Caride, Singleton & Quijano Bill to Protect Students’ Digital Data Advanced by Assembly Committee

(TRENTON) – Legislation sponsored by Assembly Democrats Marlene Caride (D-Bergen/Passaic), Troy Singleton (D-Burlington) and Annette Quijano (D-Union) to help protect the privacy of students and prevent student digital data from ending up in the hands of private vendors was released Thursday by the Assembly Education Committee.

The bill, referred to as the “Student Online Personal Protection Act”, concerns the personally identifiable information of a public or nonpublic school student that is not publicly available, and is created or gathered by or provided to the operator of an Internet website, online service, online application, or mobile application designed and marketed for K-12 school purposes.

“We tell our young people to use the web responsibly, and yet website and app operators have free reign to do as they wish with sensitive student information,” said Caride (D-Bergen/Passaic), who chairs the committee. “These students did not provide this information directly, and did not consent to having it used for other means. This would help ensure that this information is not shared or sold to other entities by restricting its use to educational purposes only.”

“People are becoming more sensitive to how their personal information is being used by website and app operators, and rightfully so,” said Singleton (D-Burlington). “These entities should not be profiting off personal information that they acquired strictly for educational purposes.”

“It’s not fair that operators can use this information for purposes outside of what the district hired them to do, and students and parents have no control over it,” said Quijano (D-Union). “This would help protect the privacy of students by limiting how these operators can use personal data.”

Under the provisions of the bill (A-1272/3936), the operator would not be allowed to:

  • engage in targeted advertising if it is based on any information that the operator has acquired because of the use of that operator’s site, service, or application for K-12 school purposes;
  • use information created or gathered by the operator’s site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes;
  • sell or rent a student’s information; or
  • disclose certain information regarding a student.

In addition to the list of prohibited practices for an operator, the bill would require an operator to perform the following actions:

  • implement and maintain reasonable security procedures and practices which are designed to protect student information from unauthorized access, destruction, use, modification, or disclosure;
  • delete within a reasonable time period a student’s information if the school district or charter school requests deletion of covered information under the control of the school district or charter school;
  • disclose, in a manner that is clear and easy to understand, the types of information that is collected or generated, the purposes for which the information is used or disclosed to third parties, and the identity of such third parties;
  • implement policies for responding to data breaches involving unauthorized acquisition of or access to personally identifiable information; and
  • delete information in a reasonable timeframe after it ceases to provide services to a school district, school, or student.