S-0310.1
SENATE BILL 5419
| | |
State of Washington | 64th Legislature | 2015 Regular Session |
By Senators Litzow, McAuliffe, Rivers, Fain, Mullet, Frockt, Hill, Dammeier, Rolfes, Kohl-Welles, and Chase
Read first time 01/21/15. Referred to Committee on Early Learning & K-12 Education.
AN ACT Relating to the student user privacy in education rights act; adding new sections to chapter
28A.600 RCW; and creating a new section.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1. This act may be known and cited as the student user privacy in education rights act or SUPER act.
NEW SECTION. Sec. 2. The definitions in this section apply throughout sections 2 through 8 of this act unless the context clearly requires otherwise.
(1) "School service" means a web site, mobile application, or online service that: (a) Is designed and marketed for use in United States elementary or secondary educational institutions; (b) is used at the direction of teachers or other employees of an elementary or secondary educational institution; and (c) collects, maintains, or uses student personal information. A "school service" does not include a web site, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to United States elementary or secondary educational institutions.
(2) "School service provider" means an entity that operates a school service.
(3) "Students" refer to students of United States elementary and secondary schools.
(4) "Student personal information" means information collected through a school service that identifies an individual student or that is linked to information that identifies an individual student.
NEW SECTION. Sec. 3. (1) School service providers must provide clear and easy to understand information about the types of student personal information they collect and about how they use and share the student personal information.
(2) School service providers must provide prominent notice before making material changes to their privacy policies for school services.
(3) School service providers must facilitate access to and correction of student personal information by students or their parent or guardian either directly or through the relevant educational institution or teacher.
(4) Where the school service is offered to an educational institution or teacher, information required by subsections (1) and (2) of this section may be provided to the educational institution or teacher.
NEW SECTION. Sec. 4. (1) School service providers may collect, use, and share student personal information only for purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
(2) School service providers may not sell student personal information.
(3) School service providers may not use or share any student personal information for purposes of behaviorally targeting advertisements to students.
(4) School service providers may not use student personal information to create a personal profile of a student other than for supporting purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
(5) School service providers must obtain consent before using student personal information in a manner that is inconsistent with the provider's privacy policy for the applicable school service in effect at the time of collection. Where the student personal information was collected directly from students, the school service provider must obtain consent from the student or the student's parent or guardian. In all other cases, consent may be obtained from the educational institution or teacher.
NEW SECTION. Sec. 5. (1) School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. The information security program should make use of appropriate administrative, technological, and physical safeguards.
(2) School service providers may not knowingly retain student personal information beyond the time period authorized by the relevant educational institution or teacher unless the school service provider has obtained student consent or the consent of the student's parent or guardian.
(3) School service providers must obligate any third parties involved on the providers' behalf in the supply of school services to adhere to and implement the obligations imposed under this section and sections 3 and 4 of this act.
(4) Before permitting a successor entity to access student personal information, a school service provider must ensure that the successor entity will abide by all privacy and security commitments related to previously collected student personal information.
NEW SECTION. Sec. 6. Nothing in sections 2 through 6 of this act is intended to prohibit the use of student personal information for purposes of adaptive learning or customized education.
NEW SECTION. Sec. 7. Sections 2 through 6 of this act adopt and do not modify existing law regarding consent, including consent from minors and employees on behalf of educational institutions.
NEW SECTION. Sec. 8. If a school service provider entered into a signed, written contract with an educational institution or teacher before the effective date of this section, the school service provider is not liable for the requirements of sections 2 through 6 of this act with respect to that contract until the next renewal date of the contract.
NEW SECTION. Sec. 9. Sections 2 through 8 of this act are each added to chapter 28A.600 RCW.
--- END ---