Bill Summary – FastDemocracy

SECOND REGULAR SESSION
                        HOUSE BILL NO. 3281
                               103RD GENERAL ASSEMBLY


                               INTRODUCED BY REPRESENTATIVE BYRNES.

     7041H.01I                                                                    JOSEPH ENGLER, Chief Clerk


                                                AN ACT
     To amend chapter 160, RSMo, by adding thereto one new section relating to software
           accountability for education, with penalty provisions.


     Be it enacted by the General Assembly of the state of Missouri, as follows:

            Section A. Chapter 160, RSMo, is amended by adding thereto one new section, to be
 known as section 160.071, to read as follows:
            160.071. 1. This section shall be known and may be cited as the "PROTECT
 Students Act".
        2. As used in this section, the following terms mean:
        (1) "Addictive design feature", any feature or component of a digital or online
 product that encourages or increases a student's frequency, time spent, or engagement
 with the product including, but not limited to:
        (a) Infinite scroll or autoplay;
        (b) Points, badges, or other gamification rewards tied to time spent on the
 product;
        (c) Persistent notifications or push alerts prompting reengagement when not
 actively in use; and
        (d) Personalized recommendation systems or addictive algorithms that promote
 extended or compulsive use;
        (2) "Contracting entity", a local educational agency or the Missouri state board
 of education;
        (3) "Digital privacy agreement", a required contract between a local educational
 agency and a digital provider that strictly governs access, use, protection, retention, and

     EXPLANATION — Matter enclosed in bold-faced brackets [thus] in the above bill is not enacted and is
     intended to be omitted from the law. Matter in bold-face type in the above bill is proposed language.
HB 3281                                          2

 disclosure of student data and ensures compliance with applicable laws. Digital privacy
 agreements prohibit advertising use, profiling, resale, or any noneducational use of
 student data and termination clause;
         (4) (a) "Educational purpose", a purpose directly tied to:
         a. Instruction;
         b. Assessment;
         c. Student learning; or
         d. School operations necessary for instruction.
         (b) "Educational purpose" does not include:
         a. Marketing;
         b. Advertising;
         c. Behavioral profiling; or
         d. Any commercial purpose;
         (5) "Independently verified", a product that has been checked for its safety,
 effectiveness, and compliance by an impartial, separate third party who is not involved
 with its creation or management, ensuring objectivity and trust by removing potential
 bias from the original source;
         (6) "Instructional software":
         (a) Software that has successfully:
         a. Executed a digital privacy agreement; and
         b. Been verified for academic effectiveness, compliant with the provisions of this
 section;
         (b) Any instructional software that has not successfully completed the steps
 under paragraph (a) of this subdivision shall be deemed noncompliant software and
 shall not be used for student learning or school-sponsored activities in Missouri schools;
         (7) "Local educational agency", the same meaning as defined in section 167.225;
         (8) "School-issued device", any laptop, tablet, mobile device, or hardware
 provided to a student by a local educational agency for educational use;
         (9) (a) "Software", any application, web-based service, cloud application,
 mobile application, plug-in, or other code-based product, whether free or paid, that:
         a. Runs on or is accessed from a school-issued device, or from a student-owned
 device when used under the authority of a local educational agency; and
         b. Is assigned, required, recommended, installed, or otherwise made available by
 a local educational agency for student use in connection with:
         (i) Classroom instruction;
         (ii) A school-sponsored activity; or
         (iii) Any curricular, co-curricular, or extracurricular activity.
HB 3281                                          3

         (b) "Software" includes, without limitation, software used for instruction,
 assessment, communication, collaboration, enrichment, or recreation in connection with
 school-related purposes.
         (c) "Software" does not include the physical device itself;
         (10) "Student data", includes:
         (a) Personally identifiable information;
         (b) Metadata, device identifiers, and clickstream data;
         (c) Behavioral, engagement, or usage data; and
         (d) Information collected, generated, or inferred by the software during student
 use;
         (11) "Vendor", any company, developer, organization, or individual who
 provides software, digital tools, digital services, or related technology to a contracting
 entity for student use, whether free or paid.
         3. (1) Before any software may be installed, assigned, recommended, or
 otherwise made available for student use, the vendor shall:
         (a) Execute a statewide digital privacy agreement; and
         (b) Complete an independent review demonstrating that the software is
 academically effective.
         (2) (a) The state board of education shall adopt a single statewide digital privacy
 agreement governing the use of software and digital services by students in Missouri
 public schools.
         (b) All vendors shall execute the statewide digital privacy agreement as a
 condition of providing software or digital services to any local educational agency or the
 state board of education.
         (c) The statewide digital privacy agreement shall not be altered, supplemented,
 replaced, modified, or negotiated by a vendor, local educational agency, or contracting
 entity.
         (d) Any vendor-proposed privacy agreement, end-user license agreement, click-
 through terms, terms of service, or substitute contract is void and unenforceable with
 respect to student data or student use.
         (e) The contracting entity shall execute the statewide digital privacy agreement
 before software may be installed, assigned, recommended, or otherwise made available
 for student use.
         (3) The statewide digital privacy agreement shall incorporate and comply with
 state statutes governing data minimization, secondary use limitations, targeted
 advertising prohibitions, security safeguards, privacy notices, breach response,
 retention and deletion, and directory-information protections, where applicable.
 HB 3281                                          4

