SB 378 — An Act amending Title 24 (Education) of the Pennsylvania Consolidated Statutes, in preliminary provisions, providing for student data privacy and protection; conferring powers and imposing duties on the Department of Education; and imposing penalties.
Congress · introduced 2025-02-26
Latest action: — First consideration, March 23, 2026
Sponsors
- Kristin Phillips-Hill (R, PA-28) — sponsor · 2025-02-26
- Michele Brooks (R, PA-50) — cosponsor · 2025-02-26
- Wayne D. Fontana (D, PA-42) — cosponsor · 2025-02-26
- Daniel Laughlin (R, PA-49) — cosponsor · 2025-02-26
- Judy Ward (R, PA-30) — cosponsor · 2025-02-26
- Patrick J. Stefano (R, PA-32) — cosponsor · 2025-02-26
- Cris Dush (R, PA-25) — cosponsor · 2025-02-26
- Doug Mastriano (R, PA-33) — cosponsor · 2025-02-26
Action timeline
- · senate — Referred to EDUCATION, Feb. 26, 2025
- · senate — Reported as amended, March 23, 2026
- · senate — First consideration, March 23, 2026
Bill text
Printer's No. 0240 · 37,905 characters · source document
PRINTER'S NO. 240
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 378
Session of
2025
INTRODUCED BY PHILLIPS-HILL, BROOKS, FONTANA, LAUGHLIN, J. WARD,
STEFANO AND DUSH, FEBRUARY 26, 2025
REFERRED TO EDUCATION, FEBRUARY 26, 2025
AN ACT
1 Amending Title 24 (Education) of the Pennsylvania Consolidated
2 Statutes, in preliminary provisions, providing for student
3 data privacy and protection; conferring powers and imposing
4 duties on the Department of Education; and imposing
5 penalties.
6 The General Assembly of the Commonwealth of Pennsylvania
7 hereby enacts as follows:
8 Section 1. Part I of Title 24 of the Pennsylvania
9 Consolidated Statutes is amended by adding a chapter to read:
10 CHAPTER 5
11 STUDENT DATA PRIVACY AND PROTECTION
12 Subchapter
13 A. General Provisions
14 B. Powers and Duties
15 C. Disclosure and Use of Information
16 D. Enforcement
17 SUBCHAPTER A
18 GENERAL PROVISIONS
19 Sec.
1 501. Scope of chapter.
2 502. Legislative intent.
3 503. Findings and declarations.
4 504. Definitions.
5 505. Effect of chapter.
6 § 501. Scope of chapter.
7 This chapter relates to student data privacy and protection.
8 § 502. Legislative intent.
9 It is the intent of the General Assembly to ensure that:
10 (1) Only essential student data shall be collected.
11 (2) Student data shall be safeguarded.
12 (3) The privacy rights of students and their parents or
13 legal guardians shall be honored, respected and protected.
14 § 503. Findings and declarations.
15 The General Assembly finds and declares as follows:
16 (1) Educational entities in this Commonwealth are
17 custodians of vast amounts of personally identifiable
18 information through their collection and maintenance of
19 student data.
20 (2) It is critically important to ensure that only
21 essential student data shall be collected and that personal
22 information shall be protected, safeguarded, kept private and
23 only accessed or used by appropriate authorized persons.
24 (3) The Commonwealth lacks a sufficient plan to ensure
25 adequate protection of student data.
26 (4) The Commonwealth lacks guarantees for the protection
27 of student data and the personally identifiable information
28 contained within that data.
29 (5) Given the vast personally identifiable student
30 information held, educational entities are prime targets for
20250SB0378PN0240 - 2 -
1 data and information poaching by identity thieves and other
2 hackers.
3 (6) In emergencies, certain information should be
4 readily available to school officials and emergency personnel
5 to assist students and their families.
6 § 504. Definitions.
7 The following words and phrases when used in this chapter
8 shall have the meanings given to them in this section unless the
9 context clearly indicates otherwise:
10 "Aggregate student data." Student data collected by an
11 educational entity which:
12 (1) Is totaled and reported at the group, cohort,
13 school, school district, region or State level as determined
14 by the educational entity.
15 (2) Does not reveal personally identifiable student
16 data.
17 (3) Cannot reasonably be used to identify, contact,
18 single out or infer information about a student or device
19 used by a student.
