(a) An operator shall not knowingly engage in any of the following activities with respect to such operator’s site, service, or application without explicit written consent from the student’s parent or guardian, or an eligible student:
(1) Use student data to engage in behaviorally targeted advertising on the operator’s site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any student data and state-assigned student identifiers or other persistent unique identifiers that the operator has acquired because of the use of such operator’s site, service, or application;
(2) Use information, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. For purposes of this paragraph, “amass a profile” does not include collection and retention of account records or information that remains under the control of the student, parent, or local board of education;
(3) Sell a student’s data. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this Code section with respect to previously acquired student data that is subject to this article; or
(4) Disclose student personally identifiable data without explicit written or electronic consent from a student over the age of 13 or a student’s parent or guardian, given in response to clear and conspicuous notice of the activity, unless the disclosure is made:
(A) In furtherance of the K-12 school purposes of the site, service, or application; provided, however, that the recipient of the student data disclosed (i) shall not further disclose the student data unless done to allow or improve the operability and functionality within that student’s classroom or school, and (ii) is legally required to comply with the requirements of this article and not use the student information in violation of this article;
(B) To ensure legal or regulatory compliance or protect against liability;
(C) To respond to or participate in judicial process;
(D) To protect the security or integrity of the entity’s website, service, or application;
(E) To protect the safety of users or others or security of the site;
(F) To a service provider, provided that the operator contractually (i) prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) requires such service provider to impose the same restrictions as in this paragraph on its own service providers, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection (b) of this Code section; or
(G) For an educational, public health, or employment purpose requested by the student’s parent or guardian, provided that the information is not used or further disclosed for any purpose.

(b) An operator shall:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the student data to protect that information from unauthorized access, destruction, use, modification, or disclosure; and
(2) Delete a student’s data within a reasonable timeframe not to exceed 45 days if the school or local board of education requests deletion of data under the control of the school or local board of education.

(c) Notwithstanding paragraph (4) of subsection (a) of this Code section, an operator may disclose student data, so long as paragraphs (1) through (3) of subsection (a) of this Code section are not violated, under the following circumstances:
(1) If another provision of federal or state law requires the operator to disclose the student data, and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information;
(2) For legitimate research purposes:
(A) As required by state or federal law and subject to the restrictions under applicable state and federal law; or
(B) As allowed by state or federal law and under the direction of a school, a local board of education, or the department, subject to compliance with subsection (a) of this Code section; or
(3) To a state agency, local board of education, or school, for K-12 school purposes, as permitted by state or federal law.

(d) Nothing in this Code section prohibits an operator from using student data, including student personally identifiable data, as follows:
(1) For maintaining, delivering, developing, supporting, evaluating, improving, or diagnosing the operator’s site, service, or application;
(2) Within other sites, services, or applications owned by the operator, and intended for the school or student use, to evaluate and improve educational products or services intended for the school or student use;
(3) For adaptive learning or customized student learning purposes;
(4) For recommendation engines to recommend additional content or services to students within a school service’s site, service, or application without the response being determined in whole or in part by payment or other consideration from a third party;
(5) To respond to a student’s request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party; or
(6) To ensure legal or regulatory compliance or to retain such data for these purposes.

(e) Nothing in this Code section prohibits an operator from using or sharing aggregate data or de-identified data as follows:
(1) For the development and improvement of the operator’s site, service, or application or other educational sites, services, or applications; or
(2) To demonstrate the effectiveness of the operator’s products or services, including their marketing.

(f) This Code section shall not be construed to limit the authority of a law enforcement agency to obtain any content or student data from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(g) This Code section does not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.

(h) This Code section shall not be construed to limit Internet service providers from providing Internet connectivity to schools or students and their families.

(i) This Code section shall not be construed to prohibit an operator from marketing educational products directly to parents so long as the marketing did not result from the use of student data obtained without parental consent by the operator through the provision of services covered under this Code section.

(j) This Code section shall not be construed to impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this Code section on those applications or software.

(k) This Code section shall not be construed to impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this Code section by third-party content providers.

(l) This Code section shall not be construed to impede the ability of a student or parent or guardian to download, transfer, or otherwise save or maintain their own student data or documents.

(m) Nothing in this Code section or this article prevents the department or local board of education and their employees from recommending, directly or via a product or service, any educational materials, online content, services, or other products to any student or his or her family if the department or local board of education determines that such products will benefit the student and does not receive compensation for developing, enabling, or communicating such recommendations.

History. Code 1981, § 20-2-666, enacted by Ga. L. 2015, p. 1031, § 1-1/SB 89; Ga. L. 2016, p. 846, § 20/HB 737.

20-2-667. Parental and student review of education record; model policies.

(a) A parent shall have the right to inspect and review his or her child’s education record maintained by the school or local board of education.

(b) A parent may request from the school or local board of education student data included in his or her child’s education record, including student data maintained by an operator, except when the local board of education determines that the requested data maintained by the operator cannot reasonably be made available to the parent.

(c) Local boards of education shall provide a parent or guardian with an electronic copy of his or her child’s education record upon request, unless the local board of education does not maintain a record in electronic format and reproducing the record in an electronic format would be unduly burdensome.

(d) A parent or eligible student shall have the right to request corrections to inaccurate education records maintained by a school or local board of education. After receiving a request demonstrating any such inaccuracy, the school or local board of education that maintains the data shall correct the inaccuracy and confirm such correction to the parent or eligible student within a reasonable amount of time.

(e) The rights contained in subsections (a) through (d) of this Code section shall extend also to eligible students seeking to access their own education records.

(f) The department shall develop model policies for local boards of education that:
(1) Support local boards of education in fulfilling their responsibility to annually notify parents of their right to request student information;
(2) Assist local boards of education with ensuring security when providing student data to parents;
(3) Provide guidance and best practices to local boards of education in order to ensure that local boards of education provide student data only to authorized individuals;
(4) Support local boards of education in their responsibility to produce education records and student data included in such education records to parents and eligible students, ideally within three business days of the request; and
(5) Assist schools and local boards of education with implementing technologies and programs that allow a parent to view online, download, and transmit data specific to his or her child’s education record.

(g)(1) The department shall develop model policies and procedures for a parent or eligible student to file a complaint with a local school system regarding a possible violation of rights under this article or under other federal or state student data privacy and security laws which shall ensure that:
(A) Each local school system designates at least one individual with responsibility to address complaints filed by parents or eligible students;
(B) A written response is provided to the parent’s or student’s complaint;
(C) An appeal may be filed with the local school superintendent; and
(D) An appeal for a final decision may be made to the local board of education.
(2) Within six months of adoption by the department of model policies and procedures pursuant to paragraph (1) of this subsection, each local board of education shall adopt policies and procedures that include, at a minimum, such department model policies and procedures.

(h) Nothing in this Code section shall authorize any additional cause of action beyond the process described in this Code section or as otherwise authorized by state law.

20-2-667 ELEMENTARY & SECONDARY EDUC. T.20, C.2, A.16, P.1, S.1

History. Code 1981, § 20-2-667, enacted by Ga. L. 2015, p. 1031, § 1-1/SB 89.

20-2-668. Rules and regulations.