         (4) The statewide digital privacy agreement shall require full compliance with
 state statues and state board of education rules governing sensitive materials in schools.
 Software shall not display, recommend, algorithmically generate, link to, embed, or
 provide access to any material that:
         (a) Is pornographic;
         (b) Is harmful to minors;
         (c) Is indecent or obscene;
         (d) Contains descriptions or depictions of sexual conduct, sexual excitement,
 arousal, or stimulation;
         (e) Contains violent, graphic, or self-harm or suicidal content inconsistent with
 safety standards; or
         (f) Otherwise is prohibited under Missouri law.
         (5) (a) The statewide digital privacy agreement shall require that software shall
 not display, recommend, algorithmically generate, or provide access to any instructional
 or supplemental content that constitutes:
         a. Human sexuality instruction;
         b. Sexual education;
         c. Maturation instruction;
         d. Content relating to reproduction, contraception, sexual activity, or sexually
 transmitted diseases; or
         e. Sexual- or health-related information
113
 unless affirmative written parental consent has been obtained by the local educational
 agency in accordance with any rule or law.
        (b) Such requirement applies to core content, supplemental content, adaptive
 learning pathways, embedded media, hyperlinks, and AI-generated or AI-recommended
 content.
        (6) The statewide digital privacy agreement shall also include the following
 protections:
        (a) Software shall not require open-internet access for core educational
 functions. All external links, embedded media, and third-party content shall be
 reviewed and approved by the contracting entity;
        (b) Software shall not include:
        a. Infinite scroll;
        b. Auto-play video;
        c. Gamified reward loops unrelated to learning; or
 HB 3281                                           5

         d. Behavioral nudges or engagement mechanics designed to increase screen
 time;
         (c) Vendors shall not collect, store, or analyze:
         a. Biometric identifiers;
         b. Behavioral or emotional signals;
         c. Voiceprints or keystroke dynamics; or
         d. Precise geolocation
135
 unless strictly necessary for the educational purpose and disclosed in the digital privacy
 agreement;
        (d) Software shall not:
        a. Use student data to train machine-learning models;
        b. Employ AI systems that analyze or influence a student's emotions, behavior,
 or attention;
        c. Generate or recommend content intended to shape student beliefs or
 preferences;
        d. Produce or enable content that circumvents Missouri laws relating to sensitive
 materials or instructional materials;
        (e) Software shall not:
        a. Display commercial or sponsored content;
        b. Use session replay, heat-mapping, or behavioral analytics;
        c. Create persistent identifiers; or
        d. Track students outside the educational purpose;
        (f) Vendors shall:
        a. Use encryption for data in transit and at rest;
        b. Store and process all student data within the United States;
        c. Disclose all subprocessors and obtain approval before use; and
        d. Prohibit background data collection when software is minimized or inactive;
        (g) Vendors shall disclose to the contracting entity:
        a. All data elements collected;
        b. All third-party recipients;
        c. All embedded libraries, software development kits, and analytics tools;
        d. All device-level permissions; and
        e. All AI components and functions;
        (h) Camera, microphone, and system-level access shall not be used unless strictly
 necessary for the educational function and disclosed in the digital privacy agreement;
 and
 HB 3281                                          6

        (i) A vendor shall not condition access, features, pricing, or support on any form
 of usage quota or screen-time expectation.
        (7) The statewide digital privacy agreement shall include a termination-for-
 cause provision that:
        (a) Requires the vendor to cure any violation of the digital privacy agreement
 within a timeline established by rule;
        (b) Authorizes the contracting entity to terminate the contract if the vendor fails
 to cure the violation;
        (c) Provides that termination under this subdivision may occur without penalty,
 early-termination fee, or additional obligation to the contracting entity;
        (d) Requires the vendor to acknowledge that termination under this subdivision
 does not constitute a breach by the contracting entity; and
        (e) In order to protect students and ensure compliance with this section,
 authorizes the state board of education when a local educational agency does not cure or
 terminate a noncompliant contract within the required timeline to:
        a. Direct the contracting entity to terminate the contract; or
        b. Terminate the contracting entity's participation in the contract on its behalf.
        (8) (a) The independent review of academic effectiveness shall be performed by
 an evaluator that:
        a. Has no financial or contractual relationship with the vendor or any subsidiary
 of the vendor;
        b. Is not compensated by the vendor whose product is being reviewed;
        c. Uses transparent, publicly available evaluation methods; and
        d. Demonstrates expertise appropriate to the type of software being evaluated.
        (b) a. For purposes of this paragraph, "academic effectiveness" means:
        (i) Evidence, supported by independent studies, research, or evaluation,
 demonstrating that the software measurably improves student learning, skill
 development, or academic performance in the intended subject area;
        (ii) Alignment with Missouri core standards or state board of education–adopted
 standards for the relevant grade level or course;
        (iii) Demonstrated instructional value that meaningfully supplements or
 improves upon traditional, nondigital instructional practices;
        (iv) Absence of addictive design features that interfere with learning, distract
 from instruction, or reduce academic focus; and
        (v) Independent findings, based on transparent methodology, showing that the
 software produces positive, reliable, and replicable academic outcomes when used as
 intended in a classroom setting.
 HB 3281                                         7