20 "Biometric identifier." A measurable biological or
21 behavioral characteristic that can be used for automated
22 recognition of an individual. The following apply:
23 (1) The term includes any of the following:
24 (i) A retina or iris scan.
25 (ii) A fingerprint.
26 (iii) A human biological sample.
27 (iv) A scan of the hand.
28 (v) A voice print.
29 (vi) Facial geometry.
30 (2) The term does not include any of the following:
1 (i) A physical description, including height,
2 weight, hair color or eye color.
3 (ii) A writing sample.
4 (iii) A written signature.
5 (iv) Demographic data.
6 "Data authorization." A written authorization by a student
7 or a student's parent or legal guardian if the student is under
8 18 years of age to collect or share the student's student data.
9 "Department." The Department of Education of the
10 Commonwealth.
11 "Educational entity." An organized education provider,
12 including a public school. The term does not include an
13 institution of higher education.
14 "Educational record." Student data or other student
15 information created and maintained by an educational entity or a
16 third party.
17 "Institution of higher education." Any of the following:
18 (1) A community college operating under Article XIX-A of
19 the act of March 10, 1949 (P.L.30, No.14), known as the
20 Public School Code of 1949.
21 (2) A State-owned institution.
22 (3) A State-related institution.
23 (4) Any other institution that is designated as State-
24 related by the Commonwealth.
25 (5) An accredited private or independent college or
26 university.
27 (6) A private licensed school as defined in the act of
28 December 15, 1986 (P.L.1585, No.174), known as the Private
29 Licensed Schools Act.
30 "Necessary student data." Student data required by Federal
1 or State law to conduct the regular activities of an educational
2 entity.
3 "Personally identifiable student data." Student data that,
4 by itself or in connection with other information, would enable
5 a specific student or other individual to be reasonably
6 identified.
7 "Public school." A school operated by a school district of
8 any class, intermediate unit, charter school, cyber charter
9 school or an area career and technical school.
10 "State-owned institution." An institution which is part of
11 the State System of Higher Education under Article XX-A of the
12 Public School Code of 1949 and all branches and campuses of a
13 State-owned institution.
14 "State-related institution." The Pennsylvania State
15 University, including the Pennsylvania College of Technology,
16 the University of Pittsburgh, Temple University and Lincoln
17 University, and their branch campuses.
18 "Student." An individual who attends a public school.
19 "Student data." Information regarding a student that is
20 descriptive of the student and collected and maintained at the
21 individual student level, regardless of physical, electronic or
22 other media or format, including any of the following:
23 (1) The following information regarding the student:
24 (i) Name.
25 (ii) Date and location of birth.
26 (iii) Social Security number.
27 (iv) Gender.
28 (v) Race.
29 (vi) Ethnicity.
30 (vii) Tribal affiliation.
1 (viii) Sexual identity or orientation.
2 (ix) Migrant status.
3 (x) English language learner status.
4 (xi) Disability status.
5 (xii) Mother's maiden name.
6 (xiii) Contact information, including telephone
7 numbers, email addresses, physical addresses and other
8 distinct contact identifiers.
9 (xiv) Special education records or an applicable
10 mandate under 20 U.S.C. Ch. 33 (relating to education of
11 individuals with disabilities).
12 (xv) An individualized education program or other
13 written education plan, including special education
14 evaluation data for the program or plan.
15 (xvi) The student's identification number.
16 (xvii) Local or State assessment results or the
17 reason for an exception from taking a local or State
18 assessment.
19 (xviii) Courses taken and completed, credits earned
20 or other transcript information.
21 (xix) Course grades, grade point average or another
22 indicator of academic achievement.
23 (xx) Grade level and expected graduation date.
24 (xxi) Cohort graduation rate or related information.
25 (xxii) Degree, diploma, credential attainment or
26 other school exit information.
27 (xxiii) Attendance and mobility.
28 (xxiv) Dropout data.
29 (xxv) An immunization record or the reason for an
30 exception from receiving an immunization.
1 (xxvi) Remediation efforts.
2 (xxvii) Cumulative disciplinary records.
3 (xxviii) Juvenile delinquency or dependency records.
4 (xxix) Criminal records.
5 (xxx) Medical or health records created or
6 maintained by an educational entity.
7 (xxxi) Political affiliation, voter registration
8 information or voting history.
