| 11 | 4 | | AN ACT |
|---|
| 12 | 5 | | relating to restricting the use of covered information, including |
|---|
| 13 | 6 | | student personally identifiable information, by an operator of a |
|---|
| 14 | 7 | | website, online service, online application, or mobile application |
|---|
| 15 | 8 | | for a school purpose. |
|---|
| 16 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 17 | 10 | | SECTION 1. The heading to Chapter 32, Education Code, is |
|---|
| 18 | 11 | | amended to read as follows: |
|---|
| 19 | 12 | | CHAPTER 32. COMPUTERS, [AND] COMPUTER-RELATED EQUIPMENT, AND |
|---|
| 20 | 13 | | STUDENT INFORMATION PROTECTION |
|---|
| 21 | 14 | | SECTION 2. Chapter 32, Education Code, is amended by adding |
|---|
| 22 | 15 | | Subchapter D to read as follows: |
|---|
| 23 | 16 | | SUBCHAPTER D. STUDENT INFORMATION |
|---|
| 24 | 17 | | Sec. 32.151. DEFINITIONS. In this subchapter: |
|---|
| 25 | 18 | | (1) "Covered information" means personally |
|---|
| 26 | 19 | | identifiable information or information that is linked to |
|---|
| 27 | 20 | | personally identifiable information, in any media or format, that |
|---|
| 28 | 21 | | is not publicly available and is: |
|---|
| 29 | 22 | | (A) created by or provided to an operator by a |
|---|
| 30 | 23 | | student or the student's parent in the course of the student's or |
|---|
| 31 | 24 | | parent's use of the operator's website, online service, online |
|---|
| 32 | 25 | | application, or mobile application for a school purpose; |
|---|
| 33 | 26 | | (B) created by or provided to an operator by an |
|---|
| 34 | 27 | | employee of a school district or school campus for a school purpose; |
|---|
| 35 | 28 | | or |
|---|
| 36 | 29 | | (C) gathered by an operator through the operation |
|---|
| 37 | 30 | | of the operator's website, online service, online application, or |
|---|
| 38 | 31 | | mobile application for a school purpose and personally identifies a |
|---|
| 39 | 32 | | student, including the student's educational record, electronic |
|---|
| 40 | 33 | | mail, first and last name, home address, telephone number, |
|---|
| 41 | 34 | | electronic mail address, information that allows physical or online |
|---|
| 42 | 35 | | contact, discipline records, test results, special education data, |
|---|
| 43 | 36 | | juvenile delinquency records, grades, evaluations, criminal |
|---|
| 44 | 37 | | records, medical records, health records, social security number, |
|---|
| 45 | 38 | | biometric information, disabilities, socioeconomic information, |
|---|
| 46 | 39 | | food purchases, political affiliations, religious information, |
|---|
| 47 | 40 | | text messages, student identifiers, search activity, photograph, |
|---|
| 48 | 41 | | voice recordings, or geolocation information. |
|---|
| 49 | 42 | | (2) "Interactive computer service" has the meaning |
|---|
| 50 | 43 | | assigned by 47 U.S.C. Section 230. |
|---|
| 51 | 44 | | (3) "Operator" means, to the extent operating in this |
|---|
| 52 | 45 | | capacity, the operator of a website, online service, online |
|---|
| 53 | 46 | | application, or mobile application who has actual knowledge that |
|---|
| 54 | 47 | | the website, online service, online application, or mobile |
|---|
| 55 | 48 | | application is used primarily for a school purpose and was designed |
|---|
| 56 | 49 | | and marketed for a school purpose. |
|---|
| 57 | 50 | | (4) "Parent" includes a person standing in parental |
|---|
| 58 | 51 | | relation. |
|---|
| 59 | 52 | | (5) "School purpose" means a purpose that is directed |
|---|
| 60 | 53 | | by or customarily takes place at the direction of a school district, |
|---|
| 61 | 54 | | school campus, or teacher or assists in the administration of |
|---|
| 62 | 55 | | school activities, including instruction in the classroom or at |
|---|
| 63 | 56 | | home, administrative activities, and collaboration between |
|---|
| 64 | 57 | | students, school personnel, or parents, or is otherwise for the use |
|---|
| 65 | 58 | | and benefit of the school. |
|---|
| 66 | 59 | | (6) "Targeted advertising" means presenting an |
|---|
| 67 | 60 | | advertisement to a student in which the advertisement is selected |
|---|
