[Congressional Bills 115th Congress] [From the U.S. Government Publishing Office] [S. 2640 Introduced in Senate (IS)] <DOC> 115th CONGRESS 2d Session S. 2640 To require operators that provide online and similar services to educational agencies, institutions, or programs to protect the privacy and security of personally identifiable information, and for other purposes. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES April 10, 2018 Mr. Daines (for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation _______________________________________________________________________ A BILL To require operators that provide online and similar services to educational agencies, institutions, or programs to protect the privacy and security of personally identifiable information, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Safeguarding American Families from Exposure by Keeping Information and Data Secure Act'' or the ``SAFE KIDS Act''. SEC. 2. DEFINITIONS. (a) In General.--In this Act: (1) Commission.--The term ``Commission'' means the Federal Trade Commission. (2) Covered information.--The term ``covered information'' means personally identifiable information or material, or information that is linked or reasonably linkable to personally identifiable information or material, in any media or format, that-- (A) is created by or provided to an operator by a student, or the student's parent, in the course of the student's or parent's use of the operator's site or service for preK-12 purposes; (B) is collected, generated, or maintained by an educational agency, institution, or program, including teachers of such agency, institution, or program; or (C) is collected by an operator through the operation of its site or service for preK-12 purposes and personally identifies a student, including-- (i) the student's first and last name; (ii) the first and last name of the student's parent or another family member; (iii) the home or physical address of the student or student's family; (iv) online contact information, as defined in section 1302 of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501), for the student; (v) a personal identifier, such as the student's Social Security number, student number, or biometric record; (vi) an identifier described in subparagraph (D), (F), or (G) of section 1302(8) of such Act (15 U.S.C. 6501(8)) for the student; (vii) a photograph, video, or audio recording that contains the student's image or voice; (viii) geolocation information sufficient to identify the street name and name of a city or town; and (ix) other indirect identifiers, such as the student's date of birth, place of birth, or mother's maiden name. (3) De-identified covered information.--The term ``de- identified covered information'' means covered information that-- (A) has been de-identified by reasonable measures; (B) is maintained in a de-identified fashion without attempt to re-identify; and (C) is not made available to other entities absent contractual agreement to not re-identify the covered information. (4) Early childhood education program.--The term ``early childhood education program'' means a program that meets the requirements of clauses (i) and (ii)(III) of section 103(8)(C) of the Higher Education Act of 1965 (20 U.S.C. 1003(8)(C)). (5) Educational agency, institution, or program.--The term ``educational agency, institution, or program'' means-- (A) an educational agency or institution, as defined in section 444(a)(3) of the General Education Provisions Act (20 U.S.C. 1232g(a)(3)), except that such term does not include an institution of higher education; or (B) an early childhood education program. (6) Eligible student.--The term ``eligible student'' means a student who-- (A) is 18 years of age or older; (B) is enrolled in an institution of higher education; or (C) has graduated from a secondary school. (7) Institution of higher education.--The term ``institution of higher education'' has the meaning given such term in section 102 of the Higher Education Act of 1965 (20 U.S.C. 1002). (8) Operator.--The term ``operator''-- (A) means the operator of a website located on the Internet or online service that is used primarily for preK-12 purposes and was designed and marketed for preK-12 purposes, to the extent that it is operating in this capacity; and (B) does not include an educational agency, institution, or program. (9) PreK-12 purposes.--The term ``preK-12 purposes'' means purposes that-- (A) are directed by or that customarily take place at the direction of an educational agency, institution, or program; (B) aid in the administration of activities by an educational agency, institution, or program, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or (C) are otherwise for the use and benefit of the educational agency, institution, or program. (10) State.--The term ``State'' means each State of the United States, the District of Columbia, each territory or possession of the United States, and each federally recognized Indian tribe. (11) Student.--The term ``student'' means any individual who attends or has attended an early childhood education program, elementary school, or secondary school. (12) Targeted advertising.-- (A) In general.--The term ``targeted advertising'' means presenting advertisements to a student or the student's parent, where the advertisements are selected based on information obtained or inferred over time from the student's online behavior, use of online services, or covered information. (B) Exclusion.--Such term does not include presenting advertisements to a student or the student's parent at an online location or through an online service, as long as-- (i) information about the student's online behavior or use of the online location or online service is not retained over time for the purpose of targeting subsequent advertisements; and (ii)(I) the advertisements are based solely upon that student's current visit to the online location; or (II) the advertisements are in response to a student's request for information or feedback. (b) Terms Defined in Elementary and Secondary Education Act of 1965.