Maryland 2024 Regular Session

Maryland Senate Bill SB1089 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1
2	2
3	3	EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4	4	[Brackets] indicate matter deleted from existing law.
5	5	sb1089
6	6
7	7	SENATE BILL 1089
8	8	F1 4lr2805
9	9
10	10	By: Senator M. Washington
11	11	Introduced and read first time: February 2, 2024
12	12	Assigned to: Education, Energy, and the Environment
13	13
14	14	A BILL ENTITLED
15	15
16	16	AN ACT concerning 1
17	17
18	18	Education – Student and School Employee Data Privacy – Protections 2
19	19
20	20	FOR the purpose of requiring certain operators of certain Internet sites, services, and 3
21	21	applications to protect certain school employee information from unauthorized 4
22	22	access, to implement and maintain certain security procedures and practices, and to 5
23	23	delete certain school employee information under certain circumstances; prohibiting 6
24	24	certain operators from knowingly engaging in certain activities with respect to 7
25	25	certain sites, services, and applications relating to targeted advertising, selling 8
26	26	certain school employee information, and disclosing certain school employee 9
27	27	information under certain circumstances; providing that certain operators may use 10
28	28	certain de–identified or aggregated school employee information under certain 11
29	29	circumstances; and generally relating to student and school employee data privacy. 12
30	30
31	31	BY repealing and reenacting, with amendments, 13
32	32	Article – Education 14
33	33	Section 4–131 15
34	34	Annotated Code of Maryland 16
35	35	(2022 Replacement Volume and 2023 Supplement) 17
36	36
37	37	SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 18
38	38	That the Laws of Maryland read as follows: 19
39	39
40	40	Article – Education 20
41	41
42	42	4–131. 21
43	43
44	44	(a) (1) In this section the following words have the meanings indicated. 22
45	45
46	46	(2) (i) “Covered information” means information or material that, alone 23
47	47	or in combination with other information or material, is linked or could be linked to a 24 2 SENATE BILL 1089
48	48
49	49
50	50	student OR SCHOOL EMPLOYEE in a manner that would allow an employee or a student 1
51	51	of the student’s school to identify the student OR SCHOOL EMPLOYEE with reasonable 2
52	52	certainty. 3
53	53
54	54	(ii) “Covered information” includes, AS APPLICABLE, a student’s OR 4
55	55	SCHOOL EMPLOYEE ’S: 5
56	56
57	57	1. Educational records as defined in § 7–1303 of this article; 6
58	58
59	59	2. First and last name; 7
60	60
61	61	3. Home address and geolocation information; 8
62	62
63	63	4. Telephone number; 9
64	64
65	65	5. Electronic mail address or other information that allows 10
66	66	physical or online contact; 11
67	67
68	68	6. Test results, grades, and student evaluations; 12
69	69
70	70	7. Special education information; 13
71	71
72	72	8. Criminal records; 14
73	73
74	74	9. Medical records and health records; 15
75	75
76	76	10. Social Security number; 16
77	77
78	78	11. Biometric information; 17
79	79
80	80	12. Socioeconomic information; 18
81	81
82	82	13. Food purchases; 19
83	83
84	84	14. Political and religious affiliations; 20
85	85
86	86	15. Text messages; 21
87	87
88	88	16. Student OR SCHOOL EMPLOYEE identifiers; 22
89	89
90	90	17. Search activity; 23
91	91
92	92	18. Photos; 24
93	93
94	94	19. Voice recordings; 25
95	95
96	96	20. Disciplinary information; 26 SENATE BILL 1089 3
97	97
98	98
99	99
100	100	21. Online behavior or usage of applications when linked or 1
101	101	linkable to a specific student OR SCHOOL EMPLOYEE ; 2
102	102
103	103	22. Persistent unique identifiers; and 3
104	104
105	105	23. Confidential information as defined by the Department of 4
106	106	Information Technology. 5
107	107
108	108	(3) (i) “Operator” means an individual or an entity who engages with 6
109	109	institutions [under the school official exception of the federal Family Educational Rights 7
110	110	and Privacy Act], INCLUDING A VIRTUAL SCHOOL UNDER TITLE 7, SUBTITLE 14 OF 8
111	111	THIS ARTICLE and is operating in accordance with a contract or an agreement with a 9
112	112	public school or local school system in the State to provide an Internet website, an online 10
113	113	service, an online application, or a mobile application, INCLUDING A WEBSITE, A 11
114	114	SERVICE, OR AN APPLICATION THAT U TILIZES ARTIFICIAL INTELLIGENCE , that: 12
115	115
116	116	1. Processes covered information; and 13
117	117
118	118	2. A. Is used for a PreK–12 school purpose; or 14
119	119
