By: VanDeaver, Fallon, Springer H.B. No. 2087
        (Senate Sponsor - Taylor of Galveston)
         (In the Senate - Received from the House May 12, 2017;
  May 12, 2017, read first time and referred to Committee on
  Education; May 19, 2017, reported favorably by the following vote:  
  Yeas 10, Nays 0; May 19, 2017, sent to printer.)
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to restricting the use of covered information, including
  student personally identifiable information, by an operator of a
  website, online service, online application, or mobile application
  for a school purpose.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  The heading to Chapter 32, Education Code, is
  amended to read as follows:
  CHAPTER 32. COMPUTERS, [AND] COMPUTER-RELATED EQUIPMENT, AND
  STUDENT INFORMATION PROTECTION
         SECTION 2.  Chapter 32, Education Code, is amended by adding
  Subchapter D to read as follows:
  SUBCHAPTER D. STUDENT INFORMATION
         Sec. 32.151.  DEFINITIONS. In this subchapter:
               (1)  "Covered information" means personally
  identifiable information or information that is linked to
  personally identifiable information, in any media or format, that
  is not publicly available and is:
                     (A)  created by or provided to an operator by a
  student or the student's parent in the course of the student's or
  parent's use of the operator's website, online service, online
  application, or mobile application for a school purpose;
                     (B)  created by or provided to an operator by an
  employee of a school district or school campus for a school purpose;
  or
                     (C)  gathered by an operator through the operation
  of the operator's website, online service, online application, or
  mobile application for a school purpose and personally identifies a
  student, including the student's educational record, electronic
  mail, first and last name, home address, telephone number,
  electronic mail address, information that allows physical or online
  contact, discipline records, test results, special education data,
  juvenile delinquency records, grades, evaluations, criminal
  records, medical records, health records, social security number,
  biometric information, disabilities, socioeconomic information,
  food purchases, political affiliations, religious information,
  text messages, student identifiers, search activity, photograph,
  voice recordings, or geolocation information.
               (2)  "Interactive computer service" has the meaning
  assigned by 47 U.S.C. Section 230.
               (3)  "Operator" means, to the extent operating in this
  capacity, the operator of a website, online service, online
  application, or mobile application who has actual knowledge that
  the website, online service, online application, or mobile
  application is used primarily for a school purpose and was designed
  and marketed for a school purpose.
               (4)  "Parent" includes a person standing in parental
  relation.
               (5)  "School purpose" means a purpose that is directed
  by or customarily takes place at the direction of a school district,
  school campus, or teacher or assists in the administration of
  school activities, including instruction in the classroom or at
  home, administrative activities, and collaboration between
  students, school personnel, or parents, or is otherwise for the use
  and benefit of the school.
               (6)  "Targeted advertising" means presenting an
  advertisement to a student in which the advertisement is selected
  for the student based on information obtained or inferred over time
  from the student's online behavior, usage of applications, or
  covered information.  The term does not include advertising to a
  student at an online location based on the student's visit to that
  location at that time, or in response to the student's request for
  information or feedback, without the retention of the student's
  online activities or requests over time for the purpose of
  targeting subsequent advertisements.
         Sec. 32.152.  PROHIBITED USE OF COVERED INFORMATION. (a) An
  operator may not knowingly:
               (1)  engage in targeted advertising on any website,
  online service, online application, or mobile application if the
  target of the advertising is based on any information, including
  covered information and persistent unique identifiers, that the
  operator has acquired through the use of the operator's website,
  online service, online application, or mobile application for a
  school purpose;
               (2)  use information, including persistent unique
  identifiers, created or gathered by the operator's website, online
  service, online application, or mobile application, to create a
  profile about a student unless the profile is created for a school
  purpose; or
               (3)  except as provided by Subsection (c), sell or rent
  any student's covered information.
         (b)  For purposes of Subsection (a)(2), the collection and
  retention of account information by an operator that remains under
  the control of the student, the student's parent, or the campus or
  district is not an attempt to create a profile by the operator.
         (c)  Subsection (a)(3) does not apply to:
               (1)  the purchase, merger, or any other type of
  acquisition of an operator by another entity, if the operator or
  successor entity complies with this subchapter regarding
  previously acquired student information; or
               (2)  a national assessment provider if the provider
  secures the express affirmative consent of the student or the
  student's parent, given in response to clear and conspicuous
  notice, and if the information is used solely to provide access to
  employment, educational scholarships, financial aid, or
  postsecondary educational opportunities.
         Sec. 32.153.  ALLOWED DISCLOSURE OF COVERED INFORMATION.
