BILL ANALYSIS

 

 

 

C.S.H.B. 2087

By: VanDeaver

Public Education

Committee Report (Substituted)

 

 

 

BACKGROUND AND PURPOSE

 

Interested parties contend that as new technologies allow personal information to flow within schools and beyond, schools and operators of such technologies must maintain responsible privacy practices to safeguard student data. C.S.H.B. 2087 seeks to provide a safety standards and accountability framework to ensure student data is secured.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

C.S.H.B. 2087 amends the Education Code to prohibit the operator of a website, online service, online application, or mobile application who has actual knowledge that the website, online service, online application, or mobile application is used primarily for a school purpose and was designed and marketed for a school purpose from knowingly taking the following actions:

·         engaging in targeted advertising on any website, online service, online application, or mobile application if the target of the advertising is based on any information, including certain covered information and persistent unique identifiers, that the operator has acquired through the use of the operator's website, online service, online application, or mobile application for a school purpose;

·         using information created or gathered by the operator's website, online service, online application, or mobile application to create a profile about a student unless the profile is created for a school purpose; or

·         selling or renting any student's covered information, except as otherwise provided.

 

C.S.H.B. 2087 defines "school purpose" as a purpose that is directed by or customarily takes place at the direction of a public school district, school campus, or teacher or assists in the administration of school activities, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or is otherwise for the use and benefit of the school. The bill defines "targeted advertising" as presenting an advertisement to a student in which the advertisement is selected for the student based on information obtained or inferred over time from the student's online behavior, usage of applications, or covered information. The term expressly does not include advertising to a student at an online location based on the student's visit to that location at that time, or in response to the student's request for information or feedback, without the retention of the student's online activities or requests over time for the purpose of targeting subsequent advertisements. The bill defines "covered information" as personally identifiable information or information that is linked to personally identifiable information, in any media or format, that is not publicly available and is created by or provided to an operator by a student or the student's parent in the course of the student's or parent's use of the operator's website, online service, online application, or mobile application for a school purpose; is created by or provided to an operator by an employee of a district or campus for a school purpose; or is gathered by an operator through the operation of the operator's website, online service, online application, or mobile application for a school purpose and personally identifies a student.

 

C.S.H.B. 2087 establishes that, for purposes of the prohibition against using information created or gathered by the operator's website, online service, online application, or mobile application to create a profile about the student unless the profile is created for a school purpose, the collection and retention of account information by an operator that remains under the control of the student, the student's parent, or the campus or district is not an attempt to create a profile by the operator. The bill exempts from the prohibition against selling or renting any student's covered information the purchase, merger, or any other type of acquisition of an operator by another entity, if the operator or successor entity complies with the bill's provisions regarding previously acquired student information, and a national assessment provider if the provider secures the express affirmative consent of the student or the student's parent, given in response to clear and conspicuous notice, and if the information is used solely to provide access to employment, educational scholarships, financial aid, or postsecondary educational opportunities.

 

C.S.H.B. 2087 sets out certain circumstances under which an operator, including a national assessment provider or a provider of a college and career counseling service, may use or disclose covered information and certain allowed uses of covered information by those parties. The bill requires an operator to implement and maintain reasonable security procedures and practices designed to protect any covered information from unauthorized access, deletion, use, modification, or disclosure. The bill requires the operator, if a public school district requests the deletion of a student's covered information under the control of the district and maintained by the operator, to delete the information not later than the 60th day after the date of the request, or as otherwise specified in the contract or terms of service, unless the student or the student's parent consents to the operator's maintenance of the covered information. The bill's provisions expressly do not take any of the following actions:

·         limit the authority of a law enforcement agency to obtain any information from an operator as authorized by law or under a court order;

·         limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

·         apply to general audience websites, online services, online applications, or mobile applications;

·         limit service providers from providing Internet connection to districts or students and students' families;

·         prohibit an operator from marketing educational products directly to a student's parent if the marketing is not a result of the use of covered information obtained by the operator through providing services to the district;

·         impose a duty on a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with the bill's provisions on those applications or software;

·         impose a duty on a provider of an interactive computer service to review or enforce compliance with the bill's provisions by third-party content providers;

·         prohibit a student from downloading, exporting, transferring, saving, or maintaining the student's data or documents; or

·         alter the rights or duties of the operator, provider, school, parent, or student under the federal Family Educational Rights and Privacy Act of 1974 or other federal law.

 

EFFECTIVE DATE

 

September 1, 2017.

 

COMPARISON OF ORIGINAL AND SUBSTITUTE

 

While C.S.H.B. 2087 may differ from the original in minor or nonsubstantive ways, the following comparison is organized and formatted in a manner that indicates the substantial differences between the introduced and committee substitute versions of the bill.

 

INTRODUCED

HOUSE COMMITTEE SUBSTITUTE

SECTION 1. The heading to Chapter 32, Education Code, is amended.

SECTION 1. Same as introduced version.

 

SECTION 2. Chapter 32, Education Code, is amended by adding Subchapter D to read as follows:

SUBCHAPTER D. STUDENT INFORMATION

Sec. 32.151. DEFINITIONS.

