Maryland 2022 Regular Session

Maryland House Bill HB769 Latest Draft

Bill / Chaptered Version Filed 05/02/2022

                             LAWRENCE J. HOGAN, JR., Governor Ch. 164 
 
Chapter 164 
(House Bill 769) 
 
AN ACT concerning 
 
Student Data Privacy – Protections, Digital Tools, and Student Data Privacy 
Council 
 
FOR the purpose of altering certain definitions to provide increased protections for certain 
student data; requiring each county board of education to provide a list of digital 
tools to the State Department of Education on or before a certain date each year; 
requiring the Department to publish information on digital tools provided by each 
county board on or before a certain date each year; establishing the Student Data 
Privacy Council; and generally relating to student data privacy in the State. 
 
BY repealing and reenacting, with amendments, 
 Article – Education 
Section 4–131(a) 
 Annotated Code of Maryland 
 (2018 Replacement Volume and 2021 Supplement) 
 
BY adding to 
 Article – Education 
Section 4–131(p) 
 Annotated Code of Maryland 
 (2018 Replacement Volume and 2021 Supplement) 
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 
That the Laws of Maryland read as follows: 
 
Article – Education 
 
4–131. 
 
 (a) (1) In this section the following words have the meanings indicated. 
 
 (2) (i) “Covered information” means information or material that[: 
 
 1. Personally identifies an individual student in this State or 
that is linked to information or material that personally identifies an individual student in 
this State; and 
 
 2. Is gathered by an operator through the operation of a site, 
a service, or an application], ALONE OR IN COMBINATION WITH OTHER INFORMATION
OR MATERIAL, IS LINKED OR COULD BE LINKED TO A STUDENT IN A MANNER THAT
WOULD ALLOW AN EMPLOYEE OR A STUDENT OF THE STUDENT’S SCHOOL TO
IDENTIFY THE STUDENT WITH REASONABLE CERTAINTY.
 
 (ii) “Covered information” includes a student’s: 
 
 1. Educational [and disciplinary record] RECORDS AS 
DEFINED IN § 7–1303 OF THIS ARTICLE;
 
 2. First and last name; 
 
 3. Home address and geolocation information; 
 
 4. Telephone number; 
 
 5. Electronic mail address or other information that allows 
physical or online contact; 
 
 6. Test results, grades, and student evaluations; 
 
 7. Special education [data] INFORMATION;
 
 8. Criminal records; 
 
 9. Medical records and health records; 
 
 10. Social Security number; 
 
 11. Biometric information; 
 
 12. Socioeconomic information; 
 
 13. Food purchases; 
 
 14. Political and religious affiliations; 
 
 15. Text messages; 
 
 16. Student identifiers; 
 
 17. Search activity; 
 
 18. Photos; [and] 
 
 19. Voice recordings;  
 
 20. DISCIPLINARY INFORMATION;

 21. ONLINE BEHAVIOR OR USAGE OF APPLICATIONS
WHEN LINKED OR LINKABLE TO A SPECIFIC STUDENT;

 22. PERSISTENT UNIQUE IDENTIFIERS; AND

 23. CONFIDENTIAL INFORMATION AS DEFINED BY THE
DEPARTMENT OF INFORMATION TECHNOLOGY.
 
 (3) (I) “Operator” means [a person] AN INDIVIDUAL OR AN ENTITY 
who ENGAGES WITH INSTITUTIONS UNDER THE SCHOOL OFFICIAL EXCEPTION OF
THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT AND is operating in 
accordance with a contract or an agreement with a public school or local school system in 
the State to provide an Internet website, an online service, an online application, or a 
mobile application that: 
 
 1. PROCESSES COVERED INFORMATION; AND
 
 [(i)] 2. A. Is used [primarily] for a PreK–12 school purpose; 
OR 
 
 [(ii)] B. Is issued at the direction of a public school, a teacher, or 
any other employee of a public school, local school system, or the Department[; and 
 
 (iii) Was designed and marketed primarily for a PreK–12 school 
purpose]. 
 
