Md. Code, Educ. § 4-131

Current with changes from the 2024 Legislative Session
Section 4-131 - Student data privacy
(a)
(1) In this section the following words have the meanings indicated.
(2)
(i) "Covered information" means information or material that, alone or in combination with other information or material, is linked or could be linked to a student in a manner that would allow an employee or a student of the student's school to identify the student with reasonable certainty.
(ii) "Covered information" includes a student's:
1. Educational records as defined in § 7-1303 of this article;
2. First and last name;
3. Home address and geolocation information;
4. Telephone number;
5. Electronic mail address or other information that allows physical or online contact;
6. Test results, grades, and student evaluations;
7. Special education information;
8. Criminal records;
9. Medical records and health records;
10. Social Security number;
11. Biometric information;
12. Socioeconomic information;
13. Food purchases;
14. Political and religious affiliations;
15. Text messages;
16. Student identifiers;
17. Search activity;
18. Photos;
19. Voice recordings;
20. Disciplinary information;
21. Online behavior or usage of applications when linked or linkable to a specific student;
22. Persistent unique identifiers; and
23. Confidential information as defined by the Department of Information Technology.
(3)
(i) "Operator" means an individual or an entity who engages with institutions under the school official exception of the federal Family Educational Rights and Privacy Act and is operating in accordance with a contract or an agreement with a public school or local school system in the State to provide an Internet website, an online service, an online application, or a mobile application that:
1. Processes covered information; and
2.
A. Is used for a PreK-12 school purpose; or
B. Is issued at the direction of a public school, a teacher, or any other employee of a public school, local school system, or the Department.
(ii) "Operator" includes a division of a parent entity if the division:
1. Serves education clients; and
2. Does not share covered information with the parent entity.
(4)
(i) "Persistent unique identifier" means an identifier that can be used to identify, recognize, track, single out, or make references about a student enrolled in prekindergarten through grade 12, the parent or guardian of the student, and any other student of whom the parent or guardian has custody.
(ii) "Persistent unique identifier" includes:
1. Cookie identifiers;
2. Customer numbers;
3. Device identifiers;
4. Hashed e-mail addresses;
5. Hashed phone numbers;
6. Identifiers generated through probabilistic methods;
7. Mobile ad identifiers;
8. Unique pseudonyms; and
9. User aliases.
(5)
(i) "PreK-12 school purpose" means an activity that:
1. Takes place at the direction of a public school, a teacher, an administrator, or a local school system; or
2. Aids in the administration of public school activities.
(ii) "PreK-12 school purpose" includes:
1. Instruction in the classroom;
2. Home instruction;
3. Administrative activities;
4. Collaboration among students, public school employees, and parents;
5. Maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application; and
6. An activity that is for the use and benefit of the public school.
(6)
(i) "Targeted advertising" means presenting advertisements to an individual student that are selected based on information obtained or inferred from the student's covered information.
(ii) "Targeted advertising" does not include advertisements presented to an individual student at an online location:
1. Based on the student's current visit to the online location if there is no collection or retention of the student's covered information over time; or
2. In response to a single search query if there is no collection or retention of the student's covered information over time.
(b) This section does not apply to a general audience Internet website, general audience online service, general audience online application, or general audience mobile application, even if log-in credentials created for an operator's site, service, or application may be used to access the general audience site, service, or application.
(c) An operator shall:
(1) Protect covered information from unauthorized access, destruction, use, modification, or disclosure;
(2) Implement and maintain reasonable security procedures and practices to protect covered information; and
(3) If covered information is under the authority of a public school or local school system in accordance with a contract or an agreement, delete within a reasonable time the covered information if the public school or local school system requests deletion of the covered information.
(d)
(1) An operator may not knowingly engage in any of the following activities with respect to the operator's site, service, or application:
(i) Engage in targeted advertising if the advertising is based on information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of the operator's site, service, or application;
(ii) Except in furtherance of a PreK-12 school purpose, use information, including covered information and persistent unique identifiers, created or gathered by the operator's site, service, or application, to make a profile about a student;
(iii) Subject to paragraph (2) of this subsection and except as provided in subsection (f) of this section, sell a student's information; or
(iv) Except as provided in subsection (e) of this section, disclose covered information.
(2) Nothing in this subsection shall be construed to prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.