120	120	B. Is issued at the direction of a public school, a teacher, or 15
121	121	any other employee of a public school, local school system, or the Department. 16
122	122
123	123	(ii) “Operator” includes [a]: 17
124	124
125	125	1. A division of a parent entity if the division: 18
126	126
127	127	[1.] A. Serves education clients; and 19
128	128
129	129	[2.] B. Does not share covered information with the parent 20
130	130	entity; AND 21
131	131
132	132	2. AN INDIVIDUAL OR ENTI TY WHO ENGAGES WITH 22
133	133	INSTITUTIONS UNDER THE SCHOOL OFFICIAL EXCEPTION OF THE FED ERAL FAMILY 23
134	134	EDUCATIONAL RIGHTS AND PRIVACY ACT AND IN ACCORDANCE WITH 24
135	135	SUBPARAGRAPH (I) OF THIS PARAGRAPH . 25
136	136
137	137	(4) (i) “Persistent unique identifier” means an identifier that can be 26
138	138	used to identify, recognize, track, single out, or make references about A SCHOOL 27
139	139	EMPLOYEE OR a student enrolled in prekindergarten through grade 12, the parent or 28
140	140	guardian of the student, and any other student of whom the parent or guardian has custody. 29
141	141
142	142	(ii) “Persistent unique identifier” includes: 30
143	143	4 SENATE BILL 1089
144	144
145	145
146	146	1. Cookie identifiers; 1
147	147
148	148	2. Customer numbers; 2
149	149
150	150	3. Device identifiers; 3
151	151
152	152	4. Hashed e–mail addresses; 4
153	153
154	154	5. Hashed phone numbers; 5
155	155
156	156	6. Identifiers generated through probabilistic methods; 6
157	157
158	158	7. Mobile ad identifiers; 7
159	159
160	160	8. Unique pseudonyms; and 8
161	161
162	162	9. User aliases. 9
163	163
164	164	(5) (i) “PreK–12 school purpose” means an activity that: 10
165	165
166	166	1. Takes place at the direction of a public school, a teacher, 11
167	167	an administrator, or a local school system; or 12
168	168
169	169	2. Aids in the administration of public school activities. 13
170	170
171	171	(ii) “PreK–12 school purpose” includes: 14
172	172
173	173	1. Instruction in the classroom; 15
174	174
175	175	2. Home instruction; 16
176	176
177	177	3. Administrative activities; 17
178	178
179	179	4. Collaboration among students, public school employees, 18
180	180	and parents; 19
181	181
182	182	5. Maintaining, developing, supporting, improving, or 20
183	183	diagnosing the operator’s site, service, or application; and 21
184	184
185	185	6. An activity that is for the use and benefit of the public 22
186	186	school. 23
187	187
188	188	(6) “SCHOOL EMPLOYEE ” MEANS AN EMPLOYEE OF A STUDENT’S 24
189	189	SCHOOL. 25
190	190
191	191	(7) (i) “Targeted advertising” means presenting advertisements to an 26
192	192	individual student OR SCHOOL EMPLOYEE that are selected based on information 27 SENATE BILL 1089 5
193	193
194	194
195	195	obtained or inferred from the student’s OR SCHOOL EMPLOYEE ’S covered information. 1
196	196
197	197	(ii) “Targeted advertising” does not include advertisements 2
198	198	presented to an individual student OR SCHOOL EMPLOYEE at an online location: 3
199	199
200	200	1. Based on the student’s OR SCHOOL EMPLOYEE ’S current 4
201	201	visit to the online location if there is no collection or retention of the student’s OR SCHOOL 5
202	202	EMPLOYEE’S covered information over time; or 6
203	203
204	204	2. In response to a single search query if there is no collection 7
205	205	or retention of the student’s OR SCHOOL EMPLOYEE ’S covered information over time. 8
206	206
207	207	(b) This section does not apply to a general audience Internet website, general 9
208	208	audience online service, general audience online application, or general audience mobile 10
209	209	application, even if log–in credentials created for an operator’s site, service, or application 11
210	210	may be used to access the general audience site, service, or application. 12
211	211
212	212	(c) An operator shall: 13
213	213
214	214	(1) Protect covered information from unauthorized access, destruction, use, 14
215	215	modification, or disclosure; 15
216	216
217	217	(2) Implement and maintain reasonable security procedures and practices 16
218	218	to protect covered information; and 17
219	219
220	220	(3) If covered information is under the authority of a public school or local 18
221	221	school system in accordance with a contract or an agreement, delete within a reasonable 19
222	222	time the covered information if the public school or local school system requests deletion of 20
223	223	the covered information. 21
224	224
225	225	(d) (1) An operator may not knowingly engage in any of the following activities 22
226	226	with respect to the operator’s site, service, or application: 23