--In this Act, the terms ``elementary school'', ``parent'', and ``secondary school'' have the meanings given such terms in section 8101 of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801). SEC. 3. PROTECTING STUDENT PRIVACY. (a) Prohibited Practices.--An operator may not-- (1) collect, generate, use or disclose any covered information, or allow third parties to do so, for purposes of engaging in or permitting targeted advertising on the operator's site or online service, or target advertising on any other site or service, if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site or service for preK- 12 purposes; (2) sell or rent covered information to a third party, except this paragraph shall not apply to a nationally recognized high school academic assessment provider solely to the extent that the provider secures the express written consent of the parent or student, given in response to clear and conspicuous notice, only to provide access to employment, educational scholarships or financial aid, or postsecondary educational opportunities; (3) use information, including covered information and persistent unique identifiers, created or gathered by the operator's site or service to create a personal profile of a student other than for preK-12 purposes, except that for purposes of this paragraph, creating a personal profile shall not include the collection and retention of account information that remains under the control of the student, the student's parent, or the educational agency, institution, or program; or (4) disclose covered information, unless the disclosure is made-- (A) pursuant to lawful process or to ensure legal and regulatory compliance with Federal or State law; (B)(i) in furtherance of the preK-12 purpose of the site or service; and (ii) if the recipient of the covered information disclosed under this paragraph does not further disclose the information unless the disclosure is done to allow or improve operability and functionality of the operator's site or service; (C) for a school, educational, or employment purpose requested by the student or the student's parent, as long as the information is not used or further disclosed for any other purpose; (D) to protect the safety or integrity of users or others or the security of the school service; or (E) to a State or local educational agency, including elementary schools and secondary schools, for preK-12 purposes, as permitted by Federal or State law; or (5) notwithstanding paragraph (4), disclose covered information to a third-party service provider of the school service for purposes of maintaining, developing, supporting, improving, or diagnosing the operator's site or service unless the operator contractually requires the provider to comply with all the provisions of this Act (including such paragraph). (b) Requirements.--An operator shall-- (1) establish, implement, and maintain reasonable security procedures appropriate to the nature of the covered information that are designed to protect the covered information from unauthorized access, destruction, use, modification, or disclosure; (2) unless the educational agency, institution, or program or a student's parent consents to the maintenance of the covered information, delete a student's covered information-- (A) within a reasonable time after receiving a request for deletion through an educational agency, institution, or program, or from the student's parent; or (B) once the data has outlived the legitimate purpose for which the data was collected; (3) obtain consent from the educational agency, institution, or program, through contracts or privacy policies in a manner that is clear and easy to understand, regarding the types of covered information collected, the purposes for which the covered information is used or disclosed to third parties, and the identity of any such third parties; (4) disclose publicly, on the website of the operator, every privacy policy that the operator has established with an educational agency, institution, or program; (5) obtain consent from the educational agency, institution, or program and provide sufficient notice on its website before making material changes to a contract or privacy policy for a school service; and (6) support access to and correction of covered information through an educational agency, institution, or program. (c) Authorized Uses.-- (1) Uses of covered information.--An operator may use or disclose covered information of a student under the following circumstances: (A) If other provisions of Federal or State law require the operator to disclose the information, and the operator complies with the requirements of Federal and State law in protecting and disclosing that information. (B) For legitimate research purposes, as required by Federal or State law and subject to the restrictions under applicable Federal and State law or as allowed by Federal or State law and under the direction of an educational agency, institution, or program (including a State educational agency), if covered information is not used for advertising or to amass a profile on the student for purposes other than preK-12 purposes. (C) To an educational agency, institution, or program for preK-12 purposes, as permitted by Federal or State law. (d) Effect on Mergers and Acquisitions.--The prohibitions of this section on sale and disclosure of covered information do not apply to the merger of an operator with another entity or the acquisition of the operator by another entity (including any subsequent merger or acquisition), provided that the operator or successor entity continues to be subject to the provisions of this section with respect to covered information acquired before the merger or acquisition. (e) Continued Application.--This section shall continue to apply, after a student is no longer enrolled in an educational agency, institution, or program, to covered information relating to the student that was collected or generated while the student was enrolled. SEC. 4. RULES OF CONSTRUCTION. (a) In General.