(3) For purposes of paragraph (1)(ii) of this subsection, making a profile of a student does not include the collection and retention of account information that remains under the authority of a student, a student's parent or guardian, a public school, or a local school system.
(e) Notwithstanding subsection (d)(1)(iv) of this section, an operator may disclose a student's covered information:
(1) If the disclosure is made only in furtherance of the PreK-12 school purpose of the site, service, or application and the recipient of the covered information:
(i) Does not further disclose the information; and
(ii) Is legally required to comply with subsections (c) and (d)(1) of this section;
(2) To ensure legal or regulatory compliance;
(3) To take precautions against liability;
(4) To respond to or participate in judicial process;
(5) To protect the safety of users or others or the security or integrity of the site, service, or application;
(6) To a service provider, provided the operator contractually:
(i) Prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;
(ii) Except for a purpose expressly permitted under this subsection, prohibits the service provider from disclosing covered information provided by the operator with a third party; and
(iii) Requires the service provider to comply with the requirements of subsections (c) and (d)(1)(i) through (iii) of this section;
(7) If subsection (d)(1)(i) through (iii) of this section is not violated;
(8) If federal or State law requires the operator to disclose the information, and the operator complies with the requirements of federal and State law in protecting and disclosing the information;
(9) For a legitimate research purpose as:
(i) Required by federal or State law; or
(ii) Allowed by federal or State law and under the direction of a public school, local school system, or the Department, if a student's covered information is not used for advertising or to make a profile on the student for a purpose other than a PreK-12 school purpose; or
(10) To a State or local education agency, including public schools and local school systems, for a PreK-12 school purpose, as permitted by federal and State law.
(f) If an operator of a site, a service, or an application used for a PreK-12 school purpose is merged with or acquired by another entity, the successor entity is subject to this section for previously collected covered information.
(g) Nothing in this section prohibits an operator from:
(1) Using aggregated or de-identified covered information:
(i) To develop or improve an educational product or service within any site, service, or application the operator owns; or
(ii) To demonstrate the effectiveness of the operator's products or services; or
(2) Sharing aggregated or de-identified covered information for the development or improvement of educational sites, services, or applications.
(h)
(1) Except for subsection (d)(1)(iii) of this section and subject to paragraph (2) of this subsection, nothing in subsections (d) and (e) of this section may be construed to prohibit the use or disclosure of a student's covered information by an operator.
(2) An operator may use or disclose covered information under paragraph (1) of this subsection if the operator:
(i) Provided clear and conspicuous notice of the use or disclosure of the student's covered information to the student or the student's parent or guardian; and
(ii) Obtained the affirmative consent of the student, if the student is at least 18 years old, or the student's parent or guardian to use or disclose the student's covered information.
(i) This section may not be construed to limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by federal or State law or in accordance with an order of a court of competent jurisdiction.
(j) This section does not limit the ability of an operator to:
(1) Use a student's covered information for adaptive learning or customized student learning purposes;
(2) Use recommendation engines to recommend to a student additional content or services relating to an educational, other learning, or employment opportunity purpose within an operator's site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party;
(3) Respond to a student's search query, other request for information, or request for feedback if the information or response is not determined in whole or in part by payment or other consideration from a third party; or
(4) Use or retain covered information to:
(i) Ensure legal or regulatory compliance; or
(ii) Take precautions against liability.
(k) This section may not be construed to prohibit an operator of an Internet website, an online service, an online application, or a mobile application from marketing educational products directly to parents if the marketing was not a result of the use of covered information obtained by the operator through the provision of services covered under this section.
(l) This section may not be construed to impose a duty on a provider of an electronic store, a gateway, a marketplace, or any other means of purchasing or downloading software or applications to review or enforce compliance of this section.
(m) This section may not be construed to impose a duty on a provider of an interactive computer service, as defined in Chapter 5, Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers.
(n) This section may not be construed to impede the ability of students to download, export, transfer, or otherwise save or maintain their own data or documents.
(o) The provisions of this section may not be construed to prohibit an Internet service provider from providing Internet connectivity to public schools, students, or students' families.

Amended by 2022 Md. Laws, Ch. 164, Sec. 1, eff. 6/1/2022.
Amended by 2022 Md. Laws, Ch. 163, Sec. 1, eff. 6/1/2022.
Added by 2015 Md. Laws, Ch. 413, Sec. 1, eff. 7/1/2015.