227	227
228	228	(i) Engage in targeted advertising if the advertising is based on 24
229	229	information, including covered information and persistent unique identifiers, that the 25
230	230	operator has acquired because of the use of the operator’s site, service, or application; 26
231	231
232	232	(ii) Except in furtherance of a PreK–12 school purpose, use 27
233	233	information, including covered information and persistent unique identifiers, created or 28
234	234	gathered by the operator’s site, service, or application, to make a profile about a student 29
235	235	OR SCHOOL EMPLOYEE ; 30
236	236
237	237	(iii) Subject to paragraph (2) of this subsection and except as provided 31
238	238	in subsection (f) of this section, sell a student’s OR SCHOOL EMPLOYEE ’S information; or 32
239	239
240	240	(iv) Except as provided in subsection (e) of this section, disclose 33 6 SENATE BILL 1089
241	241
242	242
243	243	covered information. 1
244	244
245	245	(2) Nothing in this subsection shall be construed to prohibit the operator’s 2
246	246	use of information for maintaining, developing, supporting, improving, or diagnosing the 3
247	247	operator’s site, service, or application. 4
248	248
249	249	(3) For purposes of paragraph (1)(ii) of this subsection, making a profile of 5
250	250	a student OR SCHOOL EMPLOYEE does not include the collection and retention of account 6
251	251	information that remains under the authority of a student, a student’s parent or guardian, 7
252	252	A SCHOOL EMPLOYEE , a public school, or a local school system. 8
253	253
254	254	(e) Notwithstanding subsection (d)(1)(iv) of this section, an operator may disclose 9
255	255	a student’s OR SCHOOL EMPLOYEE ’S covered information: 10
256	256
257	257	(1) If the disclosure is made only in furtherance of the PreK–12 school 11
258	258	purpose of the site, service, or application and the recipient of the covered information: 12
259	259
260	260	(i) Does not further disclose the information; and 13
261	261
262	262	(ii) Is legally required to comply with subsections (c) and (d)(1) of this 14
263	263	section; 15
264	264
265	265	(2) To ensure legal or regulatory compliance; 16
266	266
267	267	(3) To take precautions against liability; 17
268	268
269	269	(4) To respond to or participate in judicial process; 18
270	270
271	271	(5) To protect the safety of users or others or the security or integrity of the 19
272	272	site, service, or application; 20
273	273
274	274	(6) To a service provider, provided the operator contractually: 21
275	275
276	276	(i) Prohibits the service provider from using any covered 22
277	277	information for any purpose other than providing the contracted service to, or on behalf of, 23
278	278	the operator; 24
279	279
280	280	(ii) Except for a purpose expressly permitted under this subsection, 25
281	281	prohibits the service provider from disclosing covered information provided by the operator 26
282	282	with a third party; and 27
283	283
284	284	(iii) Requires the service provider to comply with the requirements of 28
285	285	subsections (c) and (d)(1)(i) through (iii) of this section; 29
286	286
287	287	(7) If subsection (d)(1)(i) through (iii) of this section is not violated; 30
288	288
289	289	(8) If federal or State law requires the operator to disclose the information, 31 SENATE BILL 1089 7
290	290
291	291
292	292	and the operator complies with the requirements of federal and State law in protecting and 1
293	293	disclosing the information; 2
294	294
295	295	(9) For a legitimate research purpose as: 3
296	296
297	297	(i) Required by federal or State law; or 4
298	298
299	299	(ii) Allowed by federal or State law and under the direction of a 5
300	300	public school, local school system, or the Department, if a student’s OR SCHOOL 6
301	301	EMPLOYEE’S covered information is not used for advertising or to make a profile on the 7
302	302	student for a purpose other than a PreK–12 school purpose; or 8
303	303
304	304	(10) To a State or local education agency, including public schools and local 9
305	305	school systems, for a PreK–12 school purpose, as permitted by federal and State law. 10
306	306
307	307	(f) If an operator of a site, a service, or an application used for a PreK–12 school 11
308	308	purpose is merged with or acquired by another entity, the successor entity is subject to this 12
309	309	section for previously collected covered information. 13
310	310
311	311	(g) Nothing in this section prohibits an operator from: 14
312	312
313	313	(1) Using aggregated or de–identified covered information: 15
