§ 49-1-708. Student online personal protection act.

TN Code § 49-1-708 (2019) (N/A)
Copy with citation
Copy as parenthetical citation

(a) An operator shall not knowingly:

(1) Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes;

(2) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. As used in this subdivision (a)(2) and subdivision (d)(2), “amass a profile” does not include the collection and retention of account information that remains under the control of the student, the student's parent or guardian, or the K-12 school;

(3) Sell or rent a student's information, including covered information. This subdivision (a)(3) does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with this section regarding previously acquired student information; or

(4) Except as otherwise provided in subsection (d), disclose covered information unless the disclosure is made:

(A) In furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under this subdivision (a)(4)(A) does not further disclose the information unless done to allow or improve operability and functionality of the operator's site, service, or application;

(B) To ensure legal and regulatory compliance or protect against liability;

(C) To respond to or participate in the judicial process;

(D) To protect the safety or integrity of users of the site or others or the security of the site, service, or application;

(E) For a school, educational, or employment purpose requested by the student or the student's parent or guardian; provided, that the information is not used or further disclosed for any other purpose; or

(F) To a third party, if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices.

(b) Nothing in subsection (a) shall prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.

(c) An operator shall:

(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure; and

(2) Delete within a reasonable time period a student's covered information if the K-12 school or LEA requests deletion of covered information under the control of the K-12 school or LEA, unless a student or parent or legal guardian consents to the maintenance of the covered information.

(d) An operator may use or disclose covered information of a student:

(1) If federal or state law requires the operator to disclose the information, and the operator complies with the requirements of federal or state law in protecting and disclosing that information;

(2) For legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state or federal law or as allowed by state or federal law and under the direction of a K-12 school, LEA, or the department of education, if covered information is not used for advertising or to amass a profile on the student for purposes other than K-12 school purposes; or

(3) To the department, an LEA, or a K-12 school for K-12 school purposes, as permitted by state or federal law.

(e) An operator is not prohibited from:

(1) Using covered information to improve educational products if that information is not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator;

(2) Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in its marketing;

(3) Sharing covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications;

(4) Using recommendation engines to recommend to a student:

(A) Additional content relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party; or

(B) Additional services relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party; or

(5) Responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.

(f) This section does not:

(1) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order;

(2) Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

(3) Apply to general audience Internet web sites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications;

(4) Limit service providers from providing Internet connectivity to schools or students and their families;

(5) Prohibit an operator of a web site, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section;

(6) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software;

(7) Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this section by third-party content providers; or

(8) Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

(g)

(1) Any violation of this section shall be construed to constitute an unfair or deceptive act or practice affecting the conduct of trade or commerce under the Tennessee Consumer Protection Act of 1977, compiled in title 47, chapter 18, part 1, and shall be enforced solely by the attorney general and reporter in the attorney general's discretion. The attorney general and reporter shall have the authority to conduct civil investigations and bring civil actions, as provided in § 8-6-109 and title 8, chapter 6, part 4; and §§ 47-18-106 and 47-18-108.

(2) In an action brought by the attorney general under this chapter, the court may award or impose any relief available under the Tennessee Consumer Protection Act of 1977.