[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 1788 Introduced in Senate (IS)]

114th CONGRESS
  1st Session
                                S. 1788

   To require operators that provide online and similar services to 
educational agencies, institutions, or programs to protect the privacy 
  and security of personally identifiable information, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 16, 2015

 Mr. Daines (for himself and Mr. Blumenthal) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To require operators that provide online and similar services to 
educational agencies, institutions, or programs to protect the privacy 
  and security of personally identifiable information, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Safeguarding American Families from 
Exposure by Keeping Information and Data Secure Act'' or the ``SAFE 
KIDS Act''.

SEC. 2. DEFINITIONS.

    (a) In General.--In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Covered information.--The term ``covered information'' 
        means personally identifiable information, and information that 
        is linked or linkable to personally identifiable information, 
        that--
                    (A) is collected or generated through a school 
                service; and
                    (B)(i) the operator of the school service knows or 
                should know relates to a student; or
                    (ii) is collected, generated, or maintained at the 
                direction of an educational agency, institution, or 
                program serving the student or officials of such an 
                agency, institution, or program, including teachers.
            (3) Early childhood education program.--The term ``early 
        childhood education program'' means a program that meets the 
        requirements of clauses (i) and (ii)(III) of section 103(8)(C) 
        of the Higher Education Act of 1965 (20 U.S.C. 1003).
            (4) Educational agency, institution, or program.--The term 
        ``educational agency, institution, or program'' means--
                    (A) an educational agency or institution, as 
                defined in section 444(a)(3) of the General Education 
                Provisions Act (20 U.S.C. 1232g(a)(3)), except that 
                such term does not include an institution of higher 
                education; or
                    (B) an early childhood education program.
            (5) Eligible student.--The term ``eligible student'' means 
        a student who--
                    (A) is 18 years of age or older;
                    (B) is enrolled in an institution of higher 
                education; or
                    (C) has graduated from a secondary school.
            (6) Institution of higher education.--The term 
        ``institution of higher education'' has the meaning given such 
        term in section 102 of the Higher Education Act of 1965 (20 
        U.S.C. 1002).
            (7) PreK-12 purposes.--The term ``PreK-12 purposes'' means 
        purposes that--
                    (A) aid in the administration of activities by an 
                educational agency, institution, or program, including 
                instruction in the classroom or at home, administrative 
                activities, and collaboration between students, school 
                personnel, or parents; or
                    (B) are for the use and benefit of the educational 
                agency, institution, or program.
            (8) Online contact information.--The term ``online contact 
        information'' means, with respect to a student, an email 
        address or any other substantially similar identifier that 
        permits direct contact with the student online, including an 
        instant messaging user identifier, a voice over Internet 
        protocol identifier, a video chat user identifier, or a screen 
        name or user name that permits such contact.
            (9) Operator.--The term ``operator'' means an entity that 
        operates a school service, except that such term does not 
        include an educational agency, institution, or program.
            (10) Personally identifiable information.--The term 
        ``personally identifiable information'' includes, with respect 
