2019 Georgia Code
Title 20 - Education
Chapter 2 - Elementary and Secondary Education
Article 15 - Student Data Privacy, Accessibility, and Transparency
§ 20-2-666. Activities by operators; limitations
(a) An operator shall not knowingly engage in any of the following activities with respect to such operator's site, service, or application without explicit written consent from the student's parent or guardian, or an eligible student:
(1) Use student data to engage in behaviorally targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any student data and state-assigned student identifiers or other persistent unique identifiers that the operator has acquired because of the use of such operator's site, service, or application;
(2) Use information, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. For purposes of this paragraph, "amass a profile" does not include collection and retention of account records or information that remains under the control of the student, parent, or local board of education;
(3) Sell a student's data. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this Code section with respect to previously acquired student data that is subject to this article; or
(4) Disclose student personally identifiable data without explicit written or electronic consent from a student over the age of 13 or a student's parent or guardian, given in response to clear and conspicuous notice of the activity, unless the disclosure is made:
(A) In furtherance of the K-12 school purposes of the site, service, or application; provided, however, that the recipient of the student data disclosed (i) shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school, and (ii) is legally required to comply with the requirements of this article and not use the student information in violation of this article;
(B) To ensure legal or regulatory compliance or protect against liability;
(C) To respond to or participate in judicial process;
(D) To protect the security or integrity of the entity's website, service, or application;
(E) To protect the safety of users or others or security of the site;
(F) To a service provider, provided that the operator contractually (i) prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) requires such service provider to impose the same restrictions as in this paragraph on its own service providers, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subsection (b) of this Code section; or
(G) For an educational, public health, or employment purpose requested by the student's parent or guardian, provided that the information is not used or further disclosed for any purpose.
(b) An operator shall:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the student data to protect that information from unauthorized access, destruction, use, modification, or disclosure; and
(2) Delete a student's data within a reasonable timeframe not to exceed 45 days if the school or local board of education requests deletion of data under the control of the school or local board of education.
(c) Notwithstanding paragraph (4) of subsection (a) of this Code section, an operator may disclose student data, so long as paragraphs (1) through (3) of subsection (a) of this Code section are not violated, under the following circumstances:
(1) If another provision of federal or state law requires the operator to disclose the student data, and the operator complies with applicable requirements of federal and state law in protecting and disclosing that information;
(2) For legitimate research purposes:
(A) As required by state or federal law and subject to the restrictions under applicable state and federal law; or
(B) As allowed by state or federal law and under the direction of a school, a local board of education, or the department, subject to compliance with subsection (a) of this Code section; or
(3) To a state agency, local board of education, or school, for K-12 school purposes, as permitted by state or federal law.
(d) Nothing in this Code section prohibits an operator from using student data, including student personally identifiable data, as follows:
(1) For maintaining, delivering, developing, supporting, evaluating, improving, or diagnosing the operator's site, service, or application;
(2) Within other sites, services, or applications owned by the operator, and intended for the school or student use, to evaluate and improve educational products or services intended for the school or student use;
(3) For adaptive learning or customized student learning purposes;
(4) For recommendation engines to recommend additional content or services to students within a school service's site, service, or application without the response being determined in whole or in part by payment or other consideration from a third party;
(5) To respond to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party; or
(6) To ensure legal or regulatory compliance or to retain such data for these purposes.
(e) Nothing in this Code section prohibits an operator from using or sharing aggregate data or de-identified data as follows:
(1) For the development and improvement of the operator's site, service, or application or other educational sites, services, or applications; or
(2) To demonstrate the effectiveness of the operator's products or services, including their marketing.
(f) This Code section shall not be construed to limit the authority of a law enforcement agency to obtain any content or student data from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(g) This Code section does not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.
(h) This Code section shall not be construed to limit Internet service providers from providing Internet connectivity to schools or students and their families.
(i) This Code section shall not be construed to prohibit an operator from marketing educational products directly to parents so long as the marketing did not result from the use of student data obtained without parental consent by the operator through the provision of services covered under this Code section.
(j) This Code section shall not be construed to impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this Code section on those applications or software.
(k) This Code section shall not be construed to impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this Code section by third-party content providers.
(l) This Code section shall not be construed to impede the ability of a student or parent or guardian to download, transfer, or otherwise save or maintain their own student data or documents.
(m) Nothing in this Code section or this article prevents the department or local board of education and their employees from recommending, directly or via a product or service, any educational materials, online content, services, or other products to any student or his or her family if the department or local board of education determines that such products will benefit the student and does not receive compensation for developing, enabling, or communicating such recommendations.
Code 1981, § 20-2-666, enacted by Ga. L. 2015, p. 1031, § 1-1/SB 89; Ga. L. 2016, p. 846, § 20/HB 737.