D.C. Law 21-218. Protecting Students Digital Privacy Act of 2016.

AN ACT

To require an operator of an Internet website, online service, online application, or mobile application used for prekindergarten through grade 12 purposes to implement and maintain appropriate security measures to protect personally identifiable student information, to refrain from using personally identifiable student information for targeted advertising, and to refrain from disclosing personally identifiable student information except in limited circumstances; to prohibit an educational institution that provides a technological device to a student for overnight or at-home use from accessing or tracking the device, or activity or data on the device, except in limited circumstances; and to prohibit an educational institution from searching or compelling a student or prospective student to disclose account authentication information for a student's personal media account or personal technological device, share content accessible from the student's personal media account or technological device, add a person to the list of users who may view or access the student's personal media account or personal technological device, or change the privacy settings associated with the student's personal media account or personal technological device, except in limited circumstances.

BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this act may be cited as the "Protecting Students Digital Privacy Act of 2016".

New Chapter 8B of Title 38

New § 38-831.01

Sec. 2. Definitions.

For the purposes of this act, the term:

(1) "1-to-1 device" means a technological device provided to a student pursuant to a 1-to-1 program.

(2) "1-to-1 device provider" means a person or entity, or its agent, parent company, or subsidiary, that provides a 1-to-1 device to a student or educational institution pursuant to a 1-to-1 program.

(3) "1-to-1 program" means a program authorized by an educational institution in which a student is provided with a 1-to-1 device for overnight or at-home use.

(4) "De-identified student information" means data or other information related to a specific student from which all personally identifiable student information has been removed.

(5) "Disclose personally identifiable student information" means to share, transfer, or otherwise communicate personally identifiable student information to a third-party other than the LEA, educational institution, student, or student's parent.

(6) "Educational institution" means a public school or public charter school in the District of Columbia.

(7) "Interactive computer service" shall have the same meaning as provided in section 230(f)(2) of the Communications Act of 1934, approved February 8, 1996 (110 Stat. 139; 47 U.S.C. § 230(f)(2)).

(8) "Local education agency" or "LEA" means the District of Columbia Public Schools system or any individual or group of public charter schools operating under a single charter.

(9) "Location tracking technology" means hardware, software, or an application that collects or reports data that identifies the geophysical location of a technological device.

(10) "Operator" means a person that operates an Internet website, online service, online application, or mobile application:

(A) That is designed, marketed, and primarily used for pre-k through 12 purposes; and

(B) Who has actual knowledge that the person's website, online service, online application, or mobile application is being used for pre-k through 12 purposes.

(11) "Parent" includes a student's legal guardian.

(12) "Personal media account" means a student-created account with an electronic medium or service through which users may create, share, and view user-generated content, including videos, photographs, blogs, video blogs, podcasts, messages, e-mails, or Internet website profiles or locations. The term "personal media account" does not include an account opened at an educational institution's behest or provided by an educational institution.

(13) "Personal technological device" means a technological device in the possession of a student that is not the property of an educational institution or a 1-to-1 provider.

(14) "Personally identifiable student information" means data or other information that alone or in combination with other data is linked to a specific student that would allow a reasonable person, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty, including:

(A) A student's name;

(B) The name of a student's parent or other family member;

(C) The address of a student or student's parent or other family member;

(D) A photograph, video, or audio recording that contains the student's image or voice; and

(E) Indirect identifiers, including a student's social security number, student number, telephone number, credit card account number, insurance account number, financial services account number, customer number, geolocation information, persistent unique identifier, email address, social media address, online username, or other personal electronic identifier.

(15) "Pre-k through 12 purposes" means uses that promote the functions of an educational institution serving grades prekindergarten through 12, or its agents, including uses that promote curricular, extra-curricular, and administrative activities.

(16) "School-based personnel" means an employee or volunteer of an educational institution or an employee of an entity with whom the educational institution contracts, who acts as an agent of the educational institution at the educational institution or activities sponsored by the educational institution.

(17) "Targeted advertising" means promoting for remuneration content, products, or services to a student based on information the operator obtained or inferred over time from a student's online behavior, usage of applications, or personally identifiable student information. The term "targeted advertising" does not include advertising to a student based on the student's real-time use of an operator's services or in response to a student's request for information or feedback; provided, that the operator does not retain data about the student's real-time activity for the purpose of targeting subsequent advertisements.

New § 38-831.02

Sec. 3. Operator obligations.

