Description
The Student Online Personal Protection Act prohibits “operators” from engaging in targeted advertising, sale, rental, and use of protected information, in order to protect the privacy and security of student data.
“Operators” have various duties under the act, namely: (i) implement and maintain reasonable security measures to protect covered information from unauthorized access;
(ii) delete a student’s covered information if the school requests such deletion (unless a student or his or her parent consents to the maintenance of such covered information);
(iii) publicly disclose material information about its collection, use, and disclosure of covered information (e.g., terms of service agreement, privacy policy, or similar document);
(iv) except in the case of nonpublic schools, where the operator seeks to receive any covered information, enter into a written agreement with the school before the covered information is transferred;
(v) in case of a breach, provide expedient notification to the school; and
(vi) except in the case of nonpublic schools, provide to the school a list of third parties to whom the operator is disclosing or has disclosed covered information.
Applicability
This law applies to “operators”, a term defined as:
To the extent that an entity is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes, and was designed and marketed for K through 12 school purposes.