| 68 | 61 | | for the student based on information obtained or inferred over time |
|---|
| 69 | 62 | | from the student's online behavior, usage of applications, or |
|---|
| 70 | 63 | | covered information. The term does not include advertising to a |
|---|
| 71 | 64 | | student at an online location based on the student's visit to that |
|---|
| 72 | 65 | | location at that time, or in response to the student's request for |
|---|
| 73 | 66 | | information or feedback, without the retention of the student's |
|---|
| 74 | 67 | | online activities or requests over time for the purpose of |
|---|
| 75 | 68 | | targeting subsequent advertisements. |
|---|
| 76 | 69 | | Sec. 32.152. PROHIBITED USE OF COVERED INFORMATION. (a) An |
|---|
| 77 | 70 | | operator may not knowingly: |
|---|
| 78 | 71 | | (1) engage in targeted advertising on any website, |
|---|
| 79 | 72 | | online service, online application, or mobile application if the |
|---|
| 80 | 73 | | target of the advertising is based on any information, including |
|---|
| 81 | 74 | | covered information and persistent unique identifiers, that the |
|---|
| 82 | 75 | | operator has acquired through the use of the operator's website, |
|---|
| 83 | 76 | | online service, online application, or mobile application for a |
|---|
| 84 | 77 | | school purpose; |
|---|
| 85 | 78 | | (2) use information, including persistent unique |
|---|
| 86 | 79 | | identifiers, created or gathered by the operator's website, online |
|---|
| 87 | 80 | | service, online application, or mobile application, to create a |
|---|
| 88 | 81 | | profile about a student unless the profile is created for a school |
|---|
| 89 | 82 | | purpose; or |
|---|
| 90 | 83 | | (3) except as provided by Subsection (c), sell or rent |
|---|
| 91 | 84 | | any student's covered information. |
|---|
| 92 | 85 | | (b) For purposes of Subsection (a)(2), the collection and |
|---|
| 93 | 86 | | retention of account information by an operator that remains under |
|---|
| 94 | 87 | | the control of the student, the student's parent, or the campus or |
|---|
| 95 | 88 | | district is not an attempt to create a profile by the operator. |
|---|
| 96 | 89 | | (c) Subsection (a)(3) does not apply to: |
|---|
| 97 | 90 | | (1) the purchase, merger, or any other type of |
|---|
| 98 | 91 | | acquisition of an operator by another entity, if the operator or |
|---|
| 99 | 92 | | successor entity complies with this subchapter regarding |
|---|
| 100 | 93 | | previously acquired student information; or |
|---|
| 101 | 94 | | (2) a national assessment provider if the provider |
|---|
| 102 | 95 | | secures the express affirmative consent of the student or the |
|---|
| 103 | 96 | | student's parent, given in response to clear and conspicuous |
|---|
| 104 | 97 | | notice, and if the information is used solely to provide access to |
|---|
| 105 | 98 | | employment, educational scholarships, financial aid, or |
|---|
| 106 | 99 | | postsecondary educational opportunities. |
|---|
| 107 | 100 | | Sec. 32.153. ALLOWED DISCLOSURE OF COVERED INFORMATION. |
|---|
| 108 | 101 | | (a) An operator may use or disclose covered information under the |
|---|
| 109 | 102 | | following circumstances: |
|---|
| 110 | 103 | | (1) to further a school purpose of the website, online |
|---|
| 111 | 104 | | service, online application, or mobile application and the |
|---|
| 112 | 105 | | recipient of the covered information disclosed under this |
|---|
| 113 | 106 | | subsection does not further disclose the information unless the |
|---|
| 114 | 107 | | disclosure is to allow or improve operability and functionality of |
|---|
| 115 | 108 | | the operator's website, online service, online application, or |
|---|
| 116 | 109 | | mobile application; |
|---|
| 117 | 110 | | (2) to ensure legal and regulatory compliance; |
|---|
| 118 | 111 | | (3) to protect against liability; |
|---|
| 119 | 112 | | (4) to respond to or participate in the judicial |
|---|
| 120 | 113 | | process; |
|---|
| 121 | 114 | | (5) to protect: |
|---|
| 122 | 115 | | (A) the safety or integrity of users of the |
|---|
| 123 | 116 | | website, online service, online application, or mobile |
|---|
| 124 | 117 | | application; or |
