Missouri State Senate

Introduced

SB 546 - This act creates the "Student User Privacy in Education Rights Act."

This act defines a school service provider as an entity that operates a website, mobile application, or online service that is designed and marketed for use in United States elementary or secondary educational institutions, is used at the direction of teachers or other employees, and collects, maintains, or uses student personal information.

This act requires school service providers to provide clear information about the types of student personal information they collect and about how they use and share such student personal information. School service providers must provide prominent notice before making material changes to their privacy policies for school services. School service providers must facilitate access to and correction of student personal information by students or their parent or guardian.

School service providers may collect, use, and share student personal information only for purposes authorized by the educational institution or teacher, or with the consent of the student or parent or guardian.

School service providers are prohibited from selling student personal information, from using or sharing it for purposes of behaviorally targeting advertisements to students, and from using it to create a personal profile of a student other than for supporting purposes, as described in the act.

School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. School service providers are prohibited from knowingly retaining student personal information beyond the time period authorized by the relevant educational institution or teacher, unless the school service provider has obtained student consent or the consent of the student's parent or guardian. Before permitting a successor entity to access student personal information, a school service provider must ensure that the successor entity will abide by all privacy and security commitments related to previously collected student personal information.

MICHAEL RUFF

HyperLink