Current through L. 2024, ch. 259
Section 15-1046 - Student data privacy; definitionsA. An operator may not knowingly do any of the following:1. Engage in targeted advertising on the operator's site, service or application or on any other site, service or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service or application for school purposes.2. Use information, including persistent unique identifiers, created or gathered by the operator's site, service or application to amass a profile about a student except in furtherance of school purposes. This paragraph does not apply to the collection and retention of account information that remains under the control of the student, the student's parent or guardian or the public school.3. Sell or rent a student's information, including covered information. This paragraph does not apply to the purchase, merger or other type of acquisition of an operator by another entity if the operator or successor entity complies with this section regarding previously acquired student information, or to national assessment providers if the provider secures the express written consent of the student's parent or guardian or the student that is given in response to a clear and conspicuous notice, solely to provide access to employment, educational scholarships or financial aid or postsecondary educational opportunities.4. Except as otherwise provided in paragraph 3 of this subsection, disclose or use covered information unless the disclosure or use is made for any of the following purposes: (a) In furtherance of the school purpose of the site, service or application if the recipient of the disclosed covered information does not further disclose the information except to allow or improve operability and functionality of the operator's site, service or application.(b) To ensure legal and regulatory compliance or protect against liability.(c) To respond to or participate in the judicial process.(d) To protect the safety or integrity of users of the site, service or application or others or the security of the site, service or application.(e) For a school, educational or employment purpose requested by the student or the student's parent or guardian if the information is not used or further disclosed for any other purpose.(f) To a third party if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices.B. This section does not prohibit the operator's use of information for maintaining, developing, supporting, improving or diagnosing the operator's site, service or application. An operator may use student data, including covered information, for adaptive or customized student learning. This subsection does not allow an operator to disclose or use student data, including covered information, in violation of subsection A of this section.C. An operator shall do all of the following:1. Implement and maintain reasonable security procedures and practices that are appropriate to the nature of the covered information and that are designed to protect that covered information from unauthorized access, destruction, use, modification or disclosure.2. Delete, within a reasonable time period, a student's covered information if the public school requests deletion of covered information under the control of the public school, unless the student or the student's parent or guardian consents to the maintenance of the covered information.3. Provide prominent notice before making material changes to its privacy policies.D. An operator may use or disclose covered information of a student under the following circumstances: 1. Federal or state law requires the operator to disclose the information and the operator complies with the requirements of federal and state law in protecting and disclosing that information.2. The covered information is not used for advertising or to amass a profile on the student for purposes other than school purposes, for legitimate research purposes as required by state or federal law and subject to the restrictions under applicable state and federal law, or as allowed by state or federal law and in furtherance of school purposes.3. To a state or local educational agency for school purposes as permitted by state or federal law.E. This section does not prohibit an operator from doing any of the following: 1. Using covered information to improve educational products if that information is not associated with an identified student within the operator's site, service or application or other sites, services or applications owned by the operator.2. Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in the operator's marketing.3. Sharing covered information that is not associated with an identified student for the development and improvement of educational sites, services or applications.4. Using recommendation engines to recommend to a student either of the following: (a) Additional content relating to an educational, other learning or employment opportunity purpose within an online site, service or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.(b) Additional services relating to an educational, other learning or employment opportunity purpose within an online site, service or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.5. Responding to a student's request for information or feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.F. This section does not:1. Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.2. Apply to general audience internet websites, general audience online services, general audience online applications or general audience mobile applications, even if login credentials created for an operator's site, service or application may be used to access those general audience sites, services or applications.3. Limit service providers from providing Internet connectivity to schools, students and families.4. Prohibit an operator of an internet website, online service, online application or mobile application from marketing educational products directly to parents if the marketing does not result from the use of covered information obtained by the operator by providing services covered under this section.5. Impose a duty on a provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software.6. Impose a duty on a provider of an interactive computer service to review or enforce compliance with this section by third-party content providers.7. Prohibit students from downloading, exporting, transferring, saving or maintaining student data or documents.G. In addition to any enforcement or regulatory action authorized by state or federal law, a violation of this section constitutes an unlawful practice under section 44-1522, and the attorney general may investigate and take appropriate action under title 44, chapter 10, article 7.H. A local education agency shall adopt policies regarding the use of technology and the internet while at school. The policy shall include notifying a parent of the adopted policies and the parent's ability to prohibit the student from the use of technology and the internet while at school in which covered information may be shared with an operator. This subsection does not apply to software or technology that is used for the daily operations or administration of a local education agency or Arizona online instruction programs authorized pursuant to section 15-808.I. For the purposes of this section: 1. "Covered information" means personally identifiable information or material or information that is linked to personally identifiable information or material, in any medium or format that is not publicly available and that is any of the following: (a) Created by or provided to an operator by a student or the student's parent or legal guardian in the course of the student's, parent's or legal guardian's use of the operator's site, service or application for school purposes.(b) Created by or provided to an operator by an employee or agent of a public school for school purposes.(c) Gathered by an operator through the operation of the operator's site, service or application for school purposes and that personally identifies a student, including information in the student's educational record or e-mail or information relating to the student's first and last name, home address, telephone number, e-mail address or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings or geographic information.2. "Interactive computer service" has the same meaning prescribed in 47 United States Code section 230.3. "Operator" means, to the extent that it is being operated in this capacity, the operator of an internet website, online service, online application or mobile application with actual knowledge that the site, service or application is used primarily for school purposes and was designed and marketed for school purposes.4. "School purposes" means purposes that are directed by or customarily take place at the direction of a public school or teacher or that aid in the administration of school activities, including instruction in the classroom, instruction at home, administrative activities and collaboration between students, school personnel or parents, or that are otherwise for the use and benefit of the school.5. "Service provider" means a person or entity that provides a service that enables users to access content, information, e-mail or other services offered over the internet or a computer network.6. "Targeted advertising" means advertisements that are presented to a student and that are selected based on information obtained or inferred over time from that student's online behavior, usage of applications or covered information. Targeted advertising does not include advertising to a student at an online location based on that student's current visit to that location or in response to that student's request for information or feedback if there is no retention of that student's online activities or requests over time for the purpose of targeting subsequent advertisements.Added by L. 2017, ch. 180,s. 1, eff. 8/9/2017.