on passage and approval.
- END -
New language in a bill appears underlined, deleted material appears stricken.
Sponsor names are handwritten on introduced bills, hence do not appear on the bill until it is reprinted.
See the status of this bill for the bill's primary sponsor.
Prepared by Montana Legislative Services