Bill H.4642

FILED ON: 3/5/2020

HOUSE . . . . . . . . . . . . . . . No. 4642

The Commonwealth of Massachusetts

_______________

In the One Hundred and Ninety-First General Court
(2019-2020)

_______________

An Act relative to student data privacy.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

Chapter 71 of the General Laws, as appearing in the 2018 Official Edition, is hereby amended by inserting after section 34H the following five sections:--

Section 34I. As used in sections 34I through 34M, the following words shall, unless the context clearly requires otherwise, have the following meanings:

“Board”, the board of elementary and secondary education.

"Covered information", student personally identifiable information or material, or information that is linked to student personally identifiable information or material, in any media or format that is not publicly available and is: (i) created by or provided to an operator by a student, or the student's parent or legal guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K–12 school purposes; (ii) created by or provided to an operator by an employee or agent of a K-12 school or school district for K-12 school purposes; or (iii) gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student, including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

“Department”, the department of elementary and secondary education.

“District” or “school district”, the school department of a city, town, regional school district, vocational or agricultural school, independent vocational school, charter school, or private school.

“Educational entity”, a K-12 school, district, department, or any subdivision thereof, as well as employees acting under the authority or on behalf of an educational entity.

"Interactive computer service", any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.

"K-12 school", a school that offers any of grades kindergarten to 12 and that is operated by a school district.

"K-12 school purposes", uses that are directed by or that customarily take place at the direction of a K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are otherwise for the use and benefit of the school.

"Operator", an entity other than the department, district, school, or other educational entity that operates an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.

“Personal social media account”, an account, service, or profile that is used by a student exclusively for personal communications unrelated to any K-12 school purpose, as defined herein; provided, however, that a personal social media account shall not include any account, service, or profile created, maintained, used or accessed by a student exclusively for any K-12 purposes or any education related communications.

"Targeted advertising", presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. It does not include advertising to a student at an online location based upon that student's current visit to that location, or in response to that student’s request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent ads.

“Social media”, an electronic medium allowing users to create, share and view user-generated content, including, but not limited to, uploading or downloading videos or still photographs, audio content, blogs, video blogs, podcasts, messages, e-mails or internet website profiles or locations.

“Student personally identifiable information”, data or information that alone, or in combination, is linked to a specific student and would allow a reasonable person, with no personal knowledge of the relevant circumstances, to identify the student.

Section 34J. (a) An operator shall not engage in any of the following activities with respect to their site, service or application:

(1) Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes.

(2) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K–12 school purposes. "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent or guardian, or K-12 school.

(3) Sell or rent a student's information, including covered information. This subsection shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with this section regarding previously acquired student information, or to national assessment providers if the provider secures the express written consent of the parent or student, given in response to clear and conspicuous notice, solely to provide access to employment, educational scholarships or financial aid, or postsecondary educational opportunities.

(4) Disclose covered information.

(b) Notwithstanding subparagraph (4) of subsection (a), an operator may disclose covered information of a student, so long as subparagraphs (1) through (3) inclusive are not violated, under the following circumstances:

(1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information;

(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law; or as allowed by state or federal law and under the direction of the department, in furtherance of K–12 school purposes or postsecondary educational purposes; or

(3) To a state or local educational entity, including K-12 schools and school districts, for K–12 school purposes, as permitted by state or federal law.

(c) An operator shall: (1) implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure; and (2) immediately delete a student’s covered information if requested by the educational institution.

(d) Subject to the provisions of this section, an operator may use covered information to maintain, develop, support, improve, or diagnose the operator's site, service, or application. Subject to the provisions of this section, an operator may use aggregated or non-identifiable student information to demonstrate the effectiveness of the operator’s products or services, including marketing or within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational purposes.

(e) Nothing in this section shall be construed to: (i) limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction; (ii) limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes; (iii) apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications; (iv) limit service providers from providing Internet connectivity to schools or students and their families; (vi) prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section; (vii) impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software; (viii) impose a duty upon a provider of an interactive computer service to review or enforce compliance with this section by third-party content providers; or (ix) prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

(f) An aggrieved student or educational entity may institute a civil action for damages or to restrain a violation of this section and may recover: (i) up to $10,000 for each request that violates this section; (ii) up to $10,000 for each adverse action, which violates this section, or actual damages, whichever amount is higher; (iii) punitive damages if a court determines that a violation was willful; and (iv) reasonable attorneys’ fees and other litigation costs reasonably incurred.

