Bill Summaries: H632 (2015-2016 Session)

Tracking:
  • Summary date: Jun 9 2016 - View summary

    AN ACT TO PROTECT STUDENT ONLINE PRIVACY. Enacted June 9, 2016. Effective October 1, 2016.


  • Summary date: May 26 2016 - View summary

    Senate amendments makes the following changes to the 2nd edition.

    Amendment #1 amends the requirements for operators under GS 115C-401.2 (student online privacy protection) to require the operator to delete a student's covered information within 45 days when the K-12 school or local board of education notifies the operator of completion of services with that operator, in addition to when the K-12 school or local board of education requests deletion of the covered information that is under the control of the board or school.

    Amendment #2 adds GS 115C-401.2(g) to allow a parent, K-12 school, teacher, local board of education, or the State Board of Education to report an alleged violation of the statute to the Attorney General. Allows the Attorney General to bring a civil action for injunctive and other relief. Adds that nothing in the statute creates a private right of action.


  • Summary date: May 24 2016 - View summary

    Senate committee substitute makes the following changes to the 1st edition.

    Deletes the previous edition and replaces it as follows.

    Changes the long title to AN ACT TO PROTECT STUDENT ONLINE PRIVACY.

    Enacts GS 115C-401.2 to prohibit an operator from knowingly doing any of four specified activities. Defines operator as, to the extent that it is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 purposes. Excludes from the definition of operator a K-12 school or local board of education that operates an Internet website, online service, online application, or mobile application for that K-12 school or local board of education's own K-12 school purposes. Establishes the first prohibition to be that an operator may not knowingly engage in targeted advertising on the operator's site, service, or application if the targeting of advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes. Defines targeted advertising as presenting an advertisement to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. Excludes from the definition of targeted advertising advertising to a student at an online location based upon that student's current visit to that location, or in response to that student's request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent ads. Defines covered information as any personally identifiable information or material created or provided in use of the application or for K-12 purposes, gathered in the course of the application's operation, including, but not limited to, name, address, electronic mail address, Social Security numbers, grades, medical records and other specified identifying information. Defines K-12 school purposes as purposes that are directed by or that customarily take place at the direction of a K-12 school, a teacher, a local board of education, or the State Board of Education, or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the K-12 school. Defines K-12 school and local board of education as specified.

    Establishes the second prohibition to be that no operator may knowingly use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. Provides that amass a profile does not include the collection and retention of account information that remains under the control of the student, the student's parent or guardian, or K-12 school. 

    Establishes the third prohibition to be that no operator may knowingly sell or rent a student's information, including covered information. Excludes from this prohibition the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with the statute regarding previously acquired student information, or to national assessment providers if the provider secures the express written consent of the parent or student who is at least 13 years of age given in response to a clear, conspicuous notice, solely to provide access to employment, educational scholarships or financial aid, and postsecondary educational opportunities.

    Establishes the fourth prohibition to be that no operator may knowingly disclose covered information, except as otherwise provided in subsection (d), or unless the disclosure is made for the following purposes: (1) in furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under subsubsection (4) of subsection (b) does not further disclose the information unless done to allow or improve operability and functionality of the operator's site, service or application; (2) to ensure legal and regulatory compliance or protect against liability; (3) to respond to or participate in the judicial process; (4) to protect the safety or integrity of users of the site or others or the security of the site, service, or application; (5) to a third party for a school, educational, or employment purpose requested by the student or the student's parent or guardian, provided that the information is required not to be used or further disclosed by the third party for any other purpose; and (6) to a subcontractor, if the operator contractually prohibits the subcontractor from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the subcontractor from disclosing any covered information provided by the operator with subsequent third parties, and requires the subcontractor to implement and maintain reasonable security procedures and practices. Provides that this does not prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application. Defines subcontractor as an entity providing a service to an operator under contract and on its behalf to further a K-12 purpose. 

    Requires an operator to (1) implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that covered information from unauthorized access, destruction, use modification, or disclosure and (2) delete a student's covered information within 45 days if the K-12 school or local board of education requests deletion of covered information under the control of the K-12 school or local board of education, unless a student who is at least 13 years of age, a parent, or a guardian provides express written consent in response to clear and conspicuous notice to the maintenance of covered information.

    Allows an operator to use or disclose covered information of a student under the following circumstances: (1) if other provisions of federal or state law require disclosure and the operator complies with federal and state law in protecting and disclosing the information; (2) for legitimate research purposes as required by federal or state law or as allowed in furtherance of K-12 school purposes as permitted by federal and state law, as long as no covered information is used for advertising or to amass a profile on the student for purposes other than for K-12 school purposes; (3) to a K-12 school, local administrative unit, or the State Board of Education for K-12 school purposes, as permitted by State or federal law; and (4) at the direction of a K-12 school, local administrative unit, or the State Board of Education for K-12 school purposes, as permitted by State or federal law.

    Provides that the statute does not prohibit an operator from the following: (1) using covered information not associated with an identified student within the operator's site, service or application or other sites, services or applications owned by the operator to improve educational products; (2) using covered information not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including their marketing; (3) sharing covered information not associated with an identified student for the development and improvement of educational sites, services, or applications; (4) using recommendation engines to recommend to a student additional content or services, as specified; and (5) responding to a student's request for information or for feedback to help improve learning without the information or response being determined in whole or in part by payment or other consideration from a third party.

    Provides seven limitations of the statute as follows. Provides that the statute does not (1) limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order; (2) limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes; (3) apply to general audience Internet websites, online services, online applications, or mobile application, even if login credentials created for an operator's site, service, or applications may be used to access those general audience sites, services or applications; (4) limit service providers from providing Internet connectivity to schools or students and their families; (5) prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under the statute; (6) impose a duty on the provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with the statute on those applications or software; (7) impose a duty upon a provider of an interactive computer service to review or enforce compliance with the statute by third-party content providers; and (8) prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

    Effective October 1, 2016.


  • Summary date: Apr 13 2015 - View summary

    Identical to S 534, filed 3/26/15.

    As the title indicates. The Joint Legislative Education Oversight Committee shall report on its findings, including any recommended legislation, to the 2016 Session of the 2015 General Assembly.