(a) An operator providing services to an educational institution, LEA, or its agent shall:

(1) Implement and maintain reasonable security policies and procedures appropriate to the nature of the personally identifiable student information, and designed to protect that information from unauthorized access, destruction, use, modification, or disclosure; provided, that such policies and procedures shall include provisions for notifying educational institutions and LEAs in the event of unauthorized access to personally identifiable student information consistent with the requirements of the Consumer Personal Information Security Breach Notification Act of 2006, effective March 8, 2007 (D.C. Law 16-237; D.C. Official Code § 28-3851 et seq.);

(2) Agree that personally identifiable student information provided to an operator by a student or educational institution to facilitate the use of the operator's pre-k through 12 purposes website, service, or application is under the control of the LEA;

(3) Delete personally identifiable student information under the control of an LEA within a reasonable period of time after termination or completion of services, unless otherwise requested by the LEA to preserve such information; and

(4) Comply with all the applicable obligations and restrictions established for operators in this act.

(b)(1) An operator shall not knowingly engage in the following activities:

(A) Sell, rent, or trade any personally identifiable student information, unless:

(i) The transaction is part of a sale, merger, or other type of acquisition of an operator by another entity; or

(ii) The operator obtained verified consent from the student, where the student is 13 years of age or older, or the student's parent, where the student is younger than 13 years of age, to sell, rent, or trade specific personally identifiable student information for the purpose of providing the student with information about employment, educational scholarship, financial aid, or postsecondary educational opportunities;

(B) Conduct targeted advertising on an operator's website, service, or application, or target advertising on any other website, service, or application when the advertising is based on information that the operator has acquired through a student's use of the operator's pre-k through 12 purposes website, service, or application;

(C) Except in furtherance of pre-k through 12 purposes, use data, including personally identifiable student information, created, gathered, or stored on the operator's pre-k through 12 purposes website, service, or application, to develop, in full or in part, a profile of a student or group of students; provided, that developing a profile does not include the collection or retention of account information generated by a student, a student's parent, or an educational institution; and

(D) Disclose personally identifiable student information unless the disclosure is consistent with the requirements of this section, and is:

(i) To further the pre-k through 12 purposes of the operator's website, service, or application, or to improve the operability or functionality of the operator's pre-k through 12 purposes website, service, or application; provided, that the operator:

(I) Prohibits the recipient from using personally identifiable student information for any purpose other than providing the contracted service;

(II) Prohibits the recipient from disclosing personally identifiable student information except in accordance with this subparagraph;

(III) Requires the recipient to implement and maintain reasonable security measures consistent with those in subsection (a)(1) of this section; and

(IV) Requires the recipient to delete the personally identifiable student information upon completion or termination of the recipient's services to the operator;

(ii) Necessary to comply with applicable District or federal laws or regulations;

(iii) In response to legal process, a judicial order, or a warrant;

(iv) Necessary to protect the safety of individuals or the security or integrity of the website, service, or application;

(v) Pursuant to the written request or consent of the LEA; or

(vi) For legitimate research purposes:

(I) As required by District or federal law; or

(II) As allowed by District or federal law under the direction or with the consent of the LEA; provided, that no personally identifiable student information is used for commercial gain or to develop a profile on a student or group of students for purposes other than pre-k through 12 purposes.

(2) A sale, merger, or acquisition of an operator shall not void or nullify any contracts or agreements entered into pursuant to this act or regulations issued to enforce it.

(c) An operator that provides digital storage, management, and retrieval of student records shall comply with subsections (a) and (b) of this section.

(d) Nothing in this section shall be construed to prohibit the operator from:

(1) Internally using personally identifiable student information to maintain, develop, support, improve, or diagnose the operator's pre-k through 12 purposes website, service, or application;

(2) Internally using personally identifiable student information for adaptive learning or customized student learning purposes;

(3) Using, sharing, or selling de-identified student information;

(4) Using its pre-k through 12 purposes website, service, or application to recommend products, content, or services to a student related to educational, learning, or employment opportunities; provided, that the recommendation is not determined, in whole or in part, by remuneration from a third party;

(5) Responding to a student's request for information or feedback; provided, that the response is not determined, in whole or in part, by remuneration from a third party; or

(6) Marketing products directly to parents if the marketing did not result from the use of personally identifiable student information obtained by the operator through the provision of services covered under this section.