        to a student--
                    (A) the student's first and last name;
                    (B) the first and last name of the student's parent 
                or another family member;
                    (C) the home or physical address of the student or 
                student's family;
                    (D) online contact information for the student;
                    (E) a personal identifier, such as the student's 
                social security number, student number, or biometric 
                record;
                    (F) a persistent identifier that can be used to 
                recognize a user over time and across different 
                Internet websites, online services, online 
                applications, or mobile applications, including a 
                customer number held in a cookie, an Internet Protocol 
                address, a processor or device serial number, or 
                another unique identifier;
                    (G) a photograph, video, or audio recording that 
                contains the student's image or voice;
                    (H) geolocation information sufficient to identify 
                the street name and name of a city or town;
                    (I) other indirect identifiers, such as the 
                student's date of birth, place of birth, or mother's 
                maiden name;
                    (J) other information that, alone or in 
                combination, would allow an operator or a reasonable 
                person in the school community, who does not have 
                personal knowledge of the relevant circumstances, to 
                identify a specific student with reasonable certainty; 
                and
                    (K) information requested by a person who the 
                educational agency, institution, or program reasonably 
                believes knows the identity of the student to whom the 
                information relates.
            (11) School service.--The term ``school service'' means an 
        Internet website, online service (including a cloud computing 
        service), online application, or mobile application that is 
        used for PreK-12 purposes and was designed and marketed for 
        PreK-12 purposes.
            (12) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each territory or 
        possession of the United States, and each federally recognized 
        Indian tribe.
            (13) Student.--The term ``student'' means any individual 
        who is or has been enrolled in an early childhood education 
        program, elementary school, or secondary school.
            (14) Targeted advertising.--
                    (A) In general.--The term ``targeted advertising'' 
                means presenting advertisements to a student or the 
                student's parent, where the advertisements are selected 
                based on information obtained or inferred from the 
                student's online behavior or use of online applications 
                or mobile applications or from covered information 
                about the student maintained by the operator of a 
                school service.
                    (B) Exclusion.--Such term does not include 
                presenting advertisements to a student or the student's 
                parent at an online location or through an online 
                application or mobile application, if--
                            (i) the advertisements are contextually 
                        relevant;
                            (ii) the advertisements are selected based 
                        on a single visit or session of use during 
                        which the advertisements are presented; and
                            (iii) information about the student's 
                        online behavior or use of online applications 
                        or mobile applications is not collected or 
                        retained over time.
    (b) Terms Defined in Elementary and Secondary Education Act of 
1965.--In this Act, the terms ``elementary school'', ``parent'', and 
``secondary school'' have the meanings given such terms in section 9101 
of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).

SEC. 3. PROTECTING STUDENT PRIVACY.

    (a) Prohibited Practices.--An operator may not knowingly--
            (1) engage in or permit targeted advertising on a school 
        service;
            (2) collect, generate, use, or disclose any covered 
        information for purposes of targeted advertising;
            (3) sell covered information to a third party;
            (4) collect, generate, or use covered information 
        (including using covered information to create a personal 
        profile of a student) other than for PreK-12 purposes;
            (5) disclose covered information, unless the disclosure is 
        made--
                    (A) pursuant to lawful process or to ensure legal 
                and regulatory compliance with Federal or State law;
                    (B) in accordance with subsection (e), pursuant to 
                an affirmative express request through a student's 
                educational agency, institution, or program for 
                disclosure of information specified in the request--
                            (i) in the case of information about a 
                        student, from the student's parent; or
                            (ii) in the case of information about a 
                        student's parent or another user of the school 
                        service, from the parent or such other user, as 
                        the case may be;
                    (C) in accordance with subsection (e), pursuant to 
                an affirmative express request through a student's 
                educational agency, institution, or program from a 
                student who is or has been enrolled in a secondary 
                school, or the parent of such student, to disclose 
                covered information specified in the request about the 
                student to a third party in furtherance of 
                postsecondary education or employment opportunities, 
                for the purpose of--
                            (i) providing or authenticating the 
                        student's transcript, standardized test scores, 
                        letters of recommendation, or other information 
                        required by an institution of higher education 
                        for an application for admission or by a 
                        potential employer for an application for 
                        employment; or
                            (ii) providing information relating to--
                                    (I) admission to an institution of 
                                higher education; or
                                    (II) a scholarship or financial aid 
                                for attendance at an institution of 
                                higher education; or
                    (D) to protect the safety of users or others or the 
                security of the school service; or
            (6) notwithstanding paragraph (5), disclose covered 
        information to a third-party service provider of the school 
        service unless the operator contractually requires the provider 
        to comply with all the provisions of this Act (including such 
        paragraph).
    (b) Requirements.--An operator shall--
            (1) establish, implement, and maintain reasonable security 
        procedures appropriate to the nature of covered information to 
        protect the confidentiality, security, and integrity of covered 
        information;
            (2) delete a student's covered information that is not 
        included in a student's education records (as defined in 
        section 444(a)(4) of the General Education Provisions Act (20 
        U.S.C. 1232g(a)(4))) (commonly known as the ``Family 
        Educational Rights and Privacy Act of 1974'') within--
                    (A) a reasonable time, not to exceed 45 days, after 
                receiving a request for deletion through an educational 
                agency, institution, or program from the student's 
                parent; or
                    (B) within a reasonable time, not to exceed 2 
                years, after--
                            (i) the information is no longer being used 
                        for PreK-12 purposes; and
                            (ii) providing notification, through an 
                        educational agency, institution, or program, to 
                        each student's parent of the impending deletion 
                        of the student's covered information;
            (3) obtain consent from the educational agency, 
        institution, or program, through contracts or privacy policies 
        in a manner that is clear and easy to understand, regarding the 
        types of covered information collected or generated (if any), 
        the purposes for which the covered information is used or 
        disclosed to third parties, and the identity of any such third 
        party;
            (4) disclose publicly, on the website of the operator, 
        every privacy policy that the operator has established with an 
        educational agency, institution, or program;
            (5) obtain consent from the educational agency, 
        institution, or program and provide sufficient notice on its 
        website before making material changes to a contract or privacy 
        policy for a school service; and
            (6) facilitate access to and correction of covered 
        information, through an educational agency, institution, or 
        program--
                    (A) in the case of information about a student, by 
                the student's parent; or
                    (B) in the case of information about a parent or 
                another user of the school service, by the parent or 
                such other user, as the case may be.
    (c) Effect on Mergers and Acquisitions.--The prohibitions of this 
section on sale and disclosure of covered information do not apply to 
the merger of an operator with another entity or the acquisition of the 
operator by another entity (including any subsequent merger or 
acquisition), provided that the operator or successor entity continues 
to be subject to the provisions of this section with respect to covered 
information acquired before the merger or acquisition.
    (d) Continued Application.--This section shall continue to apply, 
after a student is no longer enrolled in an educational agency, 
institution, or program, to covered information relating to the student 
that was collected or generated while the student was enrolled.
    (e) Requirements for Certain Disclosures.--An operator may disclose 
covered information under subparagraph (B) or (C) of subsection (a)(5) 
only after the operator--
            (1) ensures that the third-party recipient has provided 
        assurances that it will not further disclose covered 
        information to subsequent third parties, use any covered 
        information pursuant to the request for any purpose other than 
        fulfilling the purpose for which the request was made, nor take 
        any other action inconsistent with this Act;
            (2) ensures that the third-party recipient has provided 
        assurances that it will establish, implement and maintain 
        reasonable security procedures as described in subsection 
        (b)(1); and
            (3) provides a readily available mechanism for the 
        requesting party to revoke the request.

SEC. 4. RULES OF CONSTRUCTION.