 

Sec. 32.152. PROHIBITED USE OF COVERED INFORMATION. (a) An operator may not knowingly:

(1) engage in targeted advertising on any website, online service, online application, or mobile application if the target of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired through the use of the operator's website, online service, online application, or mobile application for a school purpose;

(2) use information, including persistent unique identifiers, created or gathered by the operator's website, online service, online application, or mobile application, to create a profile about a student unless the profile is created for a school purpose; or

(3) except as provided by Subsection (c), sell or rent any student's covered information.

(b) For purposes of Subsection (a)(2), the collection and retention of account information by an operator that remains under the control of the student, the student's parent, or the campus or district is not an attempt to create a profile by the operator.

(c) Subsection (a)(3) does not apply to:

(1) the purchase, merger, or any other type of acquisition of an operator by another entity, if the operator or successor entity complies with this subchapter regarding previously acquired student information; or

(2) a national assessment provider if the provider secures the express written consent of the student if the student is 18 years of age or older or the student's parent if the student is 17 years of age or younger, given in response to clear and conspicuous notice, if the information is used solely to provide access to employment, educational scholarships, financial aid, or postsecondary educational opportunities.

 

Sec. 32.153. ALLOWED DISCLOSURE OF COVERED INFORMATION. (a) An operator may use or disclose covered information if the disclosure is:

 

(1) to further a school purpose of the website, online service, online application, or mobile application and the recipient of the covered information disclosed under this subsection does not further disclose the information unless the disclosure is to allow or improve operability and functionality of the operator's website, online service, online application, or mobile application;

(2) to ensure legal and regulatory compliance;

(3) to protect against liability;

(4) to respond to or participate in the judicial process;

(5) to protect:

(A) the safety or integrity of users of the website, online service, online application, or mobile application; or

(B) the security of the website, online service, online application, or mobile application;

(6) for a school, education, or employment purpose requested by the student or the student's parent and the information is not used or disclosed for any other purpose;

(7) to use the covered information for:

(A) a legitimate research purpose; or

(B) a school purpose or postsecondary educational purpose; or

(8) requested by the agency or the school district for a school purpose.

 

 

 

 

 

 

 

 

 

 

 

(b) An operator may disclose covered information if a provision of federal or state law requires the operator to disclose the information. The operator must comply with the requirements of federal and state law to protect the information being disclosed.

(c) An operator may disclose covered information to a third party if the operator has contracted with the third party to provide a service for a school purpose for or on behalf of the operator. The contract must prohibit the third party from using any covered information for any purpose other than providing the contracted service. The operator must require the third party to implement and maintain reasonable procedures and practices designed to prevent disclosure of covered information.

(d) Nothing in this subchapter prohibits the operator's use of covered information for maintaining, developing, supporting, improving, or diagnosing the operator's website, online service, online application, or mobile application.

 

Sec. 32.154. ALLOWED USE OF COVERED INFORMATION. This subchapter does not prohibit an operator from:

(1) using covered information:

(A) to improve educational products if that information is not associated with an identified student using the operator's website, online service, online application, or mobile application; and

(B) that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services and to market the operator's services;

(2) sharing covered information that is not associated with an identified student for the development and improvement of educational websites, online services, online applications, or mobile applications;

(3) recommending to a student additional services or content relating to an educational, learning, or employment opportunity within a website, online service, online application, or mobile application if the recommendation is not determined by payment or other consideration from a third party;

(4) responding to a student's request for information or for feedback without the information or response being determined by payment or other consideration from a third party; or

(5) identifying for a student, with the express affirmative consent of the student if the student is 18 years of age or older or the student's parent if the student is 17 years of age or younger, institutions of higher education or scholarship providers that are seeking students who meet specific criteria, regardless of whether the identified institution of higher education or scholarship provider provides consideration to the operator.

 

 

Sec. 32.155. PROTECTION OF COVERED INFORMATION.

 

Sec. 32.156. DELETION OF COVERED INFORMATION.

 

Sec. 32.157. APPLICABILITY. This subchapter does not:

(1) limit the authority of a law enforcement agency to obtain any information from an operator as authorized by law or under a court order;

(2) limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

(3) apply to general audience:

(A) websites;

(B) online services;

(C) online applications; or

(D) mobile applications;

(4) limit service providers from providing Internet connection to school districts or students and students' families;

(5) prohibit an operator from marketing educational products directly to a student's parent if the marketing is not a result of the use of covered information obtained by the operator through providing services to the school district;

(6) impose a duty on a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this subchapter on those applications or software;

(7) impose a duty on a provider of an interactive computer service to review or enforce compliance with this subchapter by third-party content providers; or

(8) prohibit a student from downloading, exporting, transferring, saving, or maintaining the student's data or documents.

 

SECTION 2. Chapter 32, Education Code, is amended by adding Subchapter D to read as follows:

SUBCHAPTER D. STUDENT INFORMATION

Sec. 32.151. DEFINITIONS.