9 (xxxii) Income or other socioeconomic information,
10 except as required by law or if an educational entity
11 determines income information is required to apply for,
12 administer, research or evaluate programs to assist
13 students from low-income families.
14 (xxxiii) Religious information or beliefs.
15 (xxxiv) A biometric identifier or other biometric
16 information.
17 (xxxv) Food purchases.
18 (xxxvi) Geolocation data.
19 (xxxvii) Any other information that either on its
20 own or collectively could reasonably be used to identify
21 a specific student.
22 (2) The following information regarding family members,
23 including parents and legal guardians, of the student:
24 (i) Name of family members.
25 (ii) Contact information for family members,
26 including telephone numbers, email addresses, physical
27 addresses and other distinct contact identifiers.
28 (iii) Education status, an educational record or
29 student data of a family member who is a student.
30 "Targeted marketing." Advertising to a student or a
1 student's parent or guardian that is selected based on
2 information obtained or inferred from the student's online or
3 offline behavior, usage of applications or student data. The
4 term does not include advertising to a student at an online
5 location based on the student's current visit to that location
6 or single search query without collection and retention of the
7 student's online activities over time. The term does not include
8 using the student's personally identifiable student data to
9 identify for the student institutions of higher education or
10 scholarship providers that are seeking students who meet
11 specific criteria, provided a written data authorization by the
12 student, or the student's parent or legal guardian if the
13 student is under 18 years of age, permits the disclosure and
14 use.
15 "Third party." A person that enters into a contract with an
16 educational entity to provide a good or service. The term
17 includes a subsequent subcontractor that may accompany the
18 person in the provision of the good or service.
19 § 505. Effect of chapter.
20 Nothing in this chapter shall be construed to prohibit or
21 otherwise limit the ability of an educational entity from
22 reporting or making available aggregate student data or other
23 collective data for reasonable usage.
24 SUBCHAPTER B
25 POWERS AND DUTIES
26 Sec.
27 511. Chief data privacy officer.
28 512. Data inventory and data elements.
29 513. Forms.
30 514. Rules and regulations.
1 515. Educational entities.
2 § 511. Chief data privacy officer.
3 (a) Designation.--The Secretary of Education shall designate
4 an individual to serve as the chief data privacy officer within
5 the department to assume primary responsibility for student data
6 privacy and security policy.
7 (b) Specific duties.--The chief data privacy officer within
8 the department shall:
9 (1) Ensure that student data contained in the State data
10 system shall be handled in full compliance with:
11 (i) This chapter.
12 (ii) 20 U.S.C. § 1232g (relating to family
13 educational and privacy rights) and its associated
14 regulations.
15 (iii) Other Federal and State data privacy and
16 security laws.
17 (2) Establish, publish and make easily available
18 policies necessary to assure that the use of technologies
19 sustain, enhance and do not erode privacy protections
20 relating to the use, collection and disclosure of student
21 data.
22 (3) Develop and provide to educational entities a model
23 student data privacy and security plan.
24 (4) Evaluate legislative and regulatory proposals
25 involving use, collection and disclosure of student data by
26 educational entities.
27 (5) Conduct a privacy impact assessment on legislative
28 proposals and regulations and program initiatives of the
29 department, including the type of personal information
30 collected and the number of students affected.
1 (6) Prepare an annual report for submission to the
2 General Assembly on activities of the department that affect
3 privacy, including complaints of privacy violations, internal
4 controls and other related matters.
5 (7) Consult and coordinate with other representatives of
6 the department and the Commonwealth and other persons
7 regarding the quality, usefulness, openness and privacy of
8 data and the implementation of this chapter.
9 (8) Establish and operate a privacy incident response
10 program to ensure that each data-related incident involving
11 the department is properly reported, investigated and
12 mitigated.
13 (9) Establish a model process and policy for a student
14 and a student's parent or legal guardian if the student is
15 under 18 years of age to file a complaint regarding a
16 violation of data privacy or an inability to access, review
17 or correct the student's student data or other information
18 contained in the student's educational record.
19 (10) Provide training, guidance, technical assistance
20 and outreach to build a culture of data privacy protection
21 and data security among educational entities and third
22 parties.
23 (c) Investigations.--The chief data privacy officer may
24 investigate issues of compliance with this chapter or another
25 data privacy or security law concerning a matter related to this
26 chapter. In conducting the investigation, the chief data privacy
27 officer shall:
28 (1) Have access to all records, reports, audits,
29 reviews, documents, papers, recommendations and other
30 materials available to the educational entity or third party
1 under investigation.
