EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
[Brackets] indicate matter deleted from existing law.
*sb1089*
SENATE BILL 1089
F1 4lr2805
By: Senator M. Washington
Introduced and read first time: February 2, 2024
Assigned to: Education, Energy, and the Environment
A BILL ENTITLED
AN ACT concerning 1
Education – Student and School Employee Data Privacy – Protections 2
FOR the purpose of requiring certain operators of certain Internet sites, services, and 3
applications to protect certain school employee information from unauthorized 4
access, to implement and maintain certain security procedures and practices, and to 5
delete certain school employee information under certain circumstances; prohibiting 6
certain operators from knowingly engaging in certain activities with respect to 7
certain sites, services, and applications relating to targeted advertising, selling 8
certain school employee information, and disclosing certain school employee 9
information under certain circumstances; providing that certain operators may use 10
certain de–identified or aggregated school employee information under certain 11
circumstances; and generally relating to student and school employee data privacy. 12
BY repealing and reenacting, with amendments, 13
Article – Education 14
Section 4–131 15
Annotated Code of Maryland 16
(2022 Replacement Volume and 2023 Supplement) 17
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 18
That the Laws of Maryland read as follows: 19
Article – Education 20
4–131. 21
(a) (1) In this section the following words have the meanings indicated. 22
(2) (i) “Covered information” means information or material that, alone 23
or in combination with other information or material, is linked or could be linked to a 24 2 SENATE BILL 1089
student OR SCHOOL EMPLOYEE in a manner that would allow an employee or a student 1
of the student’s school to identify the student OR SCHOOL EMPLOYEE with reasonable 2
certainty. 3
(ii) “Covered information” includes, AS APPLICABLE, a student’s OR 4
SCHOOL EMPLOYEE ’S: 5
1. Educational records as defined in § 7–1303 of this article; 6
2. First and last name; 7
3. Home address and geolocation information; 8
4. Telephone number; 9
5. Electronic mail address or other information that allows 10
physical or online contact; 11
6. Test results, grades, and student evaluations; 12
7. Special education information; 13
8. Criminal records; 14
9. Medical records and health records; 15
10. Social Security number; 16
11. Biometric information; 17
12. Socioeconomic information; 18
13. Food purchases; 19
14. Political and religious affiliations; 20
15. Text messages; 21
16. Student OR SCHOOL EMPLOYEE identifiers; 22
17. Search activity; 23
18. Photos; 24
19. Voice recordings; 25
20. Disciplinary information; 26 SENATE BILL 1089 3
21. Online behavior or usage of applications when linked or 1
linkable to a specific student OR SCHOOL EMPLOYEE ; 2
22. Persistent unique identifiers; and 3
23. Confidential information as defined by the Department of 4
Information Technology. 5
(3) (i) “Operator” means an individual or an entity who engages with 6
institutions [under the school official exception of the federal Family Educational Rights 7
and Privacy Act], INCLUDING A VIRTUAL SCHOOL UNDER TITLE 7, SUBTITLE 14 OF 8
THIS ARTICLE and is operating in accordance with a contract or an agreement with a 9
public school or local school system in the State to provide an Internet website, an online 10
service, an online application, or a mobile application, INCLUDING A WEBSITE, A 11
SERVICE, OR AN APPLICATION THAT U TILIZES ARTIFICIAL INTELLIGENCE , that: 12
1. Processes covered information; and 13
2. A. Is used for a PreK–12 school purpose; or 14
B. Is issued at the direction of a public school, a teacher, or 15
any other employee of a public school, local school system, or the Department. 16
(ii) “Operator” includes [a]: 17
1. A division of a parent entity if the division: 18
[1.] A. Serves education clients; and 19
[2.] B. Does not share covered information with the parent 20
entity; AND 21
2. AN INDIVIDUAL OR ENTI TY WHO ENGAGES WITH 22
INSTITUTIONS UNDER THE SCHOOL OFFICIAL EXCEPTION OF THE FED ERAL FAMILY 23
EDUCATIONAL RIGHTS AND PRIVACY ACT AND IN ACCORDANCE WITH 24
SUBPARAGRAPH (I) OF THIS PARAGRAPH . 25
(4) (i) “Persistent unique identifier” means an identifier that can be 26
used to identify, recognize, track, single out, or make references about A SCHOOL 27
EMPLOYEE OR a student enrolled in prekindergarten through grade 12, the parent or 28
guardian of the student, and any other student of whom the parent or guardian has custody. 29
(ii) “Persistent unique identifier” includes: 30
4 SENATE BILL 1089
1. Cookie identifiers; 1
2. Customer numbers; 2
3. Device identifiers; 3
4. Hashed e–mail addresses; 4
5. Hashed phone numbers; 5
6. Identifiers generated through probabilistic methods; 6
7. Mobile ad identifiers; 7
8. Unique pseudonyms; and 8
9. User aliases. 9
(5) (i) “PreK–12 school purpose” means an activity that: 10
1. Takes place at the direction of a public school, a teacher, 11
