_____________
bill NO. _____________
INTRODUCED
BY _________________________________________________
By Request of the ****
A BILL FOR AN ACT ENTITLED: "AN ACT GENERALLY REVISING PUPIL DATA PRIVACY PROTECTIONS; REQUIRING CONTRACTUAL OBLIGATIONS FOR THIRD PARTY OPERATORS TO COMPLY WITH THE MONTANA PUPIL ONLINE PERSONAL INFORMATION PROTECTION ACT; providing definitions; AMENDING SECTIONS 20-7-1324 AND 20-7-1326, MCA; and PROVIDING AN IMMEDIATE EFFECTIVE DATE and AN APPLICABILITY DATE."
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
Section 1. Section 20-7-1324, MCA, is amended to read:
"20-7-1324. Definitions. As used in 20-7-1323 through 20-7-1326, the following definitions apply:
(1) "Deidentified information" means information that cannot be used to identify an individual pupil.
(2) "K-12 online application" means an internet website, online service, cloud computing service, online application, or mobile application that is used primarily for K-12 school purposes and that was designed and is marketed for K-12 school purposes.
(3) "K-12 school purposes" means activities that customarily take place at the direction of a school, teacher, or school district or aid in the administration of school activities, including but not limited to instruction in the classroom or at home, administrative activities, and collaboration between pupils, school personnel, or parents, or that are for the use and benefit of a school.
(4) "Online privacy protections" means the school district policies and contractual provisions required pursuant to 20-7-1326.
(4)(5) "Operator" means the operator of a K-12 online application who is an employee or a third party of a school district who knows or reasonably should know that the application is used primarily for K-12 school purposes.
(5)(6) (a) "Protected information" means personally identifiable information or materials, in any media or format, that describes or otherwise identifies a pupil and that is:
(i) created or provided by a pupil, or the pupil's parent or legal guardian, to an operator in the course of the pupil's, parent's, or legal guardian's use of the operator's K-12 online application;
(ii) created or provided by an employee or agent of a school district to an operator in the course of the employee's or agent's use of the operator's K-12 online application; or
(iii) gathered by an operator through the operator's K-12 online application.
(b) The term includes any information meeting the definition under subsection (6)(a), including but is not limited to:
(i) information in the pupil's educational record or e-mail messages;
(ii) first and last name, home address, telephone number, e-mail address, or other information that allows physical or online contact;
(iii) discipline records, test results, special education data, juvenile dependency records, grades, or evaluations;
(iv) criminal, medical, or health records;
(v) social security number;
(vi) biometric information;
(vii) disability;
(viii) socioeconomic information;
(ix) food purchases;
(x) political affiliation;
(xi) religious information; or
(xii) text messages, documents, pupil identifiers, search activity, photos, voice recordings, or geolocation information.
(6)(7) (a) "Pupil records" means:
(i) any protected information directly related to a pupil that is maintained by a school district through electronic means, including cloud-based services and digital software that can be used to access, store, and use protected information; or
(ii) any information acquired directly from a pupil through the use of instructional software or applications assigned to the pupil by a teacher or other school district employee.
(b) The term does not include deidentified information, including aggregated deidentified information used:
(i) by a third party to improve educational products for adaptive learning purposes, to ensure school and student safety and security, and for customizing pupil learning;
(ii) to demonstrate the effectiveness of a third party's products in the marketing of those products; or
(iii) for the development and improvement of educational sites, services, or applications.
(7)(8) (a) "Pupil-generated content" means materials created by a pupil, including but not limited to essays, research reports, portfolios, creative writing, music or other audio files, photographs, and account information that enables ongoing ownership of pupil content.
(b) The term does not include pupil responses to a standardized assessment for which pupil possession and control would jeopardize the validity and reliability of that assessment.
(8)(9) "Third party" refers to a provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records."
Section 2. Section 20-7-1326, MCA, is amended to read:
"20-7-1326. Pupil records -- online privacy protections. (1) A school district may, pursuant to a policy adopted by its trustees, enter into a contract with a third party to:
(a) provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; or
(b) provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subsection (2). Online privacy protections specified under this section must be implemented by any school district or operator that uses a K-12 online application for K-12 purposes to collect, track, or use protected information or pupil records, including pupil-generated content.
(2) A school district that enters into a contract with a third party for purposes of subsection (1) shall ensure the contract contains A school district shall adopt a policy requiring online privacy protections through compliance directives that apply to employee operators and through contractual provisions that apply to third party operators that include all of the following:
(a) a statement that pupil records continue to be the property of and under the control of the school district;
(b) notwithstanding subsection (2)(a), a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;
(c) a prohibition against the third party for an operator using any information in pupil records for any purpose other than those required or specifically permitted by the policy or contract;
(d) a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil's records and correct erroneous information;
(e) a description of the actions the third party operator of a K-12 online application will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records. Compliance with this requirement does not, in itself, absolve the third party operator of liability in the event of an unauthorized disclosure of pupil records.
(f) a description of the procedures for notifying the affected parent, legal guardian, or pupil if 18 years of age or older in the event of an unauthorized disclosure of the pupil's records;
(g) a certification requirement that pupil records will not be retained or available to the a third party operator upon on completion of the terms of the contract and a description of how that certification requirement will be enforced. This requirement does not apply to pupil-generated content if a pupil chooses to establish or maintain an account with the third party operator for the purpose of storing that content pursuant to subsection (2)(b).
(h) a description of how the school district and the third party operator will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. 1232g); and
(i) a prohibition against the third party operator using personally identifiable information in pupil records to engage in targeted advertising.
(3) A school district may satisfy its obligation to execute a contract with the third party operator of a K-12 online application by using a model contract approved by a public or private consortium that uses binding standards of privacy that meet or exceed the requirements of this section.
(3)(4) In addition to any other penalties, a contract that fails to comply with the requirements of this section is void if, upon on notice and a reasonable 30-day opportunity to cure, the noncompliant party fails to come into compliance and cure any defect. Written A school district shall provide notice of noncompliance may be provided by any party to the contract and notice of a 30-day opportunity to cure within 10 days following the discovery of the noncompliance. All parties A third party operator of a K-12 online application subject to a contract voided under this subdivision section shall return all pupil records, protected information, pupil-generated content, and deidentified information in their possession to the school district on expiration of the 30-day opportunity to cure.
(4)(5) If the provisions of this section are in conflict with the terms of a contract in effect before May 7, 2019 [the effective date of this act], the provisions of this section do not apply to the school district or the third party subject to that agreement until the expiration, amendment, or renewal of the agreement.
(5)(6) Nothing in this section may be construed to impose liability on a third party for content provided by any other third party.
(7) The office of public instruction and the department of administration shall coordinate to verify compliance of third party operators and school districts with the contract requirements under this section."
NEW SECTION. Section 3. Effective date. [This act] is effective on passage and approval.
NEW SECTION. Section 4. Applicability. [This act] applies to contracts executed pursuant to [section 2] on or after [the effective date of this act].