  (a) An operator may use or disclose covered information under the
  following circumstances:
               (1)  to further a school purpose of the website, online
  service, online application, or mobile application and the
  recipient of the covered information disclosed under this
  subsection does not further disclose the information unless the
  disclosure is to allow or improve operability and functionality of
  the operator's website, online service, online application, or
  mobile application;
               (2)  to ensure legal and regulatory compliance;
               (3)  to protect against liability;
               (4)  to respond to or participate in the judicial
  process;
               (5)  to protect:
                     (A)  the safety or integrity of users of the
  website, online service, online application, or mobile
  application; or
                     (B)  the security of the website, online service,
  online application, or mobile application;
               (6)  for a school, education, or employment purpose
  requested by the student or the student's parent and the
  information is not used or disclosed for any other purpose;
               (7)  to use the covered information for:
                     (A)  a legitimate research purpose; or
                     (B)  a school purpose or postsecondary
  educational purpose; or
               (8)  for a request by the agency or the school district
  for a school purpose.
         (b)  A national assessment provider or a provider of a
  college and career counseling service may, in response to a request
  of a student, and on receiving the express affirmative consent of
  the student or the student's parent given in response to clear and
  conspicuous notice, use or disclose covered information solely to
  provide access to employment, educational scholarships, financial
  aid, or postsecondary educational opportunities.
         (c)  An operator may disclose covered information if a
  provision of federal or state law requires the operator to disclose
  the information. The operator must comply with the requirements of
  federal and state law to protect the information being disclosed.
         (d)  An operator may disclose covered information to a third
  party if the operator has contracted with the third party to provide
  a service for a school purpose for or on behalf of the operator. The
  contract must prohibit the third party from using any covered
  information for any purpose other than providing the contracted
  service. The operator must require the third party to implement and
  maintain reasonable procedures and practices designed to prevent
  disclosure of covered information.
         (e)  Nothing in this subchapter prohibits the operator's use
  of covered information for maintaining, developing, supporting,
  improving, or diagnosing the operator's website, online service,
  online application, or mobile application.
         Sec. 32.154.  ALLOWED USE OF COVERED INFORMATION. This
  subchapter does not prohibit an operator from:
               (1)  using covered information:
                     (A)  to improve educational products if that
  information is not associated with an identified student using the
  operator's website, online service, online application, or mobile
  application; and
                     (B)  that is not associated with an identified
  student to demonstrate the effectiveness of the operator's products
  or services and to market the operator's services;
               (2)  sharing covered information that is not associated
  with an identified student for the development and improvement of
  educational websites, online services, online applications, or
  mobile applications;
               (3)  recommending to a student additional services or
  content relating to an educational, learning, or employment
  opportunity within a website, online service, online application,
  or mobile application if the recommendation is not determined by
  payment or other consideration from a third party;
               (4)  responding to a student's request for information
  or for feedback without the information or response being
  determined by payment or other consideration from a third party; or
               (5)  if the operator is a national assessment provider
  or a provider of a college and career counseling service,
  identifying for a student, with the express affirmative consent of
  the student or the student's parent, institutions of higher
  education or scholarship providers that are seeking students who
  meet specific criteria, regardless of whether the identified
  institution of higher education or scholarship provider provides
  consideration to the operator.
         Sec. 32.155.  PROTECTION OF COVERED INFORMATION. An
  operator must implement and maintain reasonable security
  procedures and practices designed to protect any covered
  information from unauthorized access, deletion, use, modification,
  or disclosure.
         Sec. 32.156.  DELETION OF COVERED INFORMATION. If a school
  district requests the deletion of a student's covered information
  under the control of the school district and maintained by the
  operator, the operator shall delete the information not later than
  the 60th day after the date of the request, or as otherwise
  specified in the contract or terms of service, unless the student or
  the student's parent consents to the operator's maintenance of the
  covered information.
         Sec. 32.157.  APPLICABILITY. This subchapter does not:
               (1)  limit the authority of a law enforcement agency to
  obtain any information from an operator as authorized by law or
  under a court order;
               (2)  limit the ability of an operator to use student
  data, including covered information, for adaptive learning or
  customized student learning purposes;
               (3)  apply to general audience:
                     (A)  websites;
                     (B)  online services;
                     (C)  online applications; or
                     (D)  mobile applications;
               (4)  limit service providers from providing Internet
  connection to school districts or students and students' families;
               (5)  prohibit an operator from marketing educational
  products directly to a student's parent if the marketing is not a
  result of the use of covered information obtained by the operator
  through providing services to the school district;
               (6)  impose a duty on a provider of an electronic store,
  gateway, marketplace, or other means of purchasing or downloading
  software or applications to review or enforce compliance with this
  subchapter on those applications or software;
               (7)  impose a duty on a provider of an interactive
  computer service to review or enforce compliance with this
  subchapter by third-party content providers;
               (8)  prohibit a student from downloading, exporting,
  transferring, saving, or maintaining the student's data or
  documents; or
               (9)  alter the rights or duties of the operator,
  provider, school, parent, or student under the Family Educational
  Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g) or other
  federal law.
         SECTION 3.  This Act takes effect September 1, 2017.
 
  * * * * *