[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 1788 Introduced in Senate (IS)]
114th CONGRESS
1st Session
S. 1788
To require operators that provide online and similar services to
educational agencies, institutions, or programs to protect the privacy
and security of personally identifiable information, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 16, 2015
Mr. Daines (for himself and Mr. Blumenthal) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To require operators that provide online and similar services to
educational agencies, institutions, or programs to protect the privacy
and security of personally identifiable information, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safeguarding American Families from
Exposure by Keeping Information and Data Secure Act'' or the ``SAFE
KIDS Act''.
SEC. 2. DEFINITIONS.
(a) In General.--In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered information.--The term ``covered information''
means personally identifiable information, and information that
is linked or linkable to personally identifiable information,
that--
(A) is collected or generated through a school
service; and
(B)(i) the operator of the school service knows or
should know relates to a student; or
(ii) is collected, generated, or maintained at the
direction of an educational agency, institution, or
program serving the student or officials of such an
agency, institution, or program, including teachers.
(3) Early childhood education program.--The term ``early
childhood education program'' means a program that meets the
requirements of clauses (i) and (ii)(III) of section 103(8)(C)
of the Higher Education Act of 1965 (20 U.S.C. 1003).
(4) Educational agency, institution, or program.--The term
``educational agency, institution, or program'' means--
(A) an educational agency or institution, as
defined in section 444(a)(3) of the General Education
Provisions Act (20 U.S.C. 1232g(a)(3)), except that
such term does not include an institution of higher
education; or
(B) an early childhood education program.
(5) Eligible student.--The term ``eligible student'' means
a student who--
(A) is 18 years of age or older;
(B) is enrolled in an institution of higher
education; or
(C) has graduated from a secondary school.
(6) Institution of higher education.--The term
``institution of higher education'' has the meaning given such
term in section 102 of the Higher Education Act of 1965 (20
U.S.C. 1002).
(7) PreK-12 purposes.--The term ``PreK-12 purposes'' means
purposes that--
(A) aid in the administration of activities by an
educational agency, institution, or program, including
instruction in the classroom or at home, administrative
activities, and collaboration between students, school
personnel, or parents; or
(B) are for the use and benefit of the educational
agency, institution, or program.
(8) Online contact information.--The term ``online contact
information'' means, with respect to a student, an email
address or any other substantially similar identifier that
permits direct contact with the student online, including an
instant messaging user identifier, a voice over Internet
protocol identifier, a video chat user identifier, or a screen
name or user name that permits such contact.
(9) Operator.--The term ``operator'' means an entity that
operates a school service, except that such term does not
include an educational agency, institution, or program.
(10) Personally identifiable information.--The term
``personally identifiable information'' includes, with respect
to a student--
(A) the student's first and last name;
(B) the first and last name of the student's parent
or another family member;
(C) the home or physical address of the student or
student's family;
(D) online contact information for the student;
(E) a personal identifier, such as the student's
social security number, student number, or biometric
record;
(F) a persistent identifier that can be used to
recognize a user over time and across different
Internet websites, online services, online
applications, or mobile applications, including a
customer number held in a cookie, an Internet Protocol
address, a processor or device serial number, or
another unique identifier;
(G) a photograph, video, or audio recording that
contains the student's image or voice;
(H) geolocation information sufficient to identify
the street name and name of a city or town;
(I) other indirect identifiers, such as the
student's date of birth, place of birth, or mother's
maiden name;
(J) other information that, alone or in
combination, would allow an operator or a reasonable
person in the school community, who does not have
personal knowledge of the relevant circumstances, to
identify a specific student with reasonable certainty;
and
(K) information requested by a person who the
educational agency, institution, or program reasonably
believes knows the identity of the student to whom the
information relates.
(11) School service.--The term ``school service'' means an
Internet website, online service (including a cloud computing
service), online application, or mobile application that is
used for PreK-12 purposes and was designed and marketed for
PreK-12 purposes.
(12) State.--The term ``State'' means each State of the
United States, the District of Columbia, each territory or
possession of the United States, and each federally recognized
Indian tribe.
(13) Student.--The term ``student'' means any individual
who is or has been enrolled in an early childhood education
program, elementary school, or secondary school.
(14) Targeted advertising.--
(A) In general.--The term ``targeted advertising''
means presenting advertisements to a student or the
student's parent, where the advertisements are selected
based on information obtained or inferred from the
student's online behavior or use of online applications
or mobile applications or from covered information
about the student maintained by the operator of a
school service.
(B) Exclusion.--Such term does not include
presenting advertisements to a student or the student's
parent at an online location or through an online
application or mobile application, if--
(i) the advertisements are contextually
relevant;
(ii) the advertisements are selected based
on a single visit or session of use during
which the advertisements are presented; and
(iii) information about the student's
online behavior or use of online applications
or mobile applications is not collected or
retained over time.
