A. For the purposes of this section:
"Elementary and secondary school purposes" means purposes that (i) customarily take place at the direction of an elementary or secondary school, elementary or secondary school teacher, or school division; (ii) aid in the administration of school activities, including instruction in the classroom or at home; administrative activities; and collaboration between students, school personnel, or parents; or (iii) are otherwise for the use and benefit of an elementary or secondary school.
"Machine-readable format" means a structured format that can automatically be read and processed by a computer such as comma-separated values (CSV), Javascript Object Notation (JSON), or Extensible Markup Language (XML). "Machine-readable format" does not include portable document format (PDF).
"Personal profile" does not include account information that is collected and retained by a school service provider and remains under control of a student, parent, or elementary or secondary school.
"School-affiliated entity" means any private entity that provides support to a local school division or a public elementary or secondary school in the Commonwealth. "School-affiliated entity" includes alumni associations, booster clubs, parent-teacher associations, parent-teacher-student associations, parent-teacher organizations, public education foundations, public education funds, and scholarship organizations.
"School service" means a website, mobile application, or online service that (i) is designed and marketed primarily for use in elementary or secondary schools; (ii) is used (a) at the direction of teachers or other employees at elementary or secondary schools or (b) by any school-affiliated entity; and (iii) collects and maintains, uses, or shares student personal information. "School service" does not include a website, mobile application, or online service that is (a) used for the purposes of college and career readiness assessment or (b) designed and marketed for use by individuals or entities generally, even if it is also marketed for use in elementary or secondary schools.
"School service provider" means an entity that operates a school service pursuant to a contract with a local school division in the Commonwealth.
"Student personal information" means information collected through a school service that identifies a currently or formerly enrolled individual student or is linked to information that identifies a currently or formerly enrolled individual student.
"Targeted advertising" means advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information. "Targeted advertising" does not include advertising (i) that is presented to a student at an online location (a) on the basis of such student's online behavior, use of applications, or sharing of student personal information during his current visit to that online location or (b) in response to that student's request for information or feedback and (ii) for which a student's online activities or requests are not retained over time for the purpose of subsequent advertising.
B. In operating a school service pursuant to a contract with a local school division, each school service provider shall:
1. Provide clear and easy-to-understand information about the types of student personal information it collects through any school service and how it maintains, uses, or shares such student personal information;
2. Maintain a policy for the privacy of student personal information for each school service and provide prominent notice before making material changes to its policy for the privacy of student personal information for the relevant school service;
3. Maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information and makes use of appropriate administrative, technological, and physical safeguards;
4. Facilitate access to and correction of student personal information by each student whose student personal information has been collected, maintained, used, or shared by the school service provider, or by such student's parent, either directly or through the student's school or teacher;
5. Collect, maintain, use, and share student personal information only with the consent of the student or, if the student is less than 18 years of age, his parent or for the purposes authorized in the contract between the school division and the school service provider;
6. When it collects student personal information directly from the student, obtain the consent of the student or, if the student is less than 18 years of age, his parent before using student personal information in a manner that is inconsistent with its policy for the privacy of student personal information for the relevant school service, and when it collects student personal information from an individual or entity other than the student, obtain the consent of the school division before using student personal information in a manner that is inconsistent with its policy for the privacy of student personal information for the relevant school service;
7. Require any successor entity or third party with whom it contracts to abide by its policy for the privacy of student personal information and comprehensive information security program before accessing student personal information;
8. Upon the request of the school or school division, delete student personal information within a reasonable period of time after such request unless the student or, if the student is less than 18 years of age, his parent consents to the maintenance of the student personal information by the school service provider; and
9. Provide, either directly to the student or his parent or through the school, access to an electronic copy of such student's personal information in a manner consistent with the functionality of the school service. Contracts between local school boards and school service providers may require that such electronic copy be in a machine-readable format.
C. In operating a school service pursuant to a contract with a local school division, no school service provider shall knowingly:
1. Use or share any student personal information for the purpose of targeted advertising to students;
2. Use or share any student personal information to create a personal profile of a student other than for elementary and secondary school purposes authorized by the school division, with the consent of the student or, if the student is less than 18 years of age, his parent, or as otherwise authorized in the contract between the school division and the school service provider; or
3. Sell student personal information, except to the extent that such student personal information is sold to or acquired by a successor entity that purchases, merges with, or otherwise acquires the school service provider, subject to the provisions of subdivision B 7.
D. Nothing in this section shall be construed to prohibit school service providers from:
1. Using student personal information for purposes of adaptive learning, personalized learning, or customized education;
2. Using student personal information for maintaining, developing, supporting, improving, or diagnosing the school service;
3. Providing recommendations for employment, school, educational, or other learning purposes within a school service when such recommendation is not determined in whole or in part by payment or other consideration from a third party;
4. Disclosing student personal information to (i) ensure legal or regulatory compliance, (ii) protect against liability, or (iii) protect the security or integrity of its school service; or
5. Disclosing student personal information pursuant to a contract with a service provider, provided that the school service provider (i) contractually prohibits the service provider from using any student personal information for any purpose other than providing the contracted service to or on behalf of the school service provider, (ii) contractually prohibits the service provider from disclosing any student personal information provided by the school service provider to any third party unless such disclosure is permitted by subdivision B 7, and (iii) requires the service provider to comply with the requirements set forth in subsection B and prohibitions set forth in subsection C.
E. Nothing in this section shall be construed to:
1. Impose a duty upon a provider of an electronic store, gateway, marketplace, forum, or means for purchasing or downloading software or applications to review or enforce compliance with this section with regard to any school service provider whose school service is available for purchase or download on such electronic store, gateway, marketplace, forum, or means;
2. Impose liability on an interactive computer service, as that term is defined in 47 U.S.C. § 230(f), for content provided by another individual; or
3. Prohibit any student from downloading, exporting, transferring, saving, or maintaining his personal information, data, or documents.
F. No school service provider in operation on June 30, 2016, shall be subject to the provisions of this section until such time as the contract to operate a school service is renewed.
2015, c. 728; 2016, cc. 438, 439, 468; 2017, c. 518.