2 (2) Limit the investigation and any accompanying report
3 to those matters which are necessary or desirable to the
4 effective administration of this chapter.
5 (3) In matters related to compliance with Federal law,
6 refer the matter to the appropriate Federal agency and
7 cooperate with any investigation by the Federal agency.
8 § 512. Data inventory and data elements.
9 The department shall create and post on its publicly
10 accessible Internet website a data inventory and dictionary of
11 data elements with definitions of individual student data fields
12 currently in the student data system, including information
13 which:
14 (1) is required to be reported by Federal or State
15 education mandates;
16 (2) has been proposed for inclusion in the student data
17 system with a statement regarding the purpose or reason for
18 the proposed collection; and
19 (3) the department collects or maintains with no current
20 purpose or reason.
21 § 513. Forms.
22 The department shall develop forms, including the following:
23 (1) The notice of disclosure and acknowledgment under
24 section 522 (relating to notice of disclosure).
25 (2) The written data authorization to permit the
26 disclosure of information.
27 § 514. Rules and regulations.
28 The department shall promulgate rules and regulations
29 necessary to implement the provisions of this chapter.
30 § 515. Educational entities.
1 An educational entity shall:
2 (1) Subject to the approval of the chief data privacy
3 officer within the department and taking into account the
4 specific needs and priorities of the educational entity,
5 adopt and implement reasonable security policies and
6 procedures to protect educational records and student data in
7 accordance with this chapter to protect information from
8 unauthorized access, destruction, use, modification or
9 disclosure.
10 (2) Designate an individual to act as a student data
11 manager to fulfill the responsibilities under this section.
12 (3) Create, maintain and submit to the chief data
13 privacy officer under the department a data governance plan
14 addressing the protection of existing data and future data
15 records.
16 (4) Establish a review process for all requests for data
17 for the purpose of external research or evaluation.
18 (5) Prepare an annual report for submission to the chief
19 data privacy officer within the department. Each annual
20 report must include:
21 (i) Any proposed changes to data security policies.
22 (ii) Attempted occurrences of a data security
23 breach.
24 SUBCHAPTER C
25 DISCLOSURE AND USE OF INFORMATION
26 Sec.
27 521. Data ownership.
28 522. Notice of disclosure.
29 523. Disclosure by educational entity.
30 524. Biometric identifiers.
1 525. Targeted marketing.
2 526. Review and correction of educational records.
3 527. Use of information by third parties.
4 528. Third-party contracts.
5 529. Law enforcement.
6 530. Exception for use of personally identifiable student data.
7 § 521. Data ownership.
8 (a) Authority of student.--A student is the owner of the
9 student's student data and may download, export, transfer or
10 otherwise save or maintain any document, data or other
11 information created by the student that may be held or
12 maintained, in whole or in part, by an educational entity.
13 (b) Work or product.--Any work or intellectual product
14 created by a student, whether for academic credit or otherwise,
15 shall be the property of the student.
16 § 522. Notice of disclosure.
17 (a) Distribution.--An educational entity which collects
18 student data, regardless of whether that information is
19 developed and maintained as aggregate student data, shall
20 provide to each student and each student's parent or legal
21 guardian if the student is under 18 years of age an annual
22 written notice outlining the conditions under which the
23 student's student data may be disclosed.
24 (b) Form.--The notice under this section must be:
25 (1) Prominent and provided as a stand-alone document.
26 (2) Annually updated and distributed.
27 (3) Written in plain language that is easily
28 comprehended by an average individual.
29 (c) Contents.--The notice under this section must:
30 (1) List the necessary student data and optional student
1 data which the educational entity collects and the rationale
2 for the collection of the data.
3 (2) State that student data collected may not be shared
4 without a written data authorization by the student or the
5 student's parent or legal guardian if the student is under 18
6 years of age.
7 (3) List each third party with access or control of
8 student data under a contractual agreement.
9 (4) Outline the rights and responsibilities under this
10 chapter.
11 (5) Contain an acknowledgment specifying that the
12 intended recipient of the notice actually received the notice
13 and understands its contents.
14 (d) Receipt and acknowledgment.--Each recipient of the
15 notice under this section shall sign the acknowