2025 SESSION
INTRODUCED
25101455D
SENATE BILL NO. 1486
Offered January 17, 2025
A BILL to amend the Code of Virginia by adding in Article 5 of Chapter 14 of Section 22.1 a section numbered 22.1-289.01:1, relating to public schools; student records and personal information; school-issued devices and school technology providers; protection of student personal information; policies and procedures.
—————
Patrons—Cifers and Aird
—————
Referred to Committee on Education and Health
—————
Be it enacted by the General Assembly of Virginia:
1. That the Code of Virginia is amended by adding in Article 5 of Chapter 14 of Section 22.1 a section numbered 22.1-289.01:1 as follows:
§ 22.1-289.01:1. School technology providers; school-issued devices; student personal information and privacy; protections and limitations.
A. As used in this section:
"Educational records" means the same as that term is defined in § 22.1-370.
"School-issued device" means any technological hardware or devices that a school board, acting independently or pursuant to a contract with a school technology provider, provides to individual students for their personal use on school property, at home, or both. "School-issued device" includes any laptop, tablet, or other technological device.
"School technology provider" means an entity that provides, pursuant to a contract with a school board in the Commonwealth, any technological hardware or devices intended for student use as school-issued devices.
"Student personal information" means information collected through a school technology provider that identifies a currently or formerly enrolled individual student or is linked to information that identifies a currently or formerly enrolled individual student.
"Targeted advertising" means advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information. "Targeted advertising" does not include advertising (i) that is presented to a student at an online location (a) on the basis of such student's online behavior, use of applications, or sharing of student personal information during his current visit to that online location or (b) in response to that student's request for information or feedback and (ii) for which a student's online activities or requests are not retained over time for the purpose of subsequent advertising.
B. Educational records or records of student personal information created, received, maintained, or disseminated by a school technology provider pursuant to a contract with a school board are solely the property of the school board and shall only be created, received, maintained, disseminated, or used pursuant to a contract between the school board and the school technology provider and in accordance with the provisions of this section. No school board shall enter into any contract with a school technology provider for the provision of school-issued devices except in accordance with the provisions of subsection C.
C. Any contract between a school board and any school technology provider for the provision of school-issued devices shall, at a minimum:
1. Require the school technology provider to:
a. Develop and maintain a privacy policy that (i) is designed to ensure the protection of student personal information and privacy in accordance with the provisions of this section and any other applicable state or federal law or regulation and (ii) details in a clear and easy-to-understand manner the types of student personal information it collects, how it maintains, uses, or disseminates such information, and the protocols or measures used to ensure the security and integrity of student personal information and privacy;
b. Notify the school board within a reasonable amount of time before making any material changes to the privacy policy developed and maintained pursuant to subdivision a;
c. Notify the school board within than 48 hours of any incident involving a breach of the contract adopted pursuant to this section, violation of the provisions of this section or other applicable state or federal law, or any other potential or actual compromise to the security and integrity of student personal information, privacy, or educational records;
d. Maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information and makes use of appropriate administrative, technological, and physical safeguards;
e. Delete or return to the school board any student personal information or educational records collected and maintained pursuant to the contract (i) within 90 days of the expiration of the contract, unless renewal of the contract is reasonably anticipated; (ii) within a reasonable period of time of receiving any request to delete or return such student personal information or educational records from the school board, a school within the school division, the parent of a student or, in the case of a student who is 18 years of age or older, the student; and (iii) for any applicable student, within five years of the date on which such student graduated from, aged out of, transferred out of, or otherwise left the school division; and
f. Require any successor entity or third party with whom it contracts to abide by the privacy policy and comprehensive information security program before accessing student personal information;
2. Prohibit the school technology provider from collecting, maintaining, using, or disseminating any student personal information or educational records except (i) with the informed, written consent of the student's parent or, in the case of a student who is 18 years of age or older, the student; (ii) as expressly authorized pursuant to the contract; and (iii) in accordance with the provisions of this section; and
3. Include a restriction on unauthorized access to any student personal information collected and maintained or any educational records created or maintained pursuant to the contract by the school technology provider's employees or contractor or any other third party.