(b) Terms Defined in Elementary and Secondary Education Act of
1965.--In this Act, the terms ``elementary school'', ``parent'', and
``secondary school'' have the meanings given such terms in section 9101
of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).
SEC. 3. PROTECTING STUDENT PRIVACY.
(a) Prohibited Practices.--An operator may not knowingly--
(1) engage in or permit targeted advertising on a school
service;
(2) collect, generate, use, or disclose any covered
information for purposes of targeted advertising;
(3) sell covered information to a third party;
(4) collect, generate, or use covered information
(including using covered information to create a personal
profile of a student) other than for PreK-12 purposes;
(5) disclose covered information, unless the disclosure is
made--
(A) pursuant to lawful process or to ensure legal
and regulatory compliance with Federal or State law;
(B) in accordance with subsection (e), pursuant to
an affirmative express request through a student's
educational agency, institution, or program for
disclosure of information specified in the request--
(i) in the case of information about a
student, from the student's parent; or
(ii) in the case of information about a
student's parent or another user of the school
service, from the parent or such other user, as
the case may be;
(C) in accordance with subsection (e), pursuant to
an affirmative express request through a student's
educational agency, institution, or program from a
student who is or has been enrolled in a secondary
school, or the parent of such student, to disclose
covered information specified in the request about the
student to a third party in furtherance of
postsecondary education or employment opportunities,
for the purpose of--
(i) providing or authenticating the
student's transcript, standardized test scores,
letters of recommendation, or other information
required by an institution of higher education
for an application for admission or by a
potential employer for an application for
employment; or
(ii) providing information relating to--
(I) admission to an institution of
higher education; or
(II) a scholarship or financial aid
for attendance at an institution of
higher education; or
(D) to protect the safety of users or others or the
security of the school service; or
(6) notwithstanding paragraph (5), disclose covered
information to a third-party service provider of the school
service unless the operator contractually requires the provider
to comply with all the provisions of this Act (including such
paragraph).
(b) Requirements.--An operator shall--
(1) establish, implement, and maintain reasonable security
procedures appropriate to the nature of covered information to
protect the confidentiality, security, and integrity of covered
information;
(2) delete a student's covered information that is not
included in a student's education records (as defined in
section 444(a)(4) of the General Education Provisions Act (20
U.S.C. 1232g(a)(4))) (commonly known as the ``Family
Educational Rights and Privacy Act of 1974'') within--
(A) a reasonable time, not to exceed 45 days, after
receiving a request for deletion through an educational
agency, institution, or program from the student's
parent; or
(B) within a reasonable time, not to exceed 2
years, after--
(i) the information is no longer being used
for PreK-12 purposes; and
(ii) providing notification, through an
educational agency, institution, or program, to
each student's parent of the impending deletion
of the student's covered information;
(3) obtain consent from the educational agency,
institution, or program, through contracts or privacy policies
in a manner that is clear and easy to understand, regarding the
types of covered information collected or generated (if any),
the purposes for which the covered information is used or
disclosed to third parties, and the identity of any such third
party;
(4) disclose publicly, on the website of the operator,
every privacy policy that the operator has established with an
educational agency, institution, or program;
(5) obtain consent from the educational agency,
institution, or program and provide sufficient notice on its
website before making material changes to a contract or privacy
policy for a school service; and
(6) facilitate access to and correction of covered
information, through an educational agency, institution, or
program--
(A) in the case of information about a student, by
the student's parent; or
(B) in the case of information about a parent or
another user of the school service, by the parent or
such other user, as the case may be.
(c) Effect on Mergers and Acquisitions.--The prohibitions of this
section on sale and disclosure of covered information do not apply to
the merger of an operator with another entity or the acquisition of the
operator by another entity (including any subsequent merger or
acquisition), provided that the operator or successor entity continues
to be subject to the provisions of this section with respect to covered
information acquired before the merger or acquisition.
(d) Continued Application.--This section shall continue to apply,
after a student is no longer enrolled in an educational agency,
institution, or program, to covered information relating to the student
that was collected or generated while the student was enrolled.
(e) Requirements for Certain Disclosures.--An operator may disclose
covered information under subparagraph (B) or (C) of subsection (a)(5)
only after the operator--
(1) ensures that the third-party recipient has provided
assurances that it will not further disclose covered
information to subsequent third parties, use any covered
information pursuant to the request for any purpose other than
fulfilling the purpose for which the request was made, nor take
any other action inconsistent with this Act;
(2) ensures that the third-party recipient has provided
assurances that it will establish, implement and maintain
reasonable security procedures as described in subsection
(b)(1); and
(3) provides a readily available mechanism for the
requesting party to revoke the request.
SEC. 4. RULES OF CONSTRUCTION.
(a) In General.--This Act shall not--
(1) be construed to affect or otherwise alter the
protections and guarantees set forth in section 444 of the
General Education Provisions Act (20 U.S.C. 1232g) (commonly
known as the ``Family Educational Rights and Privacy Act of
1974''), the Children's Online Privacy Protection Act of 1998
(15 U.S.C. 6501 et seq.), or any other Federal statute relating
to privacy protection;
(2) be construed to limit the authority of a law
enforcement agency to obtain content or information from an
operator as authorized by law or pursuant to an order of a
court of competent jurisdiction;
(3) limit the ability of an operator to use information,
including covered information, for adaptive or personalized
student learning purposes;
(4) limit an educational agency, institution, or program
from providing Internet access service for its own use, to
other educational agencies or institutions, or to students and
their families;
(5) be construed to prohibit an operator's use of covered
information for maintaining, developing, supporting, improving,
or diagnosing the operator's school service;
(6) impose a duty upon a provider of an electronic store,
gateway, marketplace, or other means of purchasing or
downloading software or applications to review or enforce
compliance with this Act by operators of school services; or
(7) impede the ability of a student or the student's parent
to download, export, create, or otherwise save or maintain data
or documents created by or about the student or noncommercial
applications created by the student, except to the extent any
such activity would result in disclosure prohibited by this Act
of covered information of other students or users of a school
service.
(b) De-Identified Covered Information.--
(1) In general.--Nothing in this Act prohibits an operator
from--
(A) using de-identified covered information within
the operator's school service or other sites, services,
or applications owned by the operator to improve
educational products;
(B) using de-identified covered information to
demonstrate the effectiveness of the operator's
products or services, including in the marketing of
such products or services; or
(C) disclosing de-identified covered information
for research and development, including--
(i) research, development, and improvement
of educational sites, services, and
applications; and
(ii) advancements in the science of
learning.
(c) Power To Consent and Rights Regarding Information About
Eligible Student.--Any provision of this Act that refers to the consent
of the student's parent for the use or disclosure of covered
information or the right of the student's parent to access or otherwise
obtain, use, correct, request disclosure of, or request deletion of
covered information, shall, in the case of covered information about an
eligible student, be considered to refer to the consent or right of the
student and not the student's parent.
(d) No Effect on Consent Under Other Law.--This Act does not modify
the requirements or standards for consent, including consent from
minors and employees on behalf of educational institutions, under any
other provision of Federal law or under State law.
SEC. 5. IMPLEMENTATION AND ENFORCEMENT.
(a) Enforcement by Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act or a regulation promulgated under this Act shall be
treated as a violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of the commission.--The Commission shall enforce
this Act and the regulations promulgated under this Act in the
same manner, by the same means, and with the same jurisdiction,
powers, and duties as though all applicable terms and
provisions of the Federal Trade Commission Act (15 U.S.C. 41 et
seq.) were incorporated into and made a part of this Act, and
any person who violates this Act or a regulation promulgated
under this Act shall be subject to the penalties entitled to
the privileges and immunities provided in the Federal Trade
Commission Act, except as provided in paragraph (3).
(3) Enforcement with respect to nonprofit organizations.--
Notwithstanding sections 4 and 5(a)(2) of the Federal Trade
Commission Act (15 U.S.C. 44; 45(a)(2)), any jurisdictional
limitation of the Commission with respect to nonprofit
organizations shall not apply for purposes of this Act.
(b) Preservation of Commission Authority.--Nothing in this Act may
be construed in any way to limit or affect the Commission's authority
under any other provision of law.
(c) Regulations.--The Commission may promulgate regulations under
section 553 of title 5, United States Code, to carry out this Act. Such
regulations shall further define the terms ``targeted advertising'',
``research, development, and improvement of educational sites,
services, and applications'', ``advancements in the science of
learning'', ``postsecondary education or employment opportunities'',
and ``adaptive or personalized student learning purposes'', as used in
this Act.
(d) Consultation and Cooperation With Secretary of Education.--The
Commission shall consult and cooperate with the Secretary of Education
in implementing and enforcing this Act, including in promulgating any
regulations to carry out this Act, in matters involving educational
agencies or institutions.
(e) Relationship to State Law.--
(1) In general.--This Act does not annul, alter, or affect,
or exempt any person subject to the provisions of this Act from
complying with, the laws of any State with respect to the
treatment of covered information by operators of school
services, except to the extent that such laws are inconsistent
with any provision of this Act, and then only to the extent of
the inconsistency. For purposes of this paragraph, a law of a
State is not inconsistent with this Act if the protection such
law affords any user of a school service is greater than the
protection provided by this Act.
(2) Rule of construction.--Any reference in this Act to
State law shall be considered also to refer to the law of a
political subdivision of a State.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the date that is 18 months after the
date of the enactment of this Act.
<all>