72-6333. Same; operator prohibitions; exceptions. (a) An operator shall not knowingly:
(1) Engage in targeted advertising on the operator's educational online product, or target advertising on any other educational online product if the targeting of the advertising is based on any information, including student information and persistent unique identifiers, that the operator has acquired because of the use of such operator's educational online product for educational purposes;
(2) use information, including student information and persistent unique identifiers, created or gathered through the operation of such operator's educational online product, to amass a profile about a student, except in furtherance of educational purposes;
(3) sell or rent student information to a third party, except when such information is part of the assets being transferred during the purchase, merger or other acquisition of an operator by another entity, provided, the successor entity complies with the provisions of this subsection as though it were an operator with respect to the acquired student information; or
(4) disclose student information unless the disclosure is made for the following purposes:
(A) For legitimate research purposes subject to and as allowed by federal and state law, and under the direction of a school district or the state department of education, provided the student information is not used for advertising or to amass a profile on the student for purposes other than educational purposes, or for any other purposes other than educational purposes;
(B) that information described in K.S.A. 72-6332(e)(2) and (e)(8), and amendments thereto, upon request by a school district or state agency for educational purposes;
(C) to law enforcement agencies or to a court of competent jurisdiction to protect the safety or integrity of users of the operator's educational online product or other individuals, or the security of such educational online product;
(D) for educational or employment purposes upon request by the student or the student's parent or legal guardian, provided the student information is not used or further disclosed for any other purpose;
(E) to a service provider, provided the operator contractually: (i) Prohibits the service provider from using any student information for any purpose other than providing the contracted service to or on behalf of the operator; (ii) prohibits the service provider from disclosing any student information provided by the operator with subsequent third parties; and (iii) requires the service provider to implement and maintain reasonable security procedures and practices to ensure the confidentiality of the student information; or
(F) in the course of transferring assets as a part of a business purchase, merger or other acquisition as described in subsection (a)(3).
(b) An operator shall:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the student information which are designed to protect such information from unauthorized access, destruction, use, modification or disclosure; and
(2) delete within a reasonable period of time student information upon request by the school district, unless the student or the student's parent or legal guardian requests that such information continue to be maintained.
(c) Nothing in this section shall be construed to prohibit an operator from:
(1) Using student information to maintain, develop, support, improve or diagnose the operator's educational online product;
(2) using student information to improve educational products, provided such information is not associated with an identified student within the operator's educational online product or within other online products owned by the operator;
(3) using student information to demonstrate the effectiveness of the operator's educational online products, including in their marketing, provided such information is not associated with an identified student within the operator's educational online product or within other online products owned by the operator;
(4) sharing student information for purposes of development and improvement of educational online products, provided such information is not associated with an identified student within the operator's educational online product or within other online products owned by the operator;
(5) using recommendation engines to suggest to a student additional content or services within the operator's educational online product related to an educational, other learning or employment opportunity purpose, provided the recommendation is not determined in whole or in part by payment or other consideration from a third party; or
(6) responding to a student's request for information or feedback, provided such response is not determined in whole or in part by payment or other consideration from a third party.
(d) Nothing in this section shall be construed to:
(1) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to a court order;
(2) limit the ability of an operator to use student information for adaptive learning or customized student learning purposes;
(3) apply to general audience internet websites, general audience online services, general audience online applications or general audience mobile applications, even if login credentials created for an operator's educational online product may be used to access those general audience websites, online services or online applications;
(4) limit service providers from providing internet connectivity to schools or to students and the students' parents or legal guardians;
(5) prohibit an operator from marketing educational products directly to parents and legal guardians, provided such marketing does not result from the use of student information obtained by the operator through the operation of such operator's educational online products;
(6) impose a duty upon a provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications to review or enforce the compliance with this section on such software or applications;
(7) impose a duty upon a provider of an interactive computer service to review or enforce the compliance with this section by third-party content providers; or
(8) prohibit students from downloading, exporting, transferring, saving or maintaining such student's own student information or documents.
(e) As used in this section, the term "amass a profile" shall not include the collection and retention of account information that remains under the control of the student, the student's parent or legal guardian or the school district.
History: L. 2016, ch. 57, § 3; July 1.