(a) An operator providing services to an educational institution, LEA, or its agent shall:
(1) Implement and maintain reasonable security policies and procedures appropriate to the nature of the personally identifiable student information, and designed to protect that information from unauthorized access, destruction, use, modification, or disclosure; provided, that such policies and procedures shall include provisions for notifying educational institutions and LEAs in the event of unauthorized access to personally identifiable student information consistent with the requirements of subchapter II of Chapter 38 of Title 28;
(2) Agree that personally identifiable student information provided to an operator by a student or educational institution to facilitate the use of the operator's pre-k through 12 purposes website, service, or application is under the control of the LEA;
(3) Delete personally identifiable student information under the control of an LEA within a reasonable period of time after termination or completion of services, unless otherwise requested by the LEA to preserve such information; and
(4) Comply with all the applicable obligations and restrictions established for operators in this subchapter.
(b)(1) An operator shall not knowingly engage in the following activities:
(A) Sell, rent, or trade any personally identifiable student information, unless:
(i) The transaction is part of a sale, merger, or other type of acquisition of an operator by another entity; or
(ii) The operator obtained verified consent from the student, where the student is 13 years of age or older, or the student's parent, where the student is younger than 13 years of age, to sell, rent, or trade specific personally identifiable student information for the purpose of providing the student with information about employment, educational scholarship, financial aid, or postsecondary educational opportunities;
(B) Conduct targeted advertising on an operator's website, service, or application, or target advertising on any other website, service, or application when the advertising is based on information that the operator has acquired through a student's use of the operator's pre-k through 12 purposes website, service, or application;
(C) Except in furtherance of pre-k through 12 purposes, use data, including personally identifiable student information, created, gathered, or stored on the operator's pre-k through 12 purposes website, service, or application, to develop, in full or in part, a profile of a student or group of students; provided, that developing a profile does not include the collection or retention of account information generated by a student, a student's parent, or an educational institution; and
(D) Disclose personally identifiable student information unless the disclosure is consistent with the requirements of this section, and is:
(i) To further the pre-k through 12 purposes of the operator's website, service, or application, or to improve the operability or functionality of the operator's pre-k through 12 purposes website, service, or application; provided, that the operator:
(I) Prohibits the recipient from using personally identifiable student information for any purpose other than providing the contracted service;
(II) Prohibits the recipient from disclosing personally identifiable student information except in accordance with this subparagraph;
(III) Requires the recipient to implement and maintain reasonable security measures consistent with those in subsection (a)(1) of this section; and
(IV) Requires the recipient to delete the personally identifiable student information upon completion or termination of the recipient's services to the operator;
(ii) Necessary to comply with applicable District or federal laws or regulations;
(iii) In response to legal process, a judicial order, or a warrant;
(iv) Necessary to protect the safety of individuals or the security or integrity of the website, service, or application;
(v) Pursuant to the written request or consent of the LEA; or
(vi) For legitimate research purposes:
(I) As required by District or federal law; or
(II) As allowed by District or federal law under the direction or with the consent of the LEA; provided, that no personally identifiable student information is used for commercial gain or to develop a profile on a student or group of students for purposes other than pre-k through 12 purposes.
(2) A sale, merger, or acquisition of an operator shall not void or nullify any contracts or agreements entered into pursuant to this subchapter or regulations issued to enforce it.
(c) An operator that provides digital storage, management, and retrieval of student records shall comply with subsections (a) and (b) of this section.
(d) Nothing in this section shall be construed to prohibit the operator from:
(1) Internally using personally identifiable student information to maintain, develop, support, improve, or diagnose the operator's pre-k through 12 purposes website, service, or application;
(2) Internally using personally identifiable student information for adaptive learning or customized student learning purposes;
(3) Using, sharing, or selling de-identified student information;
(4) Using its pre-k through 12 purposes website, service, or application to recommend products, content, or services to a student related to educational, learning, or employment opportunities; provided, that the recommendation is not determined, in whole or in part, by remuneration from a third party;
(5) Responding to a student's request for information or feedback; provided, that the response is not determined, in whole or in part, by remuneration from a third party; or
(6) Marketing products directly to parents if the marketing did not result from the use of personally identifiable student information obtained by the operator through the provision of services covered under this section.
(e) Nothing in this section shall be construed to:
(1) Limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by law or pursuant to a judicial order or warrant;
(2) Prohibit a student from downloading, editing, exporting, transferring, saving, or otherwise maintaining the student's own student-created data or documents on an operator's website, service, or application;
(3) Limit Internet service providers from providing Internet connectivity to schools or students and their families;
(4) Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's website, service, or application may be used to access those general audience sites, services, or applications;
(5) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading an operator's software or applications to review or enforce a third-party operator's compliance with this section;
(6) Impose a duty upon a provider of an interactive computer service to review or enforce a third-party operator's compliance with this section;
(7) Impose a duty on an operator to comply with the provisions of this section with respect to sites, services, or applications it operates that are not primarily used for pre-k through 12 purposes; or
(8) Affect the rights or obligations of operators, educational institutions, parents, or students in a manner inconsistent with otherwise applicable federal law.
(Feb. 18, 2017, D.C. Law 21-218, § 3, 63 DCR 16013.)