 (II) “OPERATOR” INCLUDES A DIVISION OF A PARENT ENTITY IF
THE DIVISION:

 1. SERVES EDUCATION CLIENTS; AND

 2. DOES NOT SHARE COVERED INFORMATION WITH THE
PARENT ENTITY.
 
 (4) (I) “Persistent unique identifier” means [a unique reference number 
used as an identifier in computer software that is stored across different usage sessions] 
AN IDENTIFIER THAT CAN BE USED TO IDENTIFY, RECOGNIZE, TRACK, SINGLE OUT,
OR MAKE REFERENCES ABOUT A STUDENT ENROLLED IN PREKINDERGARTEN
THROUGH GRADE 12, THE PARENT OR GUARDIAN OF THE STUDENT, AND ANY OTHER
STUDENT OF WHOM THE PARENT OR GUARDIAN HAS CUSTODY.
 
 (II) “PERSISTENT UNIQUE IDENTIFIER” INCLUDES:

 1. COOKIE IDENTIFIERS;
 
 2. CUSTOMER NUMBERS;

 3. DEVICE IDENTIFIERS;

 4. HASHED E–MAIL ADDRESSES;

 5. HASHED PHONE NUMBERS;

 6. IDENTIFIERS GENERATED THROUGH PROBABILISTIC
METHODS;

 7. MOBILE AD IDENTIFIERS;

 8. UNIQUE PSEUDONYMS; AND
 
 9. USER ALIASES. 
 
 (5) (i) “PreK–12 school purpose” means an activity that: 
 
 1. Takes place at the direction of a public school, a teacher, 
an administrator, or a local school system; or 
 
 2. Aids in the administration of public school activities. 
 
 (ii) “PreK–12 school purpose” includes: 
 
 1. Instruction in the classroom; 
 
 2. Home instruction; 
 
 3. Administrative activities; 
 
 4. Collaboration among students, public school employees, 
and parents; 
 
 5. Maintaining, developing, supporting, improving, or 
diagnosing the operator’s site, service, or application; and 
 
 6. An activity that is for the use and benefit of the public 
school. 
 
 (6) (i) “Targeted advertising” means presenting advertisements to an 
individual student that are selected based on information obtained or inferred from the 
student’s [online behavior, usage of applications, or] covered information. 
 
 (ii) “Targeted advertising” does not include advertisements 
presented to an individual student at an online location: 
 
 1. Based on the student’s current visit to the online location 
[without] IF THERE IS NO collection or retention of the student’s [online activities] 
COVERED INFORMATION over time; or 
 
 2. In response to a single search query [without] IF THERE 
IS NO collection or retention of the student’s [online activities] COVERED INFORMATION 
over time. 
 
 (P) (1) ON OR BEFORE JULY 1, 2022, AND EACH JULY 1 THEREAFTER,
EACH COUNTY BOARD SHALL SUBMIT TO THE DEPARTMENT A LIST OF THE
FOLLOWING DIGITAL TOOLS WITH RESPECT TO THE IMMEDIATELY PRECEDING
SCHOOL YEAR:

 (I) APPROVED DIGITAL TOOLS;

 (II) DIGITAL TOOLS KNOWN TO BE USED BY EDUCATORS; AND

 (III) DIGITAL TOOLS NOT AUTHORIZED BY THE COUNTY BOARD.

 (2) ON OR BEFORE SEPTEMBER 1, 2022, AND EACH SEPTEMBER 1
THEREAFTER, THE DEPARTMENT SHALL PUBLISH AN ONLINE DATABASE OF THE
DIGITAL TOOLS REPORTED BY EACH COUNTY BOARD IN ACCORDANCE WITH
PARAGRAPH (1) OF THIS SUBSECTION.
 
 SECTION 2. AND BE IT FURTHER ENACTED, That: 
 
 (a) In this section, “Council” means the Student Data Privacy Council. 
 
 (b) There is a Student Data Privacy Council. 
 
