LONG TITLE
General Description:
This bill enacts the Student User Privacy in Education Rights Act.
Highlighted Provisions:
This bill:
▸ defines terms; and
▸ requires the State Board of Education to make rules regarding requirements of and prohibitions on the collection and use of student personal information by private website, mobile application, or online service providers.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
ENACTS:
53A-13-401, Utah Code Annotated 1953
53A-13-402, Utah Code Annotated 1953
53A-13-403, Utah Code Annotated 1953

Be it enacted by the Legislature of the state of Utah:
Section 1. Section 53A-13-401 is enacted to read:

53A-13-401. Title.
This part is known as "Student User Privacy in Education Rights Act" or "SUPER Act."
Section 2. Section 53A-13-402 is enacted to read:
53A-13-402. Definitions.
As used in this part:
(1) "Adult student" means a student who is at least 18 years old.
(2) "Authorization agreement" means an agreement between an educational institution and a school service provider to provide a school service.
(3) "Consent" means:
(a) for student personal information collected directly from a student, written consent of:
(i) the student, if the student is an adult student; or
(ii) the parent or guardian of the student, if the student is a minor student; or
(b) for student personal information not collected directly from a student, written consent of an educational institution employee who uses the school service.
(4) "Educational institution" means:
(a) the State Board of Education;
(b) a local school board or charter school governing board;
(c) a school district;
(d) a public school; or
(e) the Utah Schools for the Deaf and the Blind.
(5) "Minor student" means a student who is less than 18 years old.
(6) (a) "School service" means a website, mobile application, or online service that:
(i) is designed and marketed for use in a United States elementary or secondary school by a person that is not an educational institution;
(ii) is used at the direction of teachers or other employees of a public school; and
(iii) collects, maintains, or uses student personal information.
(b) "School service" does not include a website, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if the website, mobile application, or online service is also marketed to United States elementary or secondary schools.
(7) "School service provider" means a person that operates a school service.
(8) "Student" means a Utah public school student.
(9) "Student personal information" means information:
(a) collected through a school service; and
(b) that identifies a certain student or is linked to information that identifies a certain student.
(10) "Successor entity" means a school service provider that operates a school service directly after a previous school service provider operated the school service.
(11) "Third party entity" means a person that assists a school service provider to operate a school service.
(12) "User" means any of the following that use a school service:
(a) an educational institution;
(b) an adult student;
(c) a minor student;
(d) an educational institution employee; or
(e) the parent or guardian of a minor student, if the minor student uses the school service.
Section 3. Section 53A-13-403 is enacted to read:
53A-13-403. Student personal information privacy requirements for school service providers -- Board rulemaking authority.
In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the State Board of Education shall make rules that:
(1) require a school service provider to:
(a) include in an authorization agreement clear and easy-to-understand information about:
(i) the specific type of student personal information the school service provider collects;
(ii) how the school service provider uses and shares student personal information; and
(iii) how long the school service provider will retain the student personal information;
(b) create and adhere to a privacy policy;
(c) provide prominent notice to a user before making material changes to the school service provider's privacy policy;
(d) distribute to users or allow a user to access the authorization agreement information described in Subsection (1)(a) and the privacy policy;
(e) allow a student or a minor student's parent or guardian to access and correct student personal information:
(i) through the school service provider; or
(ii) indirectly through an educational institution or educational institution employee;
(f) maintain a comprehensive information security program:
(i) reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information; and
(ii) that uses appropriate administrative, technological, and physical safeguards of student personal information;
(g) ensure that a third party entity adheres to the requirements and prohibitions described in this section as established by State Board of Education rule; and
(h) before allowing a successor entity to access student personal information collected by the school service provider, ensure that the successor entity will abide by the same privacy and security commitments as the school service provider; and
(2) prohibit a school service provider from:
(a) collecting, using, or sharing student personal information, without consent, for a purpose not authorized in the school service provider's authorization agreement;
(b) collecting, using, or sharing student personal information, without consent, in a way that conflicts with the school service provider's privacy policy at the time the school service provider collects, uses, or shares the student personal information;
(c) selling student personal information;
(d) using or sharing student personal information to behaviorally target an advertisement to a student;
(e) using student personal information to create a personal profile of a student, without consent, if creating the personal profile is not within the scope of the authorization agreement; and
(f) knowingly retaining student personal information, without consent, beyond the time period described in the authorization agreement.
Legislative Review Note
as of 2-27-15 11:53 AM
Office of Legislative Research and General Counsel