(e) Nothing in this section shall be construed to:

(1) Limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by law or pursuant to a judicial order or warrant;

(2) Prohibit a student from downloading, editing, exporting, transferring, saving, or otherwise maintaining the student's own student-created data or documents on an operator's website, service, or application;

(3) Limit Internet service providers from providing Internet connectivity to schools or students and their families;

(4) Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's website, service, or application may be used to access those general audience sites, services, or applications;

(5) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading an operator's software or applications to review or enforce a third-party operator's compliance with this section;

(6) Impose a duty upon a provider of an interactive computer service to review or enforce a third-party operator's compliance with this section;

(7) Impose a duty on an operator to comply with the provisions of this section with respect to sites, services, or applications it operates that are not primarily used for pre-k through 12 purposes; or

(8) Affect the rights or obligations of operators, educational institutions, parents, or students in a manner inconsistent with otherwise applicable federal law.

New § 38-831.03

Sec. 4. 1-to-1 programs.

(a) School-based personnel shall not access the data or functions of a 1-to-1 device provided to a student pursuant to a 1-to-1 program without the student or the student's parent's written consent except in accordance with the provisions of this section.

(b) School-based personnel shall not access, analyze, share, or transfer data on a student's 1-to-1 device, including its browser history, key stroke history, or location history, unless:

(1) The data will be used exclusively for an educational purpose consistent with the school-based personnel's professional duties;

(2) The data will be used exclusively to ensure compliance with District or federal law;

(3) Reasonable suspicion exists that the student has violated or is violating an educational institution policy or law and reasonable suspicion exists that the data on the 1-to-1 device contains evidence of the suspected violation;

(4) Doing so is necessary to update or upgrade the 1-to-1 device's software, or to protect the device from cyber-threats, and access is limited to that purpose;

(5)(A) Doing so is necessary in response to a threat to life or safety and access is limited to that purpose; and

(B) Within 72 hours of accessing, analyzing, sharing, or transferring a 1-to-1 device's data in response to a threat to life or safety, the educational institution that authorized access to the 1-to-1 device shall provide the student to whom the device was provided and the student's parent with a written description of the precise threat that prompted the access and what data was accessed; or

(6) The data is otherwise posted on an electronic medium that is accessible by the general public or by school-based personnel who are granted permission to view the content.

(c) School-based personnel shall not use a student's 1-to-1 device's location tracking technology to track a device's real-time or historical location, unless:

(1) The student to whom the device was provided, or the student's parent, has notified the educational institution or law enforcement that the device is missing or stolen;

(2) The device was not returned to the educational institution at the end of the permitted period of use;

(3) Such use is ordered pursuant to a judicial order or warrant; or

(4)(A) Doing so is necessary in response to a threat to life or safety and access is limited to that purpose; and

(B) Within 72 hours of accessing a 1-to-1 device's location tracking technology, the educational institution that authorized access to the device shall provide the student to whom the device was provided and the student's parent with a written description of the precise threat that prompted the access and what data and features were accessed.

(d) School-based personnel shall not activate or access any audio or video receiving, transmitting, or recording functions on a student's 1-to-1 device remotely, unless:

(1) A student initiates video or audio communication with the school-based personnel or 1-to-1 device provider;

(2) The activation or access is ordered pursuant to a judicial order or warrant; or

(3)(A) Doing so is necessary in response to an imminent threat to life or safety and access is limited to that purpose; and

(B) Within 72 hours of accessing or activating a 1-to-1 device's audio or video receiving, transmitting, or recording function, the educational institution that authorized the access or activation shall provide the student to whom the device was provided and the student's parent with a written description of the precise threat that prompted the access or activation and what data and features were accessed or activated.

(e) When a student permanently returns a 1-to-1 device to an educational institution, the educational institution shall erase all the data stored on the device.

(f) Before issuing a student a 1-to-1 device, an educational institution shall provide the student with written notice that the device can be searched, tracked, or accessed by school-based personnel pursuant to subsections (b), (c), and (d) of this section.

New § 38-831.04

Sec. 5. Privacy of student personal accounts and devices.

(a) An educational institution or school-based personnel shall not take or threaten to take action against a student or prospective student, including discipline, expulsion, unenrollment, refusal to admit, or prohibiting participation in a curricular or extracurricular activity, because the student or prospective student refused to:

(1) Disclose a username, password, or other means of account authentication used to access the student's personal media account or personal technological device;

(2) Access the student's personal media account or personal technological device in the presence of school-based personnel in a manner that enables the school-based personnel to observe data on the account or device;

(3) Add a person to the list of users who may view the student's personal media account or access a student's personal technological device; or

(4) Change the privacy settings associated with the student's personal media account or personal technological device.

(b) If an educational institution or school-based personnel inadvertently receives the username, password, or other means of account authentication for the personal media account or personal technological device of a student or prospective student through otherwise lawful means, the educational institution or school-based personnel shall:

(1) Not use the information to access the personal media account or personal technological device of the student or prospective student;

(2) Not share the information with anyone; and

(3) Delete the information immediately or as soon as is reasonably practicable.

(c) Notwithstanding subsection (a) of this section, school-based personnel may search a student's personal media account or personal technological device or compel a student to produce data accessible from the student's personal media account or personal technological device, in the following circumstances:

(1)(A) The school-based personnel has a reasonable suspicion that the student has used or is using the student's personal media account or personal technological device in furtherance of a violation of an educational institution policy and a reasonable suspicion that the personal media account or personal technological device contains evidence of the suspected violation;

(B) Before searching or compelling production, the school-based personnel:

(i) Documents the reasonable suspicion giving rise to the need for the search or production; and

(ii) Notifies the student and the student's parent of the suspected violation and the data or components to be searched or that the student will be compelled to produce;

(C) The search or compelled production is limited to data accessible from the account or device or components of the device reasonably likely to yield evidence of the suspected violation; and

(D) No person shall be permitted to copy, share, or transfer data obtained pursuant to a search or compelled production under this subsection that is unrelated to the suspected violation that prompted the search; or

(2)(A) Doing so is necessary in response to an imminent threat to life or safety;

(B) The scope of the search or compelled production is limited to that purpose; and

(C) Within 72 hours of compelling production or searching a student's personal media account or personal technological device, the educational institution that authorized access or compelled production shall provide the student and the student's parent with a written description of the precise threat that prompted the search and the data that was accessed.

(d) An educational institution may seize a student's personal technological device to prevent data deletion pending notification required by subsection (c)(1)(B) of this section; provided, that:

(1) The pre-notification seizure period is no greater than 48 hours; and

(2) The personal technological device is stored securely on the educational institution's property and not accessed during the pre-notification seizure period.

(e) Nothing in this section shall prevent an educational institution from:

(1) Accessing information about a student or prospective student that is publicly available;

(2) Requesting a student or prospective student to voluntarily share specific content accessible from a personal media account or personal technological device for the purpose of ensuring compliance with applicable laws or educational institution policies; provided, that the request complies with the prohibitions in subsection (a) of this section;

(3) Prohibiting a student or prospective student from accessing or operating a personal media account or personal technological device during school hours or while on school property;

(4) Monitoring the usage of the educational institution's computer network; or

(5) Revoking a student's access, in whole or in part, to equipment or computer networks owned or operated by the educational institution.

(f) This section shall apply to media accounts that are created or provided by or at the behest of the educational institution if the educational institution fails to provide a student with notice, at the time the account is created or within 60 days of the applicability date of this act, that the account may be monitored at any time by school-based personnel.

New § 38-831.05

Sec. 6. Rules.

Within 180 days of the effective date of this act, the Mayor, pursuant to Title I of the District of Columbia Administrative Procedure Act, approved October 21, 1968 (82 Stat. 1204; D.C. Official Code § 2-501 et seq.), shall issue rules to implement the provisions of this act. The proposed rules shall be submitted to the Council for a 45-day period of review, excluding Saturdays, Sundays, legal holidays, and days of Council recess. If the Council does not approve the proposed rules, in whole or in part, by resolution within the 45-day period, the proposed rules shall be deemed approved.

New § 38-831.06

Sec. 7. Applicability.

Sections 3, 4, and 5 shall apply as of August 1, 2017.

Sec. 8. Fiscal impact statement.

The Council adopts the fiscal impact statement in the committee report as the fiscal impact statement required by section 4a of the General Legislative Procedures Act of 1975, approved October 16, 2006 (120 Stat. 2038; D.C. Official Code § 1-301.47a).

Sec. 9. Effective date.

This act shall take effect following approval by the Mayor (or in the event of veto by the Mayor, action by the Council to override the veto), a 30-day period of congressional review as provided in section 602(c)(1) of the District of Columbia Home Rule Act, approved December 24, 1973 (87 Stat. 813; D.C. Official Code § 1-206.02(c)(1)), and publication in the District of Columbia Register.