 (c) The Council consists of the following members: 
 
 (1) one member of the Senate of Maryland, appointed by the President of 
the Senate; 
 
 (2) one member of the House of Delegates, appointed by the Speaker of the 
House; 
 
 (3) the State Superintendent of Schools, or the Superintendent’s designee; 
 
 (4) the Secretary of Information Technology, or the Secretary’s designee; 
 
 (5) the Executive Director of the Public School Superintendents’ 
Association of Maryland, or the Executive Director’s designee; 
 
 (6) the Executive Director of the Maryland Association of Boards of 
Education, or the Executive Director’s designee;  
 
 (7) the President of the Maryland Association of Boards of Education, or 
the President’s designee;  
 
 (8) the President of the Maryland State Education Association, or the 
President’s designee;  
 
 (9) the President of the Maryland PTA, or the President’s designee; and 
 
 (10) the following members appointed by the Chair of the Council: 
 
 (i) one School Data Privacy Officer, or the Officer’s designee; 
 
 (ii) one School Information Technology Officer, or the Officer’s 
designee;  
 
 (iii) one representative of a company, trade association, or group who 
has professional experience in the area of student data privacy or online educational 
technology services; 
 
 (iv) one member of the academic community who studies K–12
student data privacy; 
 
 (v) one advocate for student data privacy who does not have a 
professional relationship with a provider of online educational technology services; 
 
 (vi) one attorney who is knowledgeable in the laws and regulations 
that pertain to local school systems; 
 
 (vii) one school–based administrator from a public school in the State; 
and  
 
 (viii) one teacher from a public school in the State. 
 
 (d) The State Superintendent of Schools or the Superintendent’s designee shall 
chair the Council and is responsible for the administration of the Council. 
 
 (e) The State Department of Education shall provide staff for the Council. 
 
 (f) A member of the Council: 
 
 (1) may not receive compensation as a member of the Council; but 
 
 (2) is entitled to reimbursement for expenses under the Standard State 
Travel Regulations, as provided in the State budget. 
 
 (g) The Council shall: 
 
 (1) study the development and implementation of the Student Data 
Privacy Act of 2015 to evaluate the impact of the Act on: 
 
 (i) the protection of covered information from unauthorized access, 
destruction, use, modification, or disclosure; 
 
 (ii) the implementation and maintenance of reasonable security 
procedures and practices to protect covered information under the Act; and 
 
 (iii) the implementation and maintenance of reasonable privacy 
controls to protect covered information under the Act; 
 
 (2) review and analyze similar laws and best practices in other states; 
 
 (3) review and analyze developments in technologies as they may relate to 
student data privacy; and 
 
 (4) make recommendations regarding: 
 
 (i) statutory and regulatory changes to the Student Data Privacy 
Act based on the findings of the Council; and 
 
 (ii) repealing the termination date of this Act to allow the Council to 
continue its evaluation of student data privacy in the State on a permanent basis. 
 
 (h) On or before December 1, 2025, the Student Data Privacy Council shall report 
to the Governor and, in accordance with § 2–1257 of the State Government Article, the 
General Assembly on: 
 
 (1) the implementation of § 4–131(p) of the Education Article, as enacted 
by Section 1 of this Act; and 
 
 (2) best practices for student data privacy protection for parents and 
guardians of students in the State, including: 
 
 (i) (1)  the actions that should occur if an operator engages in an 
activity prohibited under § 4–131 of the Education Article; 
 
 (ii) (2)  the type of investigation that should be done if an operator 
is suspected of engaging in an activity prohibited under § 4–131 of the Education Article;  
 
 (iii) (3) the best remedies available to students and parents in 
case of an operator engaging in an activity prohibited under § 4–131 of the Education 
Article; and 
 
 (iv) (4)  any statutory or regulatory changes necessary to best 
effectuate items (i) through (iii) (1) through (3) of this item. 
 
 SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect June 
1, 2022. Section 2 of this Act shall remain effective for a period of 6 years and 4 months 
and, at the end of September 30, 2028, Section 2 of this Act, with no further action required 
by the General Assembly, shall be abrogated and of no further force and effect.  
 
Approved by the Governor, April 21, 2022.