         b. Each evaluation of academic effectiveness shall include:
         (i) A description of the research or evaluation methods used;
         (ii) Identification of the student populations, grade levels, or instructional
 contexts evaluated;
         (iii) Evidence that the results were not produced, funded, or influenced by the
 vendor;
         (iv) Disclosure of any limitations in the evidence or methodology; and
         (v) A determination of whether the software provides educational value
 sufficient to justify classroom use.
         c. The state board of education shall maintain a public list of independent
 evaluators that meet the standards described in this subdivision. Inclusion on the list
 does not constitute endorsement of an evaluator's findings.
         d. Before software may be installed, assigned, recommended, or otherwise made
 available for student use, the contracting entity shall obtain documentation of an
 independent evaluation demonstrating that the software meets the academic-
 effectiveness standards described in this subsection.
         4. (1) The state board of education shall create and maintain a statewide master
 list of software used by students in Missouri public schools. The master list is a
 transparency tool and does not constitute an approval or endorsement by the state
 board.
         (2) (a) Software shall be placed on the master list when the contracting entity
 has:
         a. Executed the statewide digital privacy agreement required under subsection 3
 of this section; and
         b. Obtained the academic-effectiveness verification required under subsection 3
 of this section.
         (b) Completion of the requirements under paragraph (a) of this subdivision shall
 be met before student use.
         (3) (a) The contracting entity shall:
         a. Execute the statewide digital privacy agreement for any software it adopts;
         b. Obtain the academic-effectiveness verification; and
         c. Submit the digital privacy agreement, verification, and required software
 information to the state board of education for listing.
         (b) Local educational agencies shall continue to maintain their local software
 inventory.
         (4) (a) The state board of education shall:
         a. Receive documentation submitted by contracting entities;
 HB 3281                                          8

         b. Publish and update the statewide master list on an ongoing basis; and
         c. Conduct compliance audits as provided in this subsection.
         (b) The state board of education does not approve or certify software and is not
 responsible for a local educational agency's contracting decisions.
         5. (1) The state board of education shall monitor and enforce compliance with
 this section through periodic audits of contracting entities and software vendors.
         (2) (a) The state board of education shall audit each local education agency to
 confirm that, for every software product used by students, the local educational agency
 has:
         a. Executed the statewide digital privacy agreement required under subsection 3
 of this section; and
         b. Obtained the academic-effectiveness verification required under subsection 3
 of this section.
         (b) Audits shall occur at least once every three years, with additional spot checks
 as needed.
         (3) As part of the audit process, the state board of education shall review vendor
 compliance with:
         (a) The statewide digital privacy agreement; and
         (b) The academic-effectiveness verification requirements established under
 subsection 3 of this section.
         (4) As part of vendor compliance reviews under subdivision (3) of this
 subsection, the state board of education shall verify whether the vendor discloses
 student data to unauthorized third parties in violation of the statewide digital privacy
 agreement or any rule or law.
         (5) Contracting entities and vendors shall provide the state board of education
 access to all records, documents, and data necessary to complete compliance audits and
 vendor reviews.
         (6) Following each audit, the state board of education shall issue a written
 compliance report identifying:
         (a) Findings of noncompliance;
         (b) Required corrective actions; and
         (c) Applicable timelines for remediation.
         (7) The state board of education may publish summary audit findings to support
 statewide transparency and allow parents and the public to identify compliant and
 noncompliant practices.
         6. (1) A local educational agency is out of compliance with this section if the
 local educational agency:
 HB 3281                                           9

         (a) Uses or assigns software for student use without a fully executed statewide
 digital privacy agreement; or
         (b) Uses or assigns software for student use without obtaining the academic-
 effectiveness verification required under subsection 3 of this section.
         (2) Upon finding a local educational agency is in noncompliance, the state board
 of education shall req