Current with legislation from 2024 Fiscal and Special Sessions.
Section 6-18-109 - Student Online Personal Information Protection Act - Definitions(a) As used in this section: (1) "Covered information" means personally identifiable information or materials regarding a public school student in this state, in any media or format, when the information is: (A) Created or provided by a student or the student's parent or guardian to an operator in the course of the student's, parent's, or guardian's use of the operator's website, service, or application;(B) Created or provided by an employee or agent of a public school, school district, local education agency, or the Division of Elementary and Secondary Education to the operator for public school purposes; or(C) Gathered by an operator through the operation of the website, service, or application and personally identifies a student, including without limitation a student's: (vii) Special education data;(viii) Juvenile dependency records;(x) Medical or health records;(xi) Social Security number;(xii) Biometric information;(xiii) Socioeconomic information;(xiv) Political affiliations;(xv) Religious information;(xvi) Student identifiers;(xvii) Search activity, photos, voice recordings; or(xviii) Geolocation information;(2)(A) "Operator" means, to the extent that the owner is operating in the capacity defined under this subdivision (a)(2), owner of an internet website, online service, online application, or mobile application with actual knowledge that the website, service, or application is:(i) Used primarily for public school purposes;(ii) Designed and marketed for public school purposes; and(iii) Operating at capacity.(B) An operator does not include the division, a school district, or an open-enrollment public charter school;(3) "Public school purpose" means a purpose that customarily takes place at the direction of the public school teacher, administrator, or superintendent to aid in the administration of school activities primarily for the use and benefit of the school, including without limitation:(A) Instruction in the classroom or at home;(B) Administrative activities; or(C) Collaboration between student, school personnel, or parents; and(4)(A) "Targeted advertising" means presenting advertisements to a student when the advertisement is selected based on information obtained or inferred from a student's online behavior, usage of applications, or covered information.(B) "Targeted advertising" does not include advertising to a student at an online location based on a student's current visit to that online location or using the search query without the collection and retention of the student's online activities over time.(b) An operator shall not engage knowingly in the following activities with respect to the website, service, or application: (1) Target advertising when the targeting of the advertising is based on any covered information that the operator has acquired because of the use of the operator's website, service, or application;(2)(A) Create or gather covered information obtained by the operator's website, service, or application to compile a profile about a public school student except in furtherance of public school purposes.(B) Compiling a profile does not include the collection and retention of account registration records or information that remains under the control of a student, parent, public school, or school district;(3) Sell a public school student's covered information, other than with respect to the purchase, merger, or other acquisition of an operator by another entity, provided that the other entity is subject to the provisions of this section with respect to previously acquired student information that is subject to this section; or(4) Disclose covered information of a public school student unless the disclosure is: (A) Done in furtherance of public school purposes or to allow or improve operation and functionality within the student's classroom or school;(B) Necessary disclosure to: (i) Ensure legal or regulatory compliance or protect against liability;(ii) Respond to or participate in the judicial process; or(iii) Protect the safety or integrity of users or others or the security of the website, service, or application;(C) Done to a service provider, if the operator contractually: (i) Prohibits the service provider from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator;(ii) Prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, unless the disclosure is expressly permitted under this section; and(iii) Requires the service provider to implement and maintain reasonable security procedures and practices as provided under subsection (d) of this section; or(D) Done for the public school, educational, or employment purpose requested by the student or the student's parent or guardian, provided that the information is not used or further disclosed for any other purpose.(c) Subsection (b) of this section does not prohibit an operator from using covered information to maintain, develop, support, improve, or diagnose the operator's website, service, or application.(d) An operator shall: (1) Implement and maintain reasonable security measures that are appropriate to the nature of the covered information obtained and protect the covered information from unauthorized access, destruction, use, modification, or disclosure; and(2) Delete a public school student's covered information within a reasonable time frame if the school or school district requests the deletion of covered information under the control of the public school or school district.(e) Subdivisions (b)(1), (2), and (4) of this section shall not be construed to prohibit the use or disclosure of covered information with the affirmative consent of the public school, the student, or the student's parent or guardian in response to clear and conspicuous notice of the use or disclosure.(f) Notwithstanding subdivision (b)(4) of this section, an operator may disclose covered information of a public school student under the following circumstances:(1) If other provisions of federal or state law require the operator to disclose the covered information and the operator complies with the applicable requirements of federal and state law in protecting and disclosing the covered information;(2) For legitimate research purposes: (A) As required by federal or state law and subject to the restrictions under the applicable federal or state law;(B) As allowed by federal or state law and under the direction of a school, school district, or the division if no covered information is used for advertising or to compile a profile of a public school student; or(C) As permitted by federal or state law to a state or local educational agency, including a school or school district, for public school purposes; or(3) To a state or local educational agency, including public schools and school districts, for public school purposes, as permitted by federal or state law.(g) This section does not prohibit an operator from:(1) Using aggregated or deidentified covered information of a public school student as follows: (A) Within the operator's website, service, or application or other websites, services, or applications owned by the operator to develop or improve educational products; or(B) To demonstrate the effectiveness of the operator's website, service, or application, including the operator's marketing of the website, service, or application; or(2) Sharing aggregated or deidentified covered information of a public school student for the development or improvement of educational websites, services, or applications.(h) This section does not limit: (1) The authority of a law enforcement agency to obtain any content or information from an operator that is authorized by law or pursuant to an order of a court of competent jurisdiction;(2) The ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;(3) Internet service providers from providing internet connectivity to public schools, school districts, or students;(4) The ability of an operator to use recommendation engines to recommend additional content or services to a student within an operator's website, service, or application without the response being determined in whole or in part by payment or other consideration from a third party;(5) The ability of an operator to respond to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party; or(6) The ability of an operator to use or retain student information to ensure legal or regulatory compliance or to take precautions against liability.(i) This section does not apply to general audience websites, services, or applications, even if login credentials created on the operator's website, service, or application are used to access those general audience websites, services, or applications.(j) This section does not impose a duty on a provider of an:(1) Electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those software or applications; or(2) Interactive computer service, as defined in the Telecommunications Act of 1996, 47 U.S.C § 230, to review or enforce compliance with this section by a third-party content provider.(k) This section does not limit the ability of a student or the student's parent or guardian to download, export, transfer, or otherwise save or maintain his or her own student data or documents.Amended by Act 2019, No. 910,§ 1509, eff. 7/1/2019.Amended by Act 2019, No. 910,§ 1508, eff. 7/1/2019.Amended by Act 2019, No. 910,§ 1507, eff. 7/1/2019.Added by Act 2015, No. 1196,§ 1, eff. 7/22/2015.