--This Act shall not-- (1) be construed to affect or otherwise alter the protections and guarantees set forth in section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly known as the ``Family Educational Rights and Privacy Act of 1974''), the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.), or any other Federal statute relating to privacy protection; (2) be construed to limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction; (3) limit the ability of an operator to use information, including covered information, for adaptive or personalized student learning purposes; (4) limit an educational agency, institution, or program from providing Internet access service for its own use, to other educational agencies or institutions, or to students and their families; (5) be construed to prohibit an operator's use of information, including covered information, for maintaining, developing, supporting, improving, or diagnosing the operator's school service; (6) impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this Act by operators of school services; (7) impede the ability of a student or the student's parent to download, export, transfer, or otherwise save or maintain data or documents created by or about the student or noncommercial applications created by the student; (8) be construed to apply to general audience Internet websites or general audience online services, even if login credentials created for an operator's site or service may be used to access those general audience sites or services; (9) prohibit an operator of a website or online service from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this Act; (10) limit service providers from providing Internet connectivity to schools or students and their families; or (11) be construed to apply to the sale, under the direction and control of the educational agency, institution, or program, of student and class pictures, yearbooks, memory books, and similar traditional school-sanctioned commemorative activities. (b) Nonprohibited Actions.--Nothing in this Act prohibits an operator from-- (1) using de-identified covered information within the operator's school service or other sites or online services owned by the operator to improve educational products; (2) using de-identified covered information to demonstrate the effectiveness of the operator's products or services, including in the marketing of such products or services; (3) disclosing de-identified covered information for the development and improvement of educational sites and services; or (4) disclosing de-identified covered information for research and development, including-- (A) research, development, and improvement of educational sites, services, and applications; and (B) advancements in the science of learning; (5) using recommendation engines to recommend to a student additional content, websites, or online services for preK-12 purposes offered by an operator within a website or online service if the recommendation is based on educational improvement and is not determined in whole or in part by financial gain from a third party; and (6) responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party. (c) Power To Consent and Rights Regarding Information About Eligible Student.--Any provision of this Act that refers to the consent of the student's parent for the use or disclosure of covered information or the right of the student's parent to access or otherwise obtain, use, correct, request disclosure of, or request deletion of covered information, shall, in the case of covered information about an eligible student, be considered to refer to the consent or right of the student and not the student's parent. (d) No Effect on Consent Under Other Law.--This Act does not modify the requirements or standards for consent, including consent from minors and employees on behalf of educational institutions, under any other provision of Federal law or under State law. SEC. 5. IMPLEMENTATION AND ENFORCEMENT. (a) Enforcement by Federal Trade Commission.-- (1) Unfair or deceptive acts or practices.--A violation of this Act shall be treated as a violation of a rule prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. (2) Powers of the commission.-- (A) In general.--The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. (B) Privileges and immunities.--Any person who violates this Act shall be subject to the penalties entitled to the privileges and immunities provided in the Federal Trade Commission Act, except as provided in paragraph (3). (3) Enforcement with respect to nonprofit organizations.-- Notwithstanding sections 4, 5(a)(2), and 6 of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2); 46), any jurisdictional limitation of the Commission with respect to nonprofit organizations or common carriers subject to the Communications Act of 1934, or Acts amending or supplementing that Act, shall not apply for purposes of this Act. (b) Preservation of Commission Authority.--Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law. (c) Consultation and Cooperation With Secretary of Education.--The Commission shall consult and cooperate with the Secretary of Education in enforcing this Act in matters involving educational agencies, institutions, or programs. (d) Relationship to State Law.-- (1) In general.--This Act does not annul, alter, or affect, or exempt any person subject to the provisions of this Act from complying with, the laws of any State with respect to the treatment of covered information by operators of school services, except to the extent that such laws are inconsistent with any provision of this Act, and then only to the extent of the inconsistency. For purposes of this paragraph, a law of a State is not inconsistent with this Act if the protection such law affords any user of a school service is greater than the protection provided by this Act. (2) Rule of construction.--Any reference in this Act to State law shall be considered also to refer to the law of a political subdivision of a State. SEC. 6. EFFECTIVE DATE. This Act shall take effect on the date that is 18 months after the date of the enactment of this Act. <all>