    (a) In General.--This Act shall not--
            (1) be construed to affect or otherwise alter the 
        protections and guarantees set forth in section 444 of the 
        General Education Provisions Act (20 U.S.C. 1232g) (commonly 
        known as the ``Family Educational Rights and Privacy Act of 
        1974''), the Children's Online Privacy Protection Act of 1998 
        (15 U.S.C. 6501 et seq.), or any other Federal statute relating 
        to privacy protection;
            (2) be construed to limit the authority of a law 
        enforcement agency to obtain content or information from an 
        operator as authorized by law or pursuant to an order of a 
        court of competent jurisdiction;
            (3) limit the ability of an operator to use information, 
        including covered information, for adaptive or personalized 
        student learning purposes;
            (4) limit an educational agency, institution, or program 
        from providing Internet access service for its own use, to 
        other educational agencies or institutions, or to students and 
        their families;
            (5) be construed to prohibit an operator's use of covered 
        information for maintaining, developing, supporting, improving, 
        or diagnosing the operator's school service;
            (6) impose a duty upon a provider of an electronic store, 
        gateway, marketplace, or other means of purchasing or 
        downloading software or applications to review or enforce 
        compliance with this Act by operators of school services; or
            (7) impede the ability of a student or the student's parent 
        to download, export, create, or otherwise save or maintain data 
        or documents created by or about the student or noncommercial 
        applications created by the student, except to the extent any 
        such activity would result in disclosure prohibited by this Act 
        of covered information of other students or users of a school 
        service.
    (b) De-Identified Covered Information.--
            (1) In general.--Nothing in this Act prohibits an operator 
        from--
                    (A) using de-identified covered information within 
                the operator's school service or other sites, services, 
                or applications owned by the operator to improve 
                educational products;
                    (B) using de-identified covered information to 
                demonstrate the effectiveness of the operator's 
                products or services, including in the marketing of 
                such products or services; or
                    (C) disclosing de-identified covered information 
                for research and development, including--
                            (i) research, development, and improvement 
                        of educational sites, services, and 
                        applications; and
                            (ii) advancements in the science of 
                        learning.
    (c) Power To Consent and Rights Regarding Information About 
Eligible Student.--Any provision of this Act that refers to the consent 
of the student's parent for the use or disclosure of covered 
information or the right of the student's parent to access or otherwise 
obtain, use, correct, request disclosure of, or request deletion of 
covered information, shall, in the case of covered information about an 
eligible student, be considered to refer to the consent or right of the 
student and not the student's parent.
    (d) No Effect on Consent Under Other Law.--This Act does not modify 
the requirements or standards for consent, including consent from 
minors and employees on behalf of educational institutions, under any 
other provision of Federal law or under State law.

SEC. 5. IMPLEMENTATION AND ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of the commission.--The Commission shall enforce 
        this Act and the regulations promulgated under this Act in the 
        same manner, by the same means, and with the same jurisdiction, 
        powers, and duties as though all applicable terms and 
        provisions of the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.) were incorporated into and made a part of this Act, and 
        any person who violates this Act or a regulation promulgated 
        under this Act shall be subject to the penalties entitled to 
        the privileges and immunities provided in the Federal Trade 
        Commission Act, except as provided in paragraph (3).
            (3) Enforcement with respect to nonprofit organizations.--
        Notwithstanding sections 4 and 5(a)(2) of the Federal Trade 
        Commission Act (15 U.S.C. 44; 45(a)(2)), any jurisdictional 
        limitation of the Commission with respect to nonprofit 
        organizations shall not apply for purposes of this Act.
    (b) Preservation of Commission Authority.--Nothing in this Act may 
be construed in any way to limit or affect the Commission's authority 
under any other provision of law.
    (c) Regulations.--The Commission may promulgate regulations under 
section 553 of title 5, United States Code, to carry out this Act. Such 
regulations shall further define the terms ``targeted advertising'', 
``research, development, and improvement of educational sites, 
services, and applications'', ``advancements in the science of 
learning'', ``postsecondary education or employment opportunities'', 
and ``adaptive or personalized student learning purposes'', as used in 
this Act.
    (d) Consultation and Cooperation With Secretary of Education.--The 
Commission shall consult and cooperate with the Secretary of Education 
in implementing and enforcing this Act, including in promulgating any 
regulations to carry out this Act, in matters involving educational 
agencies or institutions.
    (e) Relationship to State Law.--
            (1) In general.--This Act does not annul, alter, or affect, 
        or exempt any person subject to the provisions of this Act from 
        complying with, the laws of any State with respect to the 
        treatment of covered information by operators of school 
        services, except to the extent that such laws are inconsistent 
        with any provision of this Act, and then only to the extent of 
        the inconsistency. For purposes of this paragraph, a law of a 
        State is not inconsistent with this Act if the protection such 
        law affords any user of a school service is greater than the 
        protection provided by this Act.
            (2) Rule of construction.--Any reference in this Act to 
        State law shall be considered also to refer to the law of a 
        political subdivision of a State.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the date that is 18 months after the 
date of the enactment of this Act.
                                 <all>