Chapter 28A.604 RCW

STUDENT USER PRIVACY IN EDUCATION RIGHTS

Sections

28A.604.010Definitions.
28A.604.020Student personal informationInformation about collection and useChanges to privacy policiesAccess to and correction of informationApplication to education data center.
28A.604.030Collection, sharing, and use of student personal informationAuthorized purposes and usesConsent.
28A.604.040Comprehensive information security programDeletion of student personal information.
28A.604.050Allowable uses of student personal informationAdaptive learning and customized education.
28A.604.060Consent.
28A.604.900Short title2015 c 277.
28A.604.901ConstructionLimitations.
28A.604.902Transitional provisions.
28A.604.903Effective date2015 c 277.


Definitions.

The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "School service" means a web site, mobile application, or online service that: (a) Is designed and marketed primarily for use in a K-12 school; (b) is used at the direction of teachers or other employees of a K-12 school; and (c) collects, maintains, or uses student personal information. A "school service" does not include a web site, mobile application, or online service that is designed and marketed for use by individuals or entities generally, even if also marketed to a United States K-12 school.
(2) "School service provider" means an entity that operates a school service to the extent it is operating in that capacity.
(3) "Student personal information" means information collected through a school service that personally identifies an individual student or other information collected and maintained about an individual student that is linked to information that identifies an individual student.
(4) "Students" means students of K-12 schools in Washington state.
(5) "Targeted advertising" means sending advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or student personal information. It does not include (a) advertising to a student at an online location based upon that student's current visit to that location without the collection and retention of a student's online activities over time or (b) adaptive learning, personalized learning, or customized education.



Student personal informationInformation about collection and useChanges to privacy policiesAccess to and correction of informationApplication to education data center.

(1) School service providers shall provide clear and easy to understand information about the types of student personal information they collect and about how they use and share the student personal information.
(2) School service providers shall provide prominent notice before making material changes to their privacy policies for school services.
(3) School service providers shall facilitate access to and correction of student personal information by students or their parent or guardian either directly or through the relevant educational institution or teacher.
(4) Where the school service is offered to an educational institution or teacher, information required by subsections (1) and (2) of this section may be provided to the educational institution or teacher.
(5) The provisions of this section do not apply to the education data center established under RCW 43.41.400, but do apply to any subcontractors of the education data center.



Collection, sharing, and use of student personal informationAuthorized purposes and usesConsent.

(1) School service providers may collect, use, and share student personal information only for purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
(2) School service providers may not sell student personal information. This prohibition does not apply to the purchase, merger, or other type of acquisition of a school service provider, or any assets of a school service provider by another entity, as long as the successor entity continues to be subject to the provisions of this section with respect to previously acquired student personal information to the extent that the school service provider was regulated by this chapter with regard to its acquisition of student personal information.
(3) School service providers may not use or share any student personal information for purposes of targeted advertising to students. 
(4) School service providers may not use student personal information to create a personal profile of a student other than for supporting purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student's parent or guardian.
(5) School service providers must obtain consent before using student personal information in a manner that is materially inconsistent with the school service provider's privacy policy or school contract for the applicable school service in effect at the time of collection.
(6) The provisions of subsections (1), (2), (4), and (5) of this section may not apply to the use or disclosure of personal information by a school service provider to:
(a) Protect the security or integrity of its web site, mobile application, or online service;
(b) Ensure legal or regulatory compliance or to take precautions against liability;
(c) Respond to or participate in judicial process;
(d) Protect the safety of users or others on the web site, mobile application, or online service;
(e) Investigate a matter related to public safety; or
(f) A subcontractor, if the school service provider: (i) Contractually prohibits the subcontractor from using any student personal information for any purpose other than providing the contracted service to, or on behalf of, the school service provider; (ii) prohibits the subcontractor from disclosing any student personal information provided by the school service provider to subsequent third parties unless the disclosure is expressly permitted by (a) through (e) of this subsection or by RCW 28A.604.050 and 28A.604.060; and (iii) requires the subcontractor to comply with the requirements of this chapter.



Comprehensive information security programDeletion of student personal information.

(1) School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. The information security program should make use of appropriate administrative, technological, and physical safeguards.
(2) School service providers must delete student personal information within a reasonable period of time if the relevant educational institution requests deletion of the data under the control of the educational institution unless:
(a) The school service provider has obtained student consent or the consent of the student's parent or guardian to retain information related to that student; or
(b) The student has transferred to another educational institution and that educational institution has requested that the school service provider retain information related to that student.



Allowable uses of student personal informationAdaptive learning and customized education.

Notwithstanding RCW 28A.604.010 through 28A.604.060, nothing in this chapter is intended to prohibit the use of student personal information for purposes of:
(1) Adaptive learning or personalized or customized education;
(2) Maintaining, developing, supporting, improving, or diagnosing the school service provider's web site, mobile application, online service, or application;
(3) Providing recommendations for school, educational, or employment purposes within a school service without the response being determined in whole or in part by payment or other consideration from a third party; or
(4) Responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.



Consent.

This chapter adopts and does not modify existing law regarding consent, including consent from minors and employees on behalf of educational institutions.



Short title2015 c 277.

This act may be known and cited as the student user privacy in education rights act or SUPER act.



ConstructionLimitations.

This chapter shall not be construed to:
(1) Impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. Sec. 230, to review or enforce compliance with this section by third-party content providers;
(2) Apply to general audience internet web sites, general audience mobile applications, or general audience online services even if login credentials created for a school service provider's web site, mobile application, or online service may be used to access those general audience web sites, mobile applications, or online services;
(3) Impede the ability of students to download, export, or otherwise save or maintain their own student data or documents;
(4) Limit internet service providers from providing internet connectivity to schools or students and their families;
(5) Prohibit a school service provider from marketing educational products directly to parents so long as the marketing did not result from use of student personal information obtained by the school service provider through the provision of its web site, mobile application, or online service; or
(6) Impose a duty on a school service provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this chapter on those applications or software.



Transitional provisions.

If a school service provider entered into a signed, written contract with an educational institution or teacher before July 1, 2016, the school service provider is not liable for the requirements of RCW 28A.604.010 through 28A.604.050 with respect to that contract until the next renewal date of the contract.



Effective date2015 c 277.

This act takes effect July 1, 2016.