[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2640 Introduced in Senate (IS)]
<DOC>
115th CONGRESS
2d Session
S. 2640
To require operators that provide online and similar services to
educational agencies, institutions, or programs to protect the privacy
and security of personally identifiable information, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 10, 2018
Mr. Daines (for himself and Mr. Blumenthal) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To require operators that provide online and similar services to
educational agencies, institutions, or programs to protect the privacy
and security of personally identifiable information, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safeguarding American Families from
Exposure by Keeping Information and Data Secure Act'' or the ``SAFE
KIDS Act''.
SEC. 2. DEFINITIONS.
(a) In General.--In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered information.--The term ``covered information''
means personally identifiable information or material, or
information that is linked or reasonably linkable to personally
identifiable information or material, in any media or format,
that--
(A) is created by or provided to an operator by a
student, or the student's parent, in the course of the
student's or parent's use of the operator's site or
service for preK-12 purposes;
(B) is collected, generated, or maintained by an
educational agency, institution, or program, including
teachers of such agency, institution, or program; or
(C) is collected by an operator through the
operation of its site or service for preK-12 purposes
and personally identifies a student, including--
(i) the student's first and last name;
(ii) the first and last name of the
student's parent or another family member;
(iii) the home or physical address of the
student or student's family;
(iv) online contact information, as defined
in section 1302 of the Children's Online
Privacy Protection Act of 1998 (15 U.S.C.
6501), for the student;
(v) a personal identifier, such as the
student's Social Security number, student
number, or biometric record;
(vi) an identifier described in
subparagraph (D), (F), or (G) of section
1302(8) of such Act (15 U.S.C. 6501(8)) for the
student;
(vii) a photograph, video, or audio
recording that contains the student's image or
voice;
(viii) geolocation information sufficient
to identify the street name and name of a city
or town; and
(ix) other indirect identifiers, such as
the student's date of birth, place of birth, or
mother's maiden name.
(3) De-identified covered information.--The term ``de-
identified covered information'' means covered information
that--
(A) has been de-identified by reasonable measures;
(B) is maintained in a de-identified fashion
without attempt to re-identify; and
(C) is not made available to other entities absent
contractual agreement to not re-identify the covered
information.
(4) Early childhood education program.--The term ``early
childhood education program'' means a program that meets the
requirements of clauses (i) and (ii)(III) of section 103(8)(C)
of the Higher Education Act of 1965 (20 U.S.C. 1003(8)(C)).
(5) Educational agency, institution, or program.--The term
``educational agency, institution, or program'' means--
(A) an educational agency or institution, as
defined in section 444(a)(3) of the General Education
Provisions Act (20 U.S.C. 1232g(a)(3)), except that
such term does not include an institution of higher
education; or
(B) an early childhood education program.
(6) Eligible student.--The term ``eligible student'' means
a student who--
(A) is 18 years of age or older;
(B) is enrolled in an institution of higher
education; or
(C) has graduated from a secondary school.
(7) Institution of higher education.--The term
``institution of higher education'' has the meaning given such
term in section 102 of the Higher Education Act of 1965 (20
U.S.C. 1002).
(8) Operator.--The term ``operator''--
(A) means the operator of a website located on the
Internet or online service that is used primarily for
preK-12 purposes and was designed and marketed for
preK-12 purposes, to the extent that it is operating in
this capacity; and
(B) does not include an educational agency,
institution, or program.
(9) PreK-12 purposes.--The term ``preK-12 purposes'' means
purposes that--
(A) are directed by or that customarily take place
at the direction of an educational agency, institution,
or program;
(B) aid in the administration of activities by an
educational agency, institution, or program, including
instruction in the classroom or at home, administrative
activities, and collaboration between students, school
personnel, or parents; or
(C) are otherwise for the use and benefit of the
educational agency, institution, or program.
(10) State.--The term ``State'' means each State of the
United States, the District of Columbia, each territory or
possession of the United States, and each federally recognized
Indian tribe.
(11) Student.--The term ``student'' means any individual
who attends or has attended an early childhood education
program, elementary school, or secondary school.
(12) Targeted advertising.--
(A) In general.--The term ``targeted advertising''
means presenting advertisements to a student or the
student's parent, where the advertisements are selected
based on information obtained or inferred over time
from the student's online behavior, use of online
services, or covered information.
(B) Exclusion.--Such term does not include
presenting advertisements to a student or the student's
parent at an online location or through an online
service, as long as--
(i) information about the student's online
behavior or use of the online location or
online service is not retained over time for
the purpose of targeting subsequent
advertisements; and
(ii)(I) the advertisements are based solely
upon that student's current visit to the online
location; or
(II) the advertisements are in response to
a student's request for information or
feedback.
(b) Terms Defined in Elementary and Secondary Education Act of
1965.--In this Act, the terms ``elementary school'', ``parent'', and
``secondary school'' have the meanings given such terms in section 8101
of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).
SEC. 3. PROTECTING STUDENT PRIVACY.
(a) Prohibited Practices.--An operator may not--
(1) collect, generate, use or disclose any covered
information, or allow third parties to do so, for purposes of
engaging in or permitting targeted advertising on the
operator's site or online service, or target advertising on any
other site or service, if the targeting of the advertising is
based on any information, including covered information and
persistent unique identifiers, that the operator has acquired
because of the use of that operator's site or service for preK-
12 purposes;
(2) sell or rent covered information to a third party,
except this paragraph shall not apply to a nationally
recognized high school academic assessment provider solely to
the extent that the provider secures the express written
consent of the parent or student, given in response to clear
and conspicuous notice, only to provide access to employment,
educational scholarships or financial aid, or postsecondary
educational opportunities;
(3) use information, including covered information and
persistent unique identifiers, created or gathered by the
operator's site or service to create a personal profile of a
student other than for preK-12 purposes, except that for
purposes of this paragraph, creating a personal profile shall
not include the collection and retention of account information
that remains under the control of the student, the student's
parent, or the educational agency, institution, or program; or
(4) disclose covered information, unless the disclosure is
made--
(A) pursuant to lawful process or to ensure legal
and regulatory compliance with Federal or State law;
(B)(i) in furtherance of the preK-12 purpose of the
site or service; and
(ii) if the recipient of the covered information
disclosed under this paragraph does not further
disclose the information unless the disclosure is done
to allow or improve operability and functionality of
the operator's site or service;
(C) for a school, educational, or employment
purpose requested by the student or the student's
parent, as long as the information is not used or
further disclosed for any other purpose;
(D) to protect the safety or integrity of users or
others or the security of the school service; or
(E) to a State or local educational agency,
including elementary schools and secondary schools, for
preK-12 purposes, as permitted by Federal or State law;
or
(5) notwithstanding paragraph (4), disclose covered
information to a third-party service provider of the school
service for purposes of maintaining, developing, supporting,
improving, or diagnosing the operator's site or service unless
the operator contractually requires the provider to comply with
all the provisions of this Act (including such paragraph).
(b) Requirements.--An operator shall--
(1) establish, implement, and maintain reasonable security
procedures appropriate to the nature of the covered information
that are designed to protect the covered information from
unauthorized access, destruction, use, modification, or
disclosure;
(2) unless the educational agency, institution, or program
or a student's parent consents to the maintenance of the
covered information, delete a student's covered information--
(A) within a reasonable time after receiving a
request for deletion through an educational agency,
institution, or program, or from the student's parent;
or
(B) once the data has outlived the legitimate
purpose for which the data was collected;
(3) obtain consent from the educational agency,
institution, or program, through contracts or privacy policies
in a manner that is clear and easy to understand, regarding the
types of covered information collected, the purposes for which
the covered information is used or disclosed to third parties,
and the identity of any such third parties;
(4) disclose publicly, on the website of the operator,
every privacy policy that the operator has established with an
educational agency, institution, or program;
(5) obtain consent from the educational agency,
institution, or program and provide sufficient notice on its
website before making material changes to a contract or privacy
policy for a school service; and
(6) support access to and correction of covered information
through an educational agency, institution, or program.
(c) Authorized Uses.--
(1) Uses of covered information.--An operator may use or
disclose covered information of a student under the following
circumstances:
(A) If other provisions of Federal or State law
require the operator to disclose the information, and
the operator complies with the requirements of Federal
and State law in protecting and disclosing that
information.
(B) For legitimate research purposes, as required
by Federal or State law and subject to the restrictions
under applicable Federal and State law or as allowed by
Federal or State law and under the direction of an
educational agency, institution, or program (including
a State educational agency), if covered information is
not used for advertising or to amass a profile on the
student for purposes other than preK-12 purposes.
(C) To an educational agency, institution, or
program for preK-12 purposes, as permitted by Federal
or State law.
(d) Effect on Mergers and Acquisitions.--The prohibitions of this
section on sale and disclosure of covered information do not apply to
the merger of an operator with another entity or the acquisition of the
operator by another entity (including any subsequent merger or
acquisition), provided that the operator or successor entity continues
to be subject to the provisions of this section with respect to covered
information acquired before the merger or acquisition.
(e) Continued Application.--This section shall continue to apply,
after a student is no longer enrolled in an educational agency,
institution, or program, to covered information relating to the student
that was collected or generated while the student was enrolled.
SEC. 4. RULES OF CONSTRUCTION.
(a) In General.--This Act shall not--
(1) be construed to affect or otherwise alter the
protections and guarantees set forth in section 444 of the
General Education Provisions Act (20 U.S.C. 1232g) (commonly
known as the ``Family Educational Rights and Privacy Act of
1974''), the Children's Online Privacy Protection Act of 1998
(15 U.S.C. 6501 et seq.), or any other Federal statute relating
to privacy protection;
(2) be construed to limit the authority of a law
enforcement agency to obtain content or information from an
operator as authorized by law or pursuant to an order of a
court of competent jurisdiction;
(3) limit the ability of an operator to use information,
including covered information, for adaptive or personalized
student learning purposes;
(4) limit an educational agency, institution, or program
from providing Internet access service for its own use, to
other educational agencies or institutions, or to students and
their families;
(5) be construed to prohibit an operator's use of
information, including covered information, for maintaining,
developing, supporting, improving, or diagnosing the operator's
school service;
(6) impose a duty upon a provider of an electronic store,
gateway, marketplace, or other means of purchasing or
downloading software or applications, to review or enforce
compliance with this Act by operators of school services;
(7) impede the ability of a student or the student's parent
to download, export, transfer, or otherwise save or maintain
data or documents created by or about the student or
noncommercial applications created by the student;
(8) be construed to apply to general audience Internet
websites or general audience online services, even if login
credentials created for an operator's site or service may be
used to access those general audience sites or services;
(9) prohibit an operator of a website or online service
from marketing educational products directly to parents if the
marketing did not result from the use of covered information
obtained by the operator through the provision of services
covered under this Act;
(10) limit service providers from providing Internet
connectivity to schools or students and their families; or
(11) be construed to apply to the sale, under the direction
and control of the educational agency, institution, or program,
of student and class pictures, yearbooks, memory books, and
similar traditional school-sanctioned commemorative activities.
(b) Nonprohibited Actions.--Nothing in this Act prohibits an
operator from--
(1) using de-identified covered information within the
operator's school service or other sites or online services
owned by the operator to improve educational products;
(2) using de-identified covered information to demonstrate
the effectiveness of the operator's products or services,
including in the marketing of such products or services;
(3) disclosing de-identified covered information for the
development and improvement of educational sites and services;
or
(4) disclosing de-identified covered information for
research and development, including--
(A) research, development, and improvement of
educational sites, services, and applications; and
(B) advancements in the science of learning;
(5) using recommendation engines to recommend to a student
additional content, websites, or online services for preK-12
purposes offered by an operator within a website or online
service if the recommendation is based on educational
improvement and is not determined in whole or in part by
financial gain from a third party; and
(6) responding to a student's request for information or
for feedback without the information or response being
determined in whole or in part by payment or other
consideration from a third party.
(c) Power To Consent and Rights Regarding Information About
Eligible Student.--Any provision of this Act that refers to the consent
of the student's parent for the use or disclosure of covered
information or the right of the student's parent to access or otherwise
obtain, use, correct, request disclosure of, or request deletion of
covered information, shall, in the case of covered information about an
eligible student, be considered to refer to the consent or right of the
student and not the student's parent.
(d) No Effect on Consent Under Other Law.--This Act does not modify
the requirements or standards for consent, including consent from
minors and employees on behalf of educational institutions, under any
other provision of Federal law or under State law.
SEC. 5. IMPLEMENTATION AND ENFORCEMENT.
(a) Enforcement by Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act shall be treated as a violation of a rule prescribed
under section 18(a)(1)(B) of the Federal Trade Commission Act
(15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
(2) Powers of the commission.--
(A) In general.--The Commission shall enforce this
Act in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act shall be subject to the penalties
entitled to the privileges and immunities provided in
the Federal Trade Commission Act, except as provided in
paragraph (3).
(3) Enforcement with respect to nonprofit organizations.--
Notwithstanding sections 4, 5(a)(2), and 6 of the Federal Trade
Commission Act (15 U.S.C. 44; 45(a)(2); 46), any jurisdictional
limitation of the Commission with respect to nonprofit
organizations or common carriers subject to the Communications
Act of 1934, or Acts amending or supplementing that Act, shall
not apply for purposes of this Act.
(b) Preservation of Commission Authority.--Nothing in this Act may
be construed in any way to limit or affect the Commission's authority
under any other provision of law.
(c) Consultation and Cooperation With Secretary of Education.--The
Commission shall consult and cooperate with the Secretary of Education
in enforcing this Act in matters involving educational agencies,
institutions, or programs.
(d) Relationship to State Law.--
(1) In general.--This Act does not annul, alter, or affect,
or exempt any person subject to the provisions of this Act from
complying with, the laws of any State with respect to the
treatment of covered information by operators of school
services, except to the extent that such laws are inconsistent
with any provision of this Act, and then only to the extent of
the inconsistency. For purposes of this paragraph, a law of a
State is not inconsistent with this Act if the protection such
law affords any user of a school service is greater than the
protection provided by this Act.
(2) Rule of construction.--Any reference in this Act to
State law shall be considered also to refer to the law of a
political subdivision of a State.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the date that is 18 months after the
date of the enactment of this Act.
<all>