 

Sec. 32.152. PROHIBITED USE OF COVERED INFORMATION. (a) An operator may not knowingly:

(1) engage in targeted advertising on any website, online service, online application, or mobile application if the target of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired through the use of the operator's website, online service, online application, or mobile application for a school purpose;

(2) use information, including persistent unique identifiers, created or gathered by the operator's website, online service, online application, or mobile application, to create a profile about a student unless the profile is created for a school purpose; or

(3) except as provided by Subsection (c), sell or rent any student's covered information.

(b) For purposes of Subsection (a)(2), the collection and retention of account information by an operator that remains under the control of the student, the student's parent, or the campus or district is not an attempt to create a profile by the operator.

(c) Subsection (a)(3) does not apply to:

(1) the purchase, merger, or any other type of acquisition of an operator by another entity, if the operator or successor entity complies with this subchapter regarding previously acquired student information; or

(2) a national assessment provider if the provider secures the express affirmative consent of the student or the student's parent, given in response to clear and conspicuous notice, and if the information is used solely to provide access to employment, educational scholarships, financial aid, or postsecondary educational opportunities.

 

 

Sec. 32.153. ALLOWED DISCLOSURE OF COVERED INFORMATION. (a) An operator may use or disclose covered information under the following circumstances:

(1) to further a school purpose of the website, online service, online application, or mobile application and the recipient of the covered information disclosed under this subsection does not further disclose the information unless the disclosure is to allow or improve operability and functionality of the operator's website, online service, online application, or mobile application;

(2) to ensure legal and regulatory compliance;

(3) to protect against liability;

(4) to respond to or participate in the judicial process;

(5) to protect:

(A) the safety or integrity of users of the website, online service, online application, or mobile application; or

(B) the security of the website, online service, online application, or mobile application;

(6) for a school, education, or employment purpose requested by the student or the student's parent and the information is not used or disclosed for any other purpose;

(7) to use the covered information for:

(A) a legitimate research purpose; or

(B) a school purpose or postsecondary educational purpose; or

(8) for a request by the agency or the school district for a school purpose.

(b) A national assessment provider or a provider of a college and career counseling service may, in response to a request of a student, and on receiving the express affirmative consent of the student or the student's parent given in response to clear and conspicuous notice, use or disclose covered information solely to provide access to employment, educational scholarships, financial aid, or postsecondary educational opportunities.

(c) An operator may disclose covered information if a provision of federal or state law requires the operator to disclose the information. The operator must comply with the requirements of federal and state law to protect the information being disclosed.

(d) An operator may disclose covered information to a third party if the operator has contracted with the third party to provide a service for a school purpose for or on behalf of the operator. The contract must prohibit the third party from using any covered information for any purpose other than providing the contracted service. The operator must require the third party to implement and maintain reasonable procedures and practices designed to prevent disclosure of covered information.

(e) Nothing in this subchapter prohibits the operator's use of covered information for maintaining, developing, supporting, improving, or diagnosing the operator's website, online service, online application, or mobile application.

 

Sec. 32.154. ALLOWED USE OF COVERED INFORMATION. This subchapter does not prohibit an operator from:

(1) using covered information:

(A) to improve educational products if that information is not associated with an identified student using the operator's website, online service, online application, or mobile application; and

(B) that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services and to market the operator's services;

(2) sharing covered information that is not associated with an identified student for the development and improvement of educational websites, online services, online applications, or mobile applications;

(3) recommending to a student additional services or content relating to an educational, learning, or employment opportunity within a website, online service, online application, or mobile application if the recommendation is not determined by payment or other consideration from a third party;

(4) responding to a student's request for information or for feedback without the information or response being determined by payment or other consideration from a third party; or

(5) if the operator is a national assessment provider or a provider of a college and career counseling service, identifying for a student, with the express affirmative consent of the student or the student's parent, institutions of higher education or scholarship providers that are seeking students who meet specific criteria, regardless of whether the identified institution of higher education or scholarship provider provides consideration to the operator.

 

Sec. 32.155. PROTECTION OF COVERED INFORMATION.

 

Sec. 32.156. DELETION OF COVERED INFORMATION.

 

Sec. 32.157. APPLICABILITY. This subchapter does not:

(1) limit the authority of a law enforcement agency to obtain any information from an operator as authorized by law or under a court order;

(2) limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes;

(3) apply to general audience:

(A) websites;

(B) online services;

(C) online applications; or

(D) mobile applications;

(4) limit service providers from providing Internet connection to school districts or students and students' families;

(5) prohibit an operator from marketing educational products directly to a student's parent if the marketing is not a result of the use of covered information obtained by the operator through providing services to the school district;

(6) impose a duty on a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this subchapter on those applications or software;

(7) impose a duty on a provider of an interactive computer service to review or enforce compliance with this subchapter by third-party content providers;

(8) prohibit a student from downloading, exporting, transferring, saving, or maintaining the student's data or documents; or

(9) alter the rights or duties of the operator, provider, school, parent, or student under the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g) or other federal law.

SECTION 3. This Act takes effect September 1, 2017.

SECTION 3. Same as introduced version.