Section 34K. (a) Any contract or agreement that is entered between an educational entity and a third party, including an operator as defined in section 34I of chapter 71, pursuant to which the third party sells, leases, provides, operates, or maintains a service that grants access to covered information, or creates any covered information, including, but not limited to (i) any cloud-based services for the digital storage, management, and retrieval of pupil records; or (ii) any digital software that authorizes a third-party provider to access and acquire student records, shall contain:

(1) a statement that student records continue to be the property and under the control of the educational entity;

(2) a prohibition against the third party using covered information for commercial or advertising purposes, or any information in the student record for any purpose other than for the requirements of the contract;

(3) a description of the procedures by which a parent, legal guardian, or eligible student may review the student’s records and correct erroneous information, in accordance with state and federal law;

(4) a description of the actions the third party will take to ensure the security of student records; however, compliance with this requirement shall not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of records;

(5) a description of the procedures for notifying any and all affected parties in the event of an unauthorized disclosure of student records;

(6) a certification that student records shall not be retained or available to the third party upon completion of the terms of the contract;

(7) a description of how the educational entity and the third party will jointly ensure the compliance with applicable federal and state law, including, but not limited to 20 U.S.C. section 1232g, 15 U.S.C. section 6501 et. seq., and sections 34A through 34M inclusive of chapter 71.

(b) Any contract that fails to comply with the requirements of this section shall be voidable and all student records in possession of the third party shall be returned to the educational entity.

(c) For purposes of this section, “student records” means information directly related to a pupil that is maintained by the local educational agency or information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other local educational agency employee. “student records” do not include records of teachers and school administrators that are kept in their sole possession and not revealed to any other individual except a substitute teacher.

Section 34L. (a) a school district shall not: (i) require, request or cause a student to disclose a user name, password or other means for access, or provide access through a user name or password, to a personal social media account; (ii) compel a student , as a condition of acceptance or participation in curricular or extracurricular activities, to add a person, including, but not limited to, a coach, teacher, school administrator or other school employee or school volunteer, to the student’s or applicant’s list of contacts associated with a personal social media account; (iii) require, request or cause a student to reproduce in any manner photographs, videos, or information contained within a personal social media account; or (iv) take or threaten adverse action against a student , including, but not limited to, restraining the student’s participation in extracurricular activities, for refusing to disclose information specified in clause (i) or clause (iii) or for refusing to add a coach, teacher, school administrator or other school employee or school volunteer to a list of contacts associated with a personal social media account, as specified in clause (ii).

(b) This section shall not apply to information about a student that is publicly available.

(c) Nothing in this section shall limit a school district’s right to promulgate and maintain policies governing the use of the school district’s electronic equipment, including policies regarding use of the internet, email or social media.

(d) An aggrieved student may institute a civil action for damages or to restrain a violation of this section and may recover: (i) $1,000 for each request that violates clause (i) or (ii) of subsection (b); (ii) $1,000 for each adverse action, which violates clause (iii) of subsection (b), or actual damages, whichever amount is higher; (iii) punitive damages if a court determines that a violation was willful; and (iv) reasonable attorneys’ fees and other litigation costs reasonably incurred.

(e) Nothing in this section shall prevent the school district from requesting access to a student’s personal social media account to ensure compliance with applicable state or federal laws, judicial directives, or an order of a court of competent jurisdiction; provided, however, that a school district, prior to requesting access to a personal social media account, shall notify the student and the student’s parent or guardian of the grounds for the request; and provided further, that (i) the school district has no other means of obtaining the relevant information; (ii) information gained from access to the student’s personal social media account shall be used solely for purposes of the investigation or a related proceeding; and (iii) any access to a student’s personal social media account shall be limited to identifying relevant evidence. If a student does not permit access to a personal social media account, the school district shall not take or threaten adverse action against a student for refusing to permit access to said personal social media account.

(f) Nothing in this section shall limit or prevent a school district from completing an investigation pursuant to section 37O of chapter 71.

(g) The board shall promulgate regulations as needed to implement this section. The board shall submit any regulations to the house and senate committees on ways and means and the joint committee on education not less than 60 days before adoption. The joint committee on education shall review and may comment on these regulations during that time period.

Section 34M. (a) The department shall make publicly available a list of categories of student personally identifiable information collected by the department including, but not limited to, student personally identifiable information required to be collected or reported by state or federal law. The list shall contain the source of the information, the reason for the collection of the information, and the use of the information collected.

(b) The department shall issue guidance and recommendations to assist districts in complying with relevant state and federal law pertaining to student personally identifiable information including, but not limited to, 20 U.S.C. 1232g, sections 34A through 34M, inclusive, of chapter 71 of the General Laws, and chapter 66A of the General Laws.

(d) Each district shall make publicly available on their website a list of categories of student personally identifiable information collected at the school, district, or classroom level. The list shall contain the source of the information, the reason for collection of the information, and the use of the information. Each district shall develop a detailed security plan for the protection of student personally identifiable information that includes security breach planning, notice and procedures.