ORS § 336.184

Current through 2024 Regular Session legislation effective June 6, 2024
Section 336.184 - Oregon Student Information Protection Act; definitions; prohibitions; exemptions
(1) This section shall be known and may be cited as the Oregon Student Information Protection Act.
(2) As used in this section:
(a) "Covered information" means personally identifiable information or materials that regard a student in this state and that are in any media or format that meet any of the following:
(A) Are created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's or legal guardian's use of the operator's site, service or application for kindergarten through grade 12 purposes;
(B) Are created for an operator or provided to an operator by an employee or agent of the kindergarten through grade 12 school, school district or education service district for kindergarten through grade 12 purposes; or
(C) Are gathered by an operator and personally identify a student, or are linked to information that personally identifies a student, including, but not limited to:
(i) Information in the student's educational record or electronic mail;
(ii) The student's first and last name, home address, telephone number, electronic mail address or other information that allows physical or online contact; or
(iii) The student's discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photographs, voice recordings or geolocation information.
(b) "Kindergarten through grade 12 school purposes" means purposes that:
(A) Are directed by, or that customarily take place at the direction of, a kindergarten through grade 12 school, teacher, school district or education service district;
(B) Aid in the administration of school activities, including instruction in the classroom or at home, administrative activities and collaboration between students, school personnel or parents; or
(C) Are primarily for the use and benefit of the school.
(c) "Operator" means the operator of an Internet website, online service, online application or mobile application with actual knowledge that the site, service or application:
(A) Is used primarily for kindergarten through grade 12 school purposes; and
(B) Was designed and marketed for kindergarten through grade 12 school purposes, to the extent that the site, service or application is operating in that capacity.
(d) "Student" means a student in any grade from kindergarten through grade 12.
(e)
(A) "Targeted advertising" means advertising presented to a student based on information obtained or inferred from the student's online behavior, usage of applications or covered information.
(B) "Targeted advertising" does not include advertising presented to a student:
(i) At an online location based upon the student's current visit to that location; or
(ii) As a single search query, as long as the student's online activities are not collected or retained over time.
(3)
(a) An operator may not knowingly engage in any of the following activities with respect to the operator's site, service or application:
(A) Engage in targeted advertising on the operator's site, service or application.
(B) Target advertising on any other site, service or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service or application for kindergarten through grade 12 school purposes.
(C) Use information, including persistent unique identifiers, created or gathered by the operator's site, service or application, to amass a profile about a student, except in furtherance of kindergarten through grade 12 school purposes.
(D) Sell a student's information, including covered information. The prohibition of this subparagraph does not apply to the purchase, merger or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information that is subject to this section.
(E) Disclose covered information, unless the disclosure is made:
(i) In furtherance of the kindergarten through grade 12 school purposes of the site, service or application, provided the recipient of the covered information:
(I) Does not further disclose covered information, unless the disclosure is to allow or improve the operability and functionality within the student's classroom or school; and
(II) Is legally required to comply with the requirements of subsection (4) of this section and to not use that covered information in violation of this section;
(ii) To ensure legal and regulatory compliance;
(iii) To respond to or participate in the judicial process;
(iv) To protect the safety of users or others or the security or integrity of the site; or
(v) To a service provider, provided the operator contractually:
(I) Prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;
(II) Prohibits the service provider from disclosing any covered information provided by the operator to subsequent third parties, except in furtherance of kindergarten through grade 12 school purposes of the site, service or application or for a purpose permitted by subsection (3)(a), (6) or (7) of this section; and
(III) Requires the service provider to implement and maintain reasonable security procedures and practices as provided by subsection (4) of this section.
(b) Nothing in this subsection shall be construed to prohibit the operator's use of information for maintaining, developing, supporting, improving or diagnosing the operator's site, service or application.
(4) An operator shall:
(a) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and appropriate to protect the covered information from unauthorized access, destruction, use, modification or disclosure; and
(b) Delete a student's covered information within a reasonable time if the school or school district requests deletion of data that is under the control of the school or school district.
(5) Notwithstanding subsections (3)(a)(E) and (6) of this section, an operator may disclose covered information of a student if the disclosure:
(a) Does not violate subsection (3)(a)(A) to (D) of this section;
(b) Is required by federal or state law and the operator complies with the requirements of federal and state law in protecting and disclosing the information;
(c) Is for legitimate research purposes that are:
(A) Required by federal or state law and subject to the restrictions under applicable federal and state law; or
(B) Allowed by federal or state law and made under the direction of a school, school district, education service district or the Department of Education, if the covered information is not used for any purpose in furtherance of advertising or amassing a profile on the student for purposes other than kindergarten through grade 12 school purposes; or
(d) Is made to a state or local educational agency, including schools and school districts, for kindergarten through grade 12 school purposes as permitted by federal or state law.
(6) Nothing in this section prohibits an operator from:
(a) Disclosing deidentified student covered information if the disclosure is:
(A) Within the operator's site, service or application or other sites, services or applications owned by the operator to develop or improve educational products or services; or
(B) Made to demonstrate the effectiveness of the operator's products or services, including marketing for the operator's products or services;
(b) Sharing aggregated deidentified student covered information for the development and improvement of educational sites, services or applications;
(c) Using student data, including covered information, for adaptive learning or customized student learning purposes; or
(d) Responding to a student-initiated request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.
(7) Nothing in this section shall be construed to limit the authority of:
(a) A law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;
(b) An Internet service provider from providing Internet connectivity to schools or students and their families;
(c) An operator of an Internet website, online service, online application or mobile application from marketing educational products directly to parents or legal guardians, as long as the marketing does not result from the use of covered information obtained by the operator through the provision of services covered under this section; or
(d) Students, or the students' parents or legal guardians, to download, transfer, export or otherwise save or maintain their own student data or documents.
(8) Nothing in this section shall be construed to impose a duty upon:
(a) A provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications to review or enforce compliance with this section by those applications or software; or
(b) A provider of an interactive computer service to review or enforce compliance with this section by third-party content providers. As used in this paragraph, "interactive computer service" means any information service, system or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such services or systems operated or offered by libraries or educational institutions.
(9) This section does not apply to general audience Internet websites, general audience online services, general audience online applications or general audience mobile applications, even if login credentials created for an operator's site, service or application may be used to access those general audience sites, services or applications.
(10) Violation of this section is an unlawful practice under ORS 646.607.

ORS 336.184

2015 c. 528, § 2

336.184 was added to and made a part of 646.605 to 646.652 by legislative action. See Preface to Oregon Revised Statutes for further explanation.