314	314
315	315	(i) To develop or improve an educational product or service within 16
316	316	any site, service, or application the operator owns; or 17
317	317
318	318	(ii) To demonstrate the effectiveness of the operator’s products or 18
319	319	services; or 19
320	320
321	321	(2) Sharing aggregated or de–identified covered information for the 20
322	322	development or improvement of educational sites, services, or applications. 21
323	323
324	324	(h) (1) Except for subsection (d)(1)(iii) of this section and subject to paragraph 22
325	325	(2) of this subsection, nothing in subsections (d) and (e) of this section may be construed to 23
326	326	prohibit the use or disclosure of a student’s OR SCHOOL EMPLOYEE ’S covered information 24
327	327	by an operator. 25
328	328
329	329	(2) An operator may use or disclose covered information under paragraph 26
330	330	(1) of this subsection if the operator: 27
331	331
332	332	(i) Provided clear and conspicuous notice of the use or disclosure of 28
333	333	[the]: 29
334	334
335	335	1. THE student’s covered information to the student or the 30
336	336	student’s parent or guardian; OR 31
337	337	8 SENATE BILL 1089
338	338
339	339
340	340	2. THE SCHOOL EMPLOYEE’S COVERED INFORMAT ION 1
341	341	TO THE SCHOOL EMPLOYEE; and 2
342	342
343	343	(ii) Obtained the affirmative consent of [the]: 3
344	344
345	345	1. THE student, if the student is at least 18 years old, or the 4
346	346	student’s parent or guardian to use or disclose the student’s covered information; OR 5
347	347
348	348	2. THE SCHOOL EMPLOYEE. 6
349	349
350	350	(i) This section may not be construed to limit the authority of a law enforcement 7
351	351	agency to obtain content or information from an operator as authorized by federal or State 8
352	352	law or in accordance with an order of a court of competent jurisdiction. 9
353	353
354	354	(j) This section does not limit the ability of an operator to: 10
355	355
356	356	(1) Use a student’s covered information for adaptive learning or customized 11
357	357	student learning purposes; 12
358	358
359	359	(2) Use recommendation engines to recommend to a student OR SCHOOL 13
360	360	EMPLOYEE additional content or services relating to an educational, other learning, or 14
361	361	employment opportunity purpose within an operator’s site, service, or application if the 15
362	362	recommendation is not determined in whole or in part by payment or other consideration 16
363	363	from a third party; 17
364	364
365	365	(3) Respond to a student’s OR SCHOOL EMPLOYEE ’S search query, other 18
366	366	request for information, or request for feedback if the information or response is not 19
367	367	determined in whole or in part by payment or other consideration from a third party; or 20
368	368
369	369	(4) Use or retain covered information to: 21
370	370
371	371	(i) Ensure legal or regulatory compliance; or 22
372	372
373	373	(ii) Take precautions against liability. 23
374	374
375	375	(k) This section may not be construed to prohibit an operator of an Internet 24
376	376	website, an online service, an online application, or a mobile application from marketing 25
377	377	educational products directly to parents if the marketing was not a result of the use of 26
378	378	covered information obtained by the operator through the provision of services covered 27
379	379	under this section. 28
380	380
381	381	(l) This section may not be construed to impose a duty on a provider of an 29
382	382	electronic store, a gateway, a marketplace, or any other means of purchasing or 30
383	383	downloading software or applications to review or enforce compliance of this section. 31
384	384
385	385	(m) This section may not be construed to impose a duty on a provider of an 32 SENATE BILL 1089 9
386	386
387	387
388	388	interactive computer service, as defined in Chapter 5, Title 47 of the United States Code, 1
389	389	to review or enforce compliance with this section by third–party content providers. 2
390	390
391	391	(n) This section may not be construed to impede the ability of students OR 3
392	392	SCHOOL EMPLOYEES to download, export, transfer, or otherwise save or maintain their 4
393	393	own data or documents. 5
394	394
395	395	(o) The provisions of this section may not be construed to prohibit an Internet 6
396	396	service provider from providing Internet connectivity to public schools, students, [or] 7
397	397	students’ families, SCHOOL EMPLOYEES , OR SCHOOL EMPLOYEES ’ FAMILIES. 8
398	398
399	399	SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect 9
400	400	October 1, 2024. 10