an administrator, or a local school system; or 12
2. Aids in the administration of public school activities. 13
(ii) “PreK–12 school purpose” includes: 14
1. Instruction in the classroom; 15
2. Home instruction; 16
3. Administrative activities; 17
4. Collaboration among students, public school employees, 18
and parents; 19
5. Maintaining, developing, supporting, improving, or 20
diagnosing the operator’s site, service, or application; and 21
6. An activity that is for the use and benefit of the public 22
school. 23
(6) “SCHOOL EMPLOYEE ” MEANS AN EMPLOYEE OF A STUDENT’S 24
SCHOOL. 25
(7) (i) “Targeted advertising” means presenting advertisements to an 26
individual student OR SCHOOL EMPLOYEE that are selected based on information 27 SENATE BILL 1089 5
obtained or inferred from the student’s OR SCHOOL EMPLOYEE ’S covered information. 1
(ii) “Targeted advertising” does not include advertisements 2
presented to an individual student OR SCHOOL EMPLOYEE at an online location: 3
1. Based on the student’s OR SCHOOL EMPLOYEE ’S current 4
visit to the online location if there is no collection or retention of the student’s OR SCHOOL 5
EMPLOYEE’S covered information over time; or 6
2. In response to a single search query if there is no collection 7
or retention of the student’s OR SCHOOL EMPLOYEE ’S covered information over time. 8
(b) This section does not apply to a general audience Internet website, general 9
audience online service, general audience online application, or general audience mobile 10
application, even if log–in credentials created for an operator’s site, service, or application 11
may be used to access the general audience site, service, or application. 12
(c) An operator shall: 13
(1) Protect covered information from unauthorized access, destruction, use, 14
modification, or disclosure; 15
(2) Implement and maintain reasonable security procedures and practices 16
to protect covered information; and 17
(3) If covered information is under the authority of a public school or local 18
school system in accordance with a contract or an agreement, delete within a reasonable 19
time the covered information if the public school or local school system requests deletion of 20
the covered information. 21
(d) (1) An operator may not knowingly engage in any of the following activities 22
with respect to the operator’s site, service, or application: 23
(i) Engage in targeted advertising if the advertising is based on 24
information, including covered information and persistent unique identifiers, that the 25
operator has acquired because of the use of the operator’s site, service, or application; 26
(ii) Except in furtherance of a PreK–12 school purpose, use 27
information, including covered information and persistent unique identifiers, created or 28
gathered by the operator’s site, service, or application, to make a profile about a student 29
OR SCHOOL EMPLOYEE ; 30
(iii) Subject to paragraph (2) of this subsection and except as provided 31
in subsection (f) of this section, sell a student’s OR SCHOOL EMPLOYEE ’S information; or 32
(iv) Except as provided in subsection (e) of this section, disclose 33 6 SENATE BILL 1089
covered information. 1
(2) Nothing in this subsection shall be construed to prohibit the operator’s 2
use of information for maintaining, developing, supporting, improving, or diagnosing the 3
operator’s site, service, or application. 4
(3) For purposes of paragraph (1)(ii) of this subsection, making a profile of 5
a student OR SCHOOL EMPLOYEE does not include the collection and retention of account 6
information that remains under the authority of a student, a student’s parent or guardian, 7
A SCHOOL EMPLOYEE , a public school, or a local school system. 8
(e) Notwithstanding subsection (d)(1)(iv) of this section, an operator may disclose 9
a student’s OR SCHOOL EMPLOYEE ’S covered information: 10
(1) If the disclosure is made only in furtherance of the PreK–12 school 11
purpose of the site, service, or application and the recipient of the covered information: 12
(i) Does not further disclose the information; and 13
(ii) Is legally required to comply with subsections (c) and (d)(1) of this 14
section; 15
(2) To ensure legal or regulatory compliance; 16
(3) To take precautions against liability; 17
(4) To respond to or participate in judicial process; 18
(5) To protect the safety of users or others or the security or integrity of the 19
site, service, or application; 20
(6) To a service provider, provided the operator contractually: 21
(i) Prohibits the service provider from using any covered 22
information for any purpose other than providing the contracted service to, or on behalf of, 23
the operator; 24
(ii) Except for a purpose expressly permitted under this subsection, 25
prohibits the service provider from disclosing covered information provided by the operator 26
with a third party; and 27
(iii) Requires the service provider to comply with the requirements of 28
subsections (c) and (d)(1)(i) through (iii) of this section; 29