|---|
| 125 | 118 | | (B) the security of the website, online service, |
|---|
| 126 | 119 | | online application, or mobile application; |
|---|
| 127 | 120 | | (6) for a school, education, or employment purpose |
|---|
| 128 | 121 | | requested by the student or the student's parent and the |
|---|
| 129 | 122 | | information is not used or disclosed for any other purpose; |
|---|
| 130 | 123 | | (7) to use the covered information for: |
|---|
| 131 | 124 | | (A) a legitimate research purpose; or |
|---|
| 132 | 125 | | (B) a school purpose or postsecondary |
|---|
| 133 | 126 | | educational purpose; or |
|---|
| 134 | 127 | | (8) for a request by the agency or the school district |
|---|
| 135 | 128 | | for a school purpose. |
|---|
| 136 | 129 | | (b) A national assessment provider or a provider of a |
|---|
| 137 | 130 | | college and career counseling service may, in response to a request |
|---|
| 138 | 131 | | of a student, and on receiving the express affirmative consent of |
|---|
| 139 | 132 | | the student or the student's parent given in response to clear and |
|---|
| 140 | 133 | | conspicuous notice, use or disclose covered information solely to |
|---|
| 141 | 134 | | provide access to employment, educational scholarships, financial |
|---|
| 142 | 135 | | aid, or postsecondary educational opportunities. |
|---|
| 143 | 136 | | (c) An operator may disclose covered information if a |
|---|
| 144 | 137 | | provision of federal or state law requires the operator to disclose |
|---|
| 145 | 138 | | the information. The operator must comply with the requirements of |
|---|
| 146 | 139 | | federal and state law to protect the information being disclosed. |
|---|
| 147 | 140 | | (d) An operator may disclose covered information to a third |
|---|
| 148 | 141 | | party if the operator has contracted with the third party to provide |
|---|
| 149 | 142 | | a service for a school purpose for or on behalf of the operator. The |
|---|
| 150 | 143 | | contract must prohibit the third party from using any covered |
|---|
| 151 | 144 | | information for any purpose other than providing the contracted |
|---|
| 152 | 145 | | service. The operator must require the third party to implement and |
|---|
| 153 | 146 | | maintain reasonable procedures and practices designed to prevent |
|---|
| 154 | 147 | | disclosure of covered information. |
|---|
| 155 | 148 | | (e) Nothing in this subchapter prohibits the operator's use |
|---|
| 156 | 149 | | of covered information for maintaining, developing, supporting, |
|---|
| 157 | 150 | | improving, or diagnosing the operator's website, online service, |
|---|
| 158 | 151 | | online application, or mobile application. |
|---|
| 159 | 152 | | Sec. 32.154. ALLOWED USE OF COVERED INFORMATION. This |
|---|
| 160 | 153 | | subchapter does not prohibit an operator from: |
|---|
| 161 | 154 | | (1) using covered information: |
|---|
| 162 | 155 | | (A) to improve educational products if that |
|---|
| 163 | 156 | | information is not associated with an identified student using the |
|---|
| 164 | 157 | | operator's website, online service, online application, or mobile |
|---|
| 165 | 158 | | application; and |
|---|
| 166 | 159 | | (B) that is not associated with an identified |
|---|
| 167 | 160 | | student to demonstrate the effectiveness of the operator's products |
|---|
| 168 | 161 | | or services and to market the operator's services; |
|---|
| 169 | 162 | | (2) sharing covered information that is not associated |
|---|
| 170 | 163 | | with an identified student for the development and improvement of |
|---|
| 171 | 164 | | educational websites, online services, online applications, or |
|---|
| 172 | 165 | | mobile applications; |
|---|
| 173 | 166 | | (3) recommending to a student additional services or |
|---|
| 174 | 167 | | content relating to an educational, learning, or employment |
|---|
| 175 | 168 | | opportunity within a website, online service, online application, |
|---|
| 176 | 169 | | or mobile application if the recommendation is not determined by |
|---|
| 177 | 170 | | payment or other consideration from a third party; |
|---|
| 178 | 171 | | (4) responding to a student's request for information |
|---|
| 179 | 172 | | or for feedback without the information or response being |
|---|
| 180 | 173 | | determined by payment or other consideration from a third party; or |
|---|
| 181 | 174 | | (5) if the operator is a national assessment provider |
|---|
| 182 | 175 | | or a provider of a college and career counseling service, |
|---|
| 183 | 176 | | identifying for a student, with the express affirmative consent of |
|---|
| 184 | 177 | | the student or the student's parent, institutions of higher |
|---|
| 185 | 178 | | education or scholarship providers that are seeking students who |
|---|
| 186 | 179 | | meet specific criteria, regardless of whether the identified |
|---|
| 187 | 180 | | institution of higher education or scholarship provider provides |
|---|
| 188 | 181 | | consideration to the operator. |
|---|
| 189 | 182 | | Sec. 32.155. PROTECTION OF COVERED INFORMATION. An |
|---|
| 190 | 183 | | operator must implement and maintain reasonable security |
|---|
| 191 | 184 | | procedures and practices designed to protect any covered |
|---|
| 192 | 185 | | information from unauthorized access, deletion, use, modification, |
|---|
| 193 | 186 | | or disclosure. |
|---|
| 194 | 187 | | Sec. 32.156. DELETION OF COVERED INFORMATION. If a school |
|---|
| 195 | 188 | | district requests the deletion of a student's covered information |
|---|
| 196 | 189 | | under the control of the school district and maintained by the |
|---|
| 197 | 190 | | operator, the operator shall delete the information not later than |
|---|
| 198 | 191 | | the 60th day after the date of the request, or as otherwise |
|---|
| 199 | 192 | | specified in the contract or terms of service, unless the student or |
|---|
| 200 | 193 | | the student's parent consents to the operator's maintenance of the |
|---|
| 201 | 194 | | covered information. |
|---|
| 202 | 195 | | Sec. 32.157. APPLICABILITY. This subchapter does not: |
|---|
| 203 | 196 | | (1) limit the authority of a law enforcement agency to |
|---|
| 204 | 197 | | obtain any information from an operator as authorized by law or |
|---|
| 205 | 198 | | under a court order; |
|---|
| 206 | 199 | | (2) limit the ability of an operator to use student |
|---|
| 207 | 200 | | data, including covered information, for adaptive learning or |
|---|
| 208 | 201 | | customized student learning purposes; |
|---|
| 209 | 202 | | (3) apply to general audience: |
|---|
| 210 | 203 | | (A) websites; |
|---|
| 211 | 204 | | (B) online services; |
|---|
| 212 | 205 | | (C) online applications; or |
|---|
| 213 | 206 | | (D) mobile applications; |
|---|
| 214 | 207 | | (4) limit service providers from providing Internet |
|---|
| 215 | 208 | | connection to school districts or students and students' families; |
|---|
| 216 | 209 | | (5) prohibit an operator from marketing educational |
|---|
| 217 | 210 | | products directly to a student's parent if the marketing is not a |
|---|
| 218 | 211 | | result of the use of covered information obtained by the operator |
|---|
| 219 | 212 | | through providing services to the school district; |
|---|
| 220 | 213 | | (6) impose a duty on a provider of an electronic store, |
|---|
| 221 | 214 | | gateway, marketplace, or other means of purchasing or downloading |
|---|
| 222 | 215 | | software or applications to review or enforce compliance with this |
|---|
| 223 | 216 | | subchapter on those applications or software; |
|---|
| 224 | 217 | | (7) impose a duty on a provider of an interactive |
|---|
| 225 | 218 | | computer service to review or enforce compliance with this |
|---|
| 226 | 219 | | subchapter by third-party content providers; |
|---|
| 227 | 220 | | (8) prohibit a student from downloading, exporting, |
|---|
| 228 | 221 | | transferring, saving, or maintaining the student's data or |
|---|
| 229 | 222 | | documents; or |
|---|
| 230 | 223 | | (9) alter the rights or duties of the operator, |
|---|
| 231 | 224 | | provider, school, parent, or student under the Family Educational |
|---|
| 232 | 225 | | Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g) or other |
|---|
| 233 | 226 | | federal law. |
|---|
| 234 | 227 | | SECTION 3. This Act takes effect September 1, 2017. |
|---|