[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2092 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 2092

   To require operators that provide online and similar services to 
    educational agencies or institutions to protect the privacy and 
    security of personally identifiable information, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 29, 2015

 Mr. Messer (for himself and Mr. Polis) introduced the following bill; 
  which was referred to the Committee on Energy and Commerce, and in 
addition to the Committee on Education and the Workforce, for a period 
    to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
   To require operators that provide online and similar services to 
    educational agencies or institutions to protect the privacy and 
    security of personally identifiable information, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Student Digital Privacy and Parental 
Rights Act of 2015''.

SEC. 2. DEFINITIONS.

    (a) In General.--In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Covered information.--The term ``covered information'' 
        means personally identifiable information, and information that 
        is linked or linkable to personally identifiable information, 
        that--
                    (A) is collected or generated through a school 
                service; and
                    (B)(i) the operator of the school service knows or 
                should know relates to a student; or
                    (ii) is collected, generated, or maintained at the 
                direction of an educational agency or institution 
                serving the student or officials of such an agency or 
                institution, including teachers.
            (3) Educational agency or institution.--The term 
        ``educational agency or institution'' has the meaning given 
        such term in section 444 of the General Education Provisions 
        Act (20 U.S.C. 1232g), except that such term does not include 
        an institution of higher education.
            (4) Eligible student.--The term ``eligible student'' means 
        a student who--
                    (A) is 18 years of age or older;
                    (B) is enrolled in an institution of higher 
                education; or
                    (C) has graduated from a secondary school.
            (5) Institution of higher education.--The term 
        ``institution of higher education'' has the meaning given such 
        term in section 102 of the Higher Education Act of 1965 (20 
        U.S.C. 1002).
            (6) K-12 purposes.--The term ``K-12 purposes'' means 
        purposes that--
                    (A) aid in the administration of activities by an 
                educational agency or institution, including 
                instruction in the classroom or at home, administrative 
                activities, and collaboration between students, school 
                personnel, or parents; or
                    (B) are for the use and benefit of the educational 
                agency or institution.
            (7) Online contact information.--The term ``online contact 
        information'' means, with respect to a student, an email 
        address or any other substantially similar identifier that 
        permits direct contact with the student online, including an 
        instant messaging user identifier, a voice over Internet 
        Protocol identifier, a video chat user identifier, or a screen 
        name or user name that permits such contact.
            (8) Operator.--The term ``operator'' means an entity that 
        operates a school service, except that such term does not 
        include an educational agency or institution.
            (9) Personally identifiable information.--The term 
        ``personally identifiable information'' includes, with respect 
        to a student--
                    (A) the student's first and last name;
                    (B) the first and last name of the student's parent 
                or another family member;
                    (C) the home or physical address of the student or 
                student's family;
                    (D) online contact information for the student;
                    (E) a personal identifier, such as the student's 
                social security number, student number, or biometric 
                record;
                    (F) a persistent identifier that can be used to 
                recognize a user over time and across different 
                Internet Web sites, online services, online 
                applications, or mobile applications, including a 
                customer number held in a cookie, an Internet Protocol 
                address, a processor or device serial number, or 
                another unique identifier;
                    (G) a photograph, video, or audio recording that 
                contains the student's image or voice;
                    (H) geolocation information sufficient to identify 
                street name and name of a city or town;
                    (I) other indirect identifiers, such as the 
                student's date of birth, place of birth, or mother's 
                maiden name;
                    (J) other information that, alone or in 
                combination, would allow an operator or a reasonable 
                person in the school community, who does not have 
                personal knowledge of the relevant circumstances, to 
                identify a specific student with reasonable certainty; 
                and
                    (K) information requested by a person who the 
                educational agency or institution reasonably believes 
                knows the identity of the student to whom the 
                information relates.
            (10) School service.--The term ``school service'' means an 
        Internet Web site, online service (including a cloud computing 
        service), online application, or mobile application that is 
        used for K-12 purposes and was designed and marketed for K-12 
        purposes.
            (11) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each territory or 
        possession of the United States, and each federally recognized 
        Indian tribe.
            (12) Student.--The term ``student'' means any individual 
        who is or has been enrolled in an elementary school or 
        secondary school.
            (13) Targeted advertising.--
                    (A) In general.--The term ``targeted advertising'' 
                means presenting advertisements to a student or the 
                student's parent, where the advertisements are selected 
                based on information obtained or inferred from the 
                student's online behavior or use of online applications 
                or mobile applications or from covered information 
                about the student maintained by the operator of a 
                school service.
                    (B) Exclusion.--Such term does not include 
                presenting advertisements to a student or the student's 
                parent at an online location or through an online 
                application or mobile application, if--
                            (i) the advertisements are contextually 
                        relevant;
                            (ii) the advertisements are selected based 
                        on a single visit or session of use during 
                        which the advertisements are presented; and
                            (iii) information about the student's 
                        online behavior or use of online applications 
                        or mobile applications is not collected or 
                        retained over time.
    (b) Terms Defined in Elementary and Secondary Education Act of 
1965.--In this Act, the terms ``elementary school'', ``parent'', and 
``secondary school'' have the meanings given such terms in section 9101 
of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).

SEC. 3. PROTECTING STUDENT PRIVACY.

    (a) Prohibited Practices.--An operator may not knowingly--
            (1) engage in or permit targeted advertising on a school 
        service;
            (2) collect, generate, use, or disclose any covered 
        information for purposes of targeted advertising;
            (3) sell covered information to a third party;
            (4) collect, generate, or use covered information 
        (including using covered information to create a personal 
        profile of a student) other than for K-12 purposes; or
            (5) disclose covered information, unless the disclosure is 
        made--
                    (A) pursuant to lawful process or to ensure legal 
                and regulatory compliance with Federal or State law;
                    (B) in accordance with subsection (c), pursuant to 
                a request for disclosure--
                            (i) in the case of information about a 
                        student, from the student's parent; or
                            (ii) in the case of information about a 
                        student's parent or another user of the school 
                        service, from the parent or such other user, as 
                        the case may be;
                    (C) in accordance with subsection (c), pursuant to 
                a request for disclosure from a student who is or has 
                been enrolled in a secondary school or from the 
                student's parent for the exclusive purpose of--
                            (i) providing or authenticating the 
                        student's transcript, standardized test scores, 
                        letters of recommendation, or other information 
                        required by an institution of higher education 
                        for an application for admission or by a 
                        potential employer for an application for 
                        employment; or
                            (ii) providing information relating to--
                                    (I) admission to an institution of 
                                higher education; or
                                    (II) a scholarship or financial aid 
                                for attendance at an institution of 
                                higher education;
                    (D) to protect the safety of users or others or the 
                security of the school service;
                    (E) to an educational agency or institution, as 
                permitted by Federal and State law; or
                    (F) to a third-party service provider of the 
                operator, and the operator contractually--
                            (i) prohibits the service provider from 
                        using any covered information for any purpose 
                        other than providing the contracted service to, 
                        or on behalf of, the operator;
                            (ii) prohibits the service provider from 
                        disclosing to subsequent third parties any 
                        covered information disclosed by the operator 
                        to the service provider; and
                            (iii) requires the service provider to 
                        establish, implement, and maintain reasonable 
                        security procedures as described in subsection 
                        (b)(1).
    (b) Requirements.--An operator shall--
            (1) establish, implement, and maintain reasonable security 
        procedures appropriate to the nature of covered information to 
        protect the confidentiality, security, and integrity of covered 
        information;
            (2) delete a student's covered information (except for 
        information that is required to be maintained by Federal or 
        State law) within a reasonable time, not to exceed 45 days, 
        after receiving--
                    (A) a request from an educational agency or 
                institution serving the student; or
                    (B) a request (either directly or through the 
                educational agency or institution) from the student's 
                parent, except in the case of information that is 
                included in the student's education records (as defined 
                in section 444 of the General Education Provisions Act 
                (20 U.S.C. 1232g)), such as the student's test scores 
                or grades, or that is directed by the educational 
                agency or institution to be maintained for educational 
                or administrative purposes;
            (3) disclose publicly and to each educational agency or 
        institution to which the operator provides a school service, in 
        contracts or privacy policies in a manner that is clear and 
        easy to understand, the types of covered information collected 
        or generated (if any), the purposes for which the covered 
        information is used or disclosed to third parties, and the 
        identity of any such party;
            (4) facilitate access to and correction of covered 
        information, either directly or through an educational agency 
        or institution--
                    (A) in the case of information about a student, by 
                the student's parent; or
                    (B) in the case of information about a parent or 
                another user of the school service, by the parent or 
                such other user, as the case may be;
            (5) implement policies and procedures for responding to 
        data breaches involving unauthorized acquisition of or access 
        to personally identifiable information that occur on a school 
        service, in compliance with any obligations imposed by Federal 
        or State law;
            (6) notify the Commission and, as appropriate, students, 
        parents, educational agencies or institutions, or officials of 
        such agencies or institutions (including teachers) of each data 
        breach involving unauthorized acquisition of or access to 
        personally identifiable information that occurs on a school 
        service, in compliance with any obligations imposed by Federal 
        or State law; and
            (7) delete any covered information maintained by a school 
        service (except for information that is required to be 
        maintained by Federal or State law)--
                    (A) except as provided in subparagraph (B), within 
                a reasonable time, not to exceed one year, after the 
                operator ceases to provide the service to the 
                educational agency or institution, unless the 
                information is required to be maintained at the 
                direction of the educational agency or institution or 
                the student's parent; or
                    (B) if the operator continues providing the service 
                in whole or in part to a student after ceasing to 
                provide the service to the educational agency or 
                institution, within a reasonable time, not to exceed 
                one year, after the operator ceases to provide the 
                service to the student, unless the information is 
                required to be maintained at the direction of the 
                student's parent.
    (c) Requirements for Certain Disclosures.--An operator may disclose 
covered information under subparagraph (B) or (C) of subsection (a)(5) 
only after the operator--
            (1) receives from the student, the student's parent, or 
        other user of the school service, as the case may be (in this 
        subsection referred to as the ``requesting party''), an 
        affirmative express request (whether made directly or through 
        an educational agency or institution serving the student) to 
        disclose information specified in the request;
            (2) provides to the requesting party, in a manner that is 
        clear and easy to understand, a description of the types of 
        covered information that will be disclosed to a third party, 
        any fees collected by the operator to cover administrative 
        costs, and the purposes for which the covered information will 
        be disclosed to and used by the third party;
            (3) ensures that the third party agrees, in writing or an 
        electronic equivalent--
                    (A) not to use any covered information received 
                pursuant to the request for any purpose other than 
                fulfilling the purpose for which the request was made;
                    (B) not to disclose to subsequent third parties any 
                covered information received pursuant to the request; 
                and
                    (C) to establish, implement, and maintain 
                reasonable security procedures as described in 
                subsection (b)(1); and
            (4) provides a readily available mechanism for the 
        requesting party to revoke the request.
    (d) Effect on Mergers and Acquisitions.--The prohibitions of this 
section on sale and disclosure of covered information do not apply to 
the merger of an operator with another entity or the acquisition of the 
operator by another entity (including any subsequent merger or 
acquisition), provided that the operator or successor entity continues 
to be subject to the provisions of this section with respect to covered 
information acquired before the merger or acquisition.
    (e) Continued Application.--This section shall continue to apply, 
after a student is no longer enrolled in an elementary school or 
secondary school, to covered information relating to the student that 
was collected or generated while the student was enrolled.

SEC. 4. RULES OF CONSTRUCTION.

    (a) In General.--This Act shall not--
            (1) be construed to affect or otherwise alter the 
        protections and guarantees set forth in section 444 of the 
        General Education Provisions Act (20 U.S.C. 1232g) (commonly 
        known as the ``Family Educational Rights and Privacy Act of 
        1974''), the Children's Online Privacy Protection Act of 1998 
        (15 U.S.C. 6501 et seq.), or any other Federal statute relating 
        to privacy protection;
            (2) be construed to limit the authority of a law 
        enforcement agency to obtain content or information from an 
        operator as authorized by law or pursuant to an order of a 
        court of competent jurisdiction;
            (3) limit the ability of an operator to use information, 
        including covered information, for adaptive or personalized 
        student learning purposes;
            (4) limit an educational agency or institution from 
        providing Internet access service for its own use, to other 
        educational agencies or institutions, or to students and their 
        families;
            (5) be construed to prohibit an operator's use of covered 
        information for maintaining, developing, supporting, improving, 
        or diagnosing the operator's school service;
            (6) be construed to prohibit an operator of a school 
        service from marketing educational products directly to 
        parents, provided that the marketing does not result from the 
        use of covered information;
            (7) impose a duty upon a provider of an electronic store, 
        gateway, marketplace, or other means of purchasing or 
        downloading software or applications to review or enforce 
        compliance with this Act by operators of school services;
            (8) impede the ability of a student or the student's parent 
        to download, export, create, or otherwise save or maintain data 
        or documents created by or about the student or noncommercial 
        applications created by the student, except to the extent any 
        such activity would result in disclosure prohibited by this Act 
        of covered information of other students or users of a school 
        service; or
            (9) be construed to prohibit an operator from collecting a 
        reasonable fee to cover the administrative costs of making a 
        disclosure under section 3(a)(5)(C).
    (b) De-Identified and Aggregated Covered Information.--
            (1) In general.--Nothing in this Act prohibits an operator 
        from--
                    (A) using de-identified and aggregated covered 
                information--
                            (i) within the operator's school service or 
                        other sites, services, or applications owned by 
                        the operator to improve educational products; 
                        or
                            (ii) to demonstrate the effectiveness of 
                        the operator's products or services, including 
                        in the marketing of such products or services; 
                        or
                    (B) disclosing de-identified and aggregated covered 
                information for research and development, including--
                            (i) research, development, and improvement 
                        of educational sites, services, and 
                        applications; and
                            (ii) advancements in the science of 
                        learning.
            (2) Steps to prevent re-identification or disaggregation.--
        If an operator uses or discloses covered information as 
        described in paragraph (1), the operator shall take reasonable 
        steps to ensure that the information cannot be manipulated in a 
        manner that would enable--
                    (A) identification of an individual to whom the 
                information relates; or
                    (B) disaggregation of aggregated information into 
                its component parts.
    (c) Power To Consent and Rights Regarding Information About 
Eligible Student.--Any provision of this Act that refers to the consent 
of the student's parent for the use or disclosure of covered 
information or the right of the student's parent to access or otherwise 
obtain, use, correct, request disclosure of, or request deletion of 
covered information, shall, in the case of covered information about an 
eligible student, be considered to refer to the consent or right of the 
student and not the student's parent.
    (d) No Effect on Consent Under Other Law.--Except as provided in 
section 5(g), this Act does not modify the requirements or standards 
for consent, including consent from minors and employees on behalf of 
educational institutions, under any other provision of Federal law or 
under State law.

SEC. 5. IMPLEMENTATION AND ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of the commission.--The Commission shall enforce 
        this Act and the regulations promulgated under this Act in the 
        same manner, by the same means, and with the same jurisdiction, 
        powers, and duties as though all applicable terms and 
        provisions of the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.) were incorporated into and made a part of this Act, and 
        any person who violates this Act or a regulation promulgated 
        under this Act shall be subject to the penalties entitled to 
        the privileges and immunities provided in the Federal Trade 
        Commission Act, except as provided in paragraph (3).
            (3) Enforcement with respect to non-profit organizations.--
        Notwithstanding sections 4 and 5(a)(2) of the Federal Trade 
        Commission Act (15 U.S.C. 44; 45(a)(2)), any jurisdictional 
        limitation of the Commission with respect to nonprofit 
        organizations shall not apply for purposes of this Act.
    (b) Preservation of Commission Authority.--Nothing in this Act may 
be construed in any way to limit or affect the Commission's authority 
under any other provision of law.
    (c) Regulations.--The Commission may promulgate regulations under 
section 553 of title 5, United States Code, to carry out this Act.
    (d) Consultation and Cooperation With Secretary of Education.--The 
Commission shall consult and cooperate with the Secretary of Education 
in implementing and enforcing this Act, including in promulgating any 
regulations to carry out this Act, in matters involving educational 
agencies or institutions.
    (e) Report by Commission.--Not later than 1 year after the 
effective date described in section 6, and annually thereafter, the 
Commission shall submit to Congress and make available on the Internet 
Web site of the Commission a report on the number, scope, and nature of 
the data breaches about which the Commission receives notice under 
section 3(b)(6).
    (f) Guidance and Technical Assistance From Secretary of 
Education.--The Secretary of Education shall provide educational 
agencies or institutions with reasonable guidance and technical 
assistance with respect to preventing and responding to data breaches 
involving unauthorized acquisition of or access to personally 
identifiable information that occur on a school service, in compliance 
with any obligations imposed by Federal or State law.
    (g) Relationship to State Law.--
            (1) In general.--This Act does not annul, alter, or affect, 
        or exempt any person subject to the provisions of this Act from 
        complying with, the laws of any State with respect to the 
        treatment of covered information by operators of school 
        services, except to the extent that such laws are inconsistent 
        with any provision of this Act, and then only to the extent of 
        the inconsistency. For purposes of this paragraph, a law of a 
        State is not inconsistent with this Act if the protection such 
        law affords any user of a school service is greater than the 
        protection provided by this Act.
            (2) Rule of construction.--Any reference in this Act to 
        State law shall be considered also to refer to the law of a 
        political subdivision of a State.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the date that is 18 months after the 
date of the enactment of this Act.