(7) If subsection (d)(1)(i) through (iii) of this section is not violated; 30
(8) If federal or State law requires the operator to disclose the information, 31 SENATE BILL 1089 7
and the operator complies with the requirements of federal and State law in protecting and 1
disclosing the information; 2
(9) For a legitimate research purpose as: 3
(i) Required by federal or State law; or 4
(ii) Allowed by federal or State law and under the direction of a 5
public school, local school system, or the Department, if a student’s OR SCHOOL 6
EMPLOYEE’S covered information is not used for advertising or to make a profile on the 7
student for a purpose other than a PreK–12 school purpose; or 8
(10) To a State or local education agency, including public schools and local 9
school systems, for a PreK–12 school purpose, as permitted by federal and State law. 10
(f) If an operator of a site, a service, or an application used for a PreK–12 school 11
purpose is merged with or acquired by another entity, the successor entity is subject to this 12
section for previously collected covered information. 13
(g) Nothing in this section prohibits an operator from: 14
(1) Using aggregated or de–identified covered information: 15
(i) To develop or improve an educational product or service within 16
any site, service, or application the operator owns; or 17
(ii) To demonstrate the effectiveness of the operator’s products or 18
services; or 19
(2) Sharing aggregated or de–identified covered information for the 20
development or improvement of educational sites, services, or applications. 21
(h) (1) Except for subsection (d)(1)(iii) of this section and subject to paragraph 22
(2) of this subsection, nothing in subsections (d) and (e) of this section may be construed to 23
prohibit the use or disclosure of a student’s OR SCHOOL EMPLOYEE ’S covered information 24
by an operator. 25
(2) An operator may use or disclose covered information under paragraph 26
(1) of this subsection if the operator: 27
(i) Provided clear and conspicuous notice of the use or disclosure of 28
[the]: 29
1. THE student’s covered information to the student or the 30
student’s parent or guardian; OR 31
8 SENATE BILL 1089
2. THE SCHOOL EMPLOYEE’S COVERED INFORMAT ION 1
TO THE SCHOOL EMPLOYEE; and 2
(ii) Obtained the affirmative consent of [the]: 3
1. THE student, if the student is at least 18 years old, or the 4
student’s parent or guardian to use or disclose the student’s covered information; OR 5
2. THE SCHOOL EMPLOYEE. 6
(i) This section may not be construed to limit the authority of a law enforcement 7
agency to obtain content or information from an operator as authorized by federal or State 8
law or in accordance with an order of a court of competent jurisdiction. 9
(j) This section does not limit the ability of an operator to: 10
(1) Use a student’s covered information for adaptive learning or customized 11
student learning purposes; 12
(2) Use recommendation engines to recommend to a student OR SCHOOL 13
EMPLOYEE additional content or services relating to an educational, other learning, or 14
employment opportunity purpose within an operator’s site, service, or application if the 15
recommendation is not determined in whole or in part by payment or other consideration 16
from a third party; 17
(3) Respond to a student’s OR SCHOOL EMPLOYEE ’S search query, other 18
request for information, or request for feedback if the information or response is not 19
determined in whole or in part by payment or other consideration from a third party; or 20
(4) Use or retain covered information to: 21
(i) Ensure legal or regulatory compliance; or 22
(ii) Take precautions against liability. 23
(k) This section may not be construed to prohibit an operator of an Internet 24
website, an online service, an online application, or a mobile application from marketing 25
educational products directly to parents if the marketing was not a result of the use of 26
covered information obtained by the operator through the provision of services covered 27
under this section. 28
(l) This section may not be construed to impose a duty on a provider of an 29
electronic store, a gateway, a marketplace, or any other means of purchasing or 30
downloading software or applications to review or enforce compliance of this section. 31
(m) This section may not be construed to impose a duty on a provider of an 32 SENATE BILL 1089 9
interactive computer service, as defined in Chapter 5, Title 47 of the United States Code, 1
to review or enforce compliance with this section by third–party content providers. 2
(n) This section may not be construed to impede the ability of students OR 3
SCHOOL EMPLOYEES to download, export, transfer, or otherwise save or maintain their 4
own data or documents. 5
(o) The provisions of this section may not be construed to prohibit an Internet 6
service provider from providing Internet connectivity to public schools, students, [or] 7
students’ families, SCHOOL EMPLOYEES , OR SCHOOL EMPLOYEES ’ FAMILIES. 8
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 9
October 1, 2024. 10