HOUSE OF REPRESENTATIVES

H.B. NO.

1528

TWENTY-EIGHTH LEGISLATURE, 2016

 

STATE OF HAWAII

 

 

 

 

 

 

A BILL FOR AN ACT

 

 

relating to student privacy.

 

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to title 26 to be appropriately designated and to read as follows:

"Chapter

Student Online Personal Information Protection Act

     §   -1  Definitions.  As used in this chapter, unless the context otherwise requires:

     "Covered information" means personally identifiable information or materials, in any media or format, that meets any of the following criteria:

     (1)  It is created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K–12 school purposes;

     (2)  It is created or provided by an employee or agent of the K–12 school or the department to an operator;

     (3)  It is gathered by an operator through the operation of a site, service, or application and is descriptive of a student or otherwise identifies a student, including:

         (A)  Information in the student's educational record or e-mail;

         (B)  First and last name;

         (C)  Home address, telephone number, e-mail address, or other information that allows physical or online contact; or

         (D)  Discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

     "Department" means the department of education.

     "K-12 school" means a public school, public charter school, or a private school that provides instruction to students at any level from kindergarten up to the twelfth grade.

     "K–12 school purposes" means purposes that customarily take place at the direction of the K–12 school, teacher, or the department or aid in the administration of school activities, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

     "Online service" includes cloud computing services.

     "Operator" means the operator of an internet web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.

     "Student" means a student at a K-12 school.

     §   -2  Prohibited activities.  (a)  No operator shall knowingly engage in any of the following activities with respect to any site, service, or application that it operates for K-12 purposes:

     (1)  Engage in targeted advertising on the site, service, or application;

     (2)  Target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of any site, service, or application operated by the operator for K-12 purposes;

     (3)  Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to create a profile about a student except in furtherance of K–12 school purposes;

     (4)  Sell a student's information, including covered information, except that this paragraph shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity; provided that the operator or successor entity shall continue to be subject to this chapter with respect to previously acquired student information; or

     (5)  Disclose covered information except:

         (A)  In furtherance of the K–12 purpose of the site, service, or application; provided that the recipient of the covered information disclosed pursuant to this subparagraph:

              (i)  Shall not further disclose the information except to allow or improve operability and functionality within that student's classroom or school; and

             (ii)  Is legally required to comply with section    -3;

         (B)  To ensure statutory and regulatory compliance;

         (C)  To respond to or participate in judicial process;

         (D)  To protect the safety of users or others, or the security of the site, service, or application; or

         (E)  To disclose the covered information to an internet service provider; provided that the operator contractually:

              (i)  Prohibits the internet service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;

             (ii)  Prohibits the internet service provider from disclosing any covered information provided by the operator to subsequent third parties; and

            (iii)  Requires the internet service provider to implement and maintain reasonable security procedures and practices as provided in section    -3.

     (b)  Subsection (a) shall not be construed to prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.

     §   -3  Required activities.  An operator shall:

     (1)  Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and protect that information from unauthorized access, destruction, use, modification, or disclosure; and

     (2)  Delete a student's covered information if the school or the department requests deletion of data under the control of the school or the department.

     §   -4  Permissible disclosures of covered information.  Notwithstanding section    -2(a)(5), an operator may disclose covered information of a student if disclosure is:

     (1)  Required under other provisions of federal or state law, and the operator complies with the requirements of federal and state law in protecting and disclosing that information;

     (2)  Made for legitimate research purposes:

         (A)  As required by state or federal law and subject to the restrictions under applicable state and federal law; or

         (B)  As allowed by state or federal law and under the direction of a school or the department, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K–12 school purposes; or

     (3)  Made to a state or local educational agency, including schools and the department, for K–12 school purposes, as permitted by state or federal law.

     §   -5  Penalties; civil action.  (a)  Any operator that violates this chapter shall be subject to penalties of not more than $2,500 for each violation.  Except as otherwise provided in subsection (e), the attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section.

     (b)  In addition to any penalty provided for in subsection (a), any operator that violates this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation.

     (c)  The penalties provided in this section shall be cumulative to the remedies or penalties available under all other laws of this State.

     (d)  The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party.

     (e)  No action under this chapter may be brought against a government agency.

     §   -6  Limits and applicability of chapter.  (a)  Nothing in this chapter shall be construed to prohibit or limit an operator from:

     (1)  Using de-identified student covered information as follows:

         (A)  Within the operator's site, service, or application for K-12 school purposes or other sites, services, or applications owned by the operator to improve educational products; or

         (B)  To demonstrate the effectiveness of the operator's products or services, including their marketing;

     (2)  Sharing aggregated de-identified student covered information for the development and improvement of educational sites, services, or applications;

     (3)  Marketing educational products directly to parents, provided that the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this chapter; or

     (4)  Using student data, including covered information, for adaptive learning or customized student learning purposes.

     (b)  Nothing in this chapter shall be construed to:

     (1)  Limit the authority of the attorney general, the executive director of the office of consumer protection, or other law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;

     (2)  Apply to general audience internet web sites, general audience online services, general audience online applications, or general audience mobile applications, notwithstanding that the login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications;

     (3)  Limit internet service providers from providing internet connectivity to schools or students and their families;

     (4)  Require a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this chapter on those applications or software;

     (5)  Require a provider of an interactive computer service, as defined in 47 U.S.C. section 230(f)(2), to review or enforce compliance with this chapter by third-party content providers; or

     (6)  Limit the ability of students to download, export, or otherwise save or maintain their own student-created data or documents."

     SECTION 2.  This Act shall take effect on January 1, 2017.

 

INTRODUCED BY:

_____________________________

 

 


 


 

Report Title:

Student Privacy; Consumer Protection

 

Description:

Prohibits an operator of an internet web site, online service, online application, or mobile application used for K-12 school purposes from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to create a profile about a student, selling a student's information, or disclosing covered information.  Defines "covered information."  Authorizes the disclosure of covered information of a student under specified circumstances.

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.