An operator shall not knowingly engage in any of the following activities with respect to such operator's internet website, online or cloud computing service, online application, or mobile application:
(1) Engage in targeted advertising on the operator's, or any other, internet website, online or cloud computing service, online application, or mobile application when the targeting of the advertising is based upon any information, including student data and state-assigned student identifiers or other persistent unique identifiers, that the operator has acquired because of the use of an internet website, online or cloud computing service, online application, or mobile application as described in § 8102A(10)a. of this title.
(2) Use information, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by an internet website, online or cloud computing service, online application, or mobile application as described in § 8102A(10)a. of this title, to amass a profile about a student except in furtherance of K-12 school purposes.
(3) Sell student data. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this chapter with respect to previously-acquired student data that is subject to this chapter.
(4) Disclose student data, unless the disclosure is made for any of the following reasons:
a. In furtherance of the K-12 school purposes of the internet website, online or cloud computing service, online application, or mobile application. The recipient of the student data disclosed for this reason shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school, and is legally required to comply with the requirements of § 8104A of this title and paragraphs (1) through (3) of this section.
b. To ensure legal or regulatory compliance.
c. To respond to or participate in judicial process.
d. To protect the security or integrity of the operator's internet website, online or cloud computing service, online application, or mobile application.
e. To protect the safety of users or others or security of the internet website, online or cloud computing service, online application, or mobile application.
f. To a service provider, provided that the operator, by contract, does all of the following:
1. Prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator.
2. Prohibits the service provider from disclosing to subsequent third parties any student data provided by the operator.
3. Requires the service provider to comply with the requirements of paragraphs (1) through (3) of this section and to implement and maintain the security procedures and practices as provided in § 8104A(1) of this title.
(5) Notwithstanding paragraph (4) of this section, an operator may disclose student data under the following circumstances, so long as paragraphs (1) through (3) of this section are not violated:
a. When another provision of state or federal law requires the operator to disclose the student data, and the operator complies with the requirements of applicable state and federal law in protecting and disclosing that information.
b. For legitimate research purposes:
1. As required by state or federal law and subject to the restrictions under applicable state or federal law.
2. As allowed by state or federal law and under the direction of a school district, school, or the Department, if no student data is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes.
c. To a state agency, school district, or school, for K-12 school purposes, as permitted by state or federal law.
(6) Nothing in this section prohibits an operator from using student data for any of the following:
a. Maintaining, delivering, supporting, evaluating, or diagnosing the operator's internet website, online or cloud computing service, online application, or mobile application.
b. Adaptive learning or customized student learning purposes.
(7) Nothing in this section prohibits an operator from using or sharing aggregate student data or de-identified student data for any of the following:
a. The development and improvement of the operator's internet website, online or cloud computing service, online application, or mobile application, or other educational internet websites, online or cloud computing services, online applications, or mobile applications.
b. Within other internet websites, online or cloud computing services, online applications, or mobile applications owned by the operator, and intended for school district, school, or student use, to evaluate and improve educational products or services intended for school district, school, or student use.
c. To demonstrate the effectiveness of the operator's products or services, including their marketing.
Structure Delaware Code
§ 8101A. Short title [For applicability of chapter, see 80 Del. Laws, c. 149, § 2].
§ 8102A. Definitions [For applicability of chapter, see 80 Del. Laws, c. 149, § 2].
§ 8103A. Enforcement [For applicability of chapter, see 80 Del. Laws, c. 149, § 2].
§ 8104A. Operator duties [For applicability of chapter, see 80 Del. Laws, c. 149, § 2].
§ 8106A. Exclusions [For applicability of chapter, see 80 Del. Laws, c. 149, § 2].