D. No student personal information or educational records collected or maintained pursuant to a contract with a school board to provide any school-issued device shall be used for any commercial purpose, including for (i) the purpose of targeted advertising to students or the parents of students or (ii) for any other pecuniary benefit. For the purposes of this section, "commercial purpose" does not include the extent to which any student personal information or educational records are sold to or acquired by a successor entity that purchases, merges with, or otherwise acquires the school technology provider in accordance with subdivision C 1 f.
E. Any school board that, pursuant to a contract with a school technology provider, provides school-issued devices to students shall:
1. Ensure that student personal information or educational records collected, maintained, or otherwise available through any school-issued device or pursuant to any contract for the provision of any school-issued device is not used or accessed by (i) any school board employee except as permitted by this section and other applicable state or federal law and (ii) any school technology provider except as authorized pursuant to its contract with the school board pursuant to subsection C;
2. No later than the first day of the school year, provide to the parent of each student to whom a school-issued device shall be provided and post in a conspicuous, publicly accessible location on its website notice of the provision of any school-issued device. Such notice shall include (i) a copy of the privacy policy adopted by the school technology provider pursuant to subdivision C 1 a; (ii) the official name of the school technology provider; (iii) information relating to the comprehensive information security program used by the school technology provider pursuant to subdivision C 1 d; (iv) notification of the parent's or, if the student is 18 years of age or older, the student's right to receive a copy of the contract between the school board and the school technology provider; and (v) contact information by which the parent of any student can immediately reach a school board employee or an employee of the school technology provider to report or seek assistance with any concern relating to a school-issued device;
3. Notify within 24 hours of receiving notice from the school technology provider pursuant to subdivision C 1 c the parent of each student of any (i) breach of the school technology provider's privacy policy or contract, whether or not such breach actually compromises the security or integrity of any student personal information, educational records, or privacy, or (ii) other incident that leads the school board to reasonably believe that any electronic records containing student personal information have been disclosed or compromised in violation of the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g). Such notification shall include the (a) date, estimated date, or date range of the disclosure or breach; (b) type of information that was or is reasonably believed to have been disclosed or compromised; and (c) remedial measures taken or planned in response to the disclosure or breach; and
4. Obtain informed, written consent from the parent of any student or, in the case of a student who is 18 years of age or older, the student prior to taking any action relating to any school-issued devices that may impact student personal information or educational records that, pursuant to the contract with the school technology provider, is not expressly authorized or requires informed, written consent.
F. Except as provided in subsection G, no school board or school technology provider shall use any school-issued device to electronically access or monitor any of the following:
1. Location-tracking features;
2. Audio or visual receiving, transmitting, or recording features; or
3. Student interactions with a school-issued device, including keystrokes and web-browsing activity.
G. Subsection F shall not apply to any such use of a school-issued device if:
1. The use is limited to a noncommercial, educational, or instructional purpose, to the provision of technical support, or to exam-proctoring by a school board employee or a third party pursuant to a contract with the school board and notice of such use is provided in advance; or
2. The use is (i) (a) permitted under a judicial warrant or is necessary to comply with state or federal law, (b) in response to the school board receiving notification that the school-issued device is missing or stolen, or (c) necessary to prevent or respond to a threat to life or safety and is limited to such purpose and (ii) the school board provides within 72 hours of such use of any school-issued device notification to the parent of each student whose school-issued device was affected, including a description of the circumstances and the features of the device that were accessed, and such other information as deemed relevant by the school board.
HI. Nothing in this section shall be construed to:
1. Prohibit any school technology provider or school board from disclosing any information necessary to (i) ensure legal or regulatory compliance or (ii) protect against liability;
2. Prohibit any student from downloading, exporting, transferring, saving, or maintaining his personal information, data, or documents on any school-issued device, provided that any such activity does not violate any student code of conduct or school-issued device use policy adopted by such student's school; or
3. Prohibit any school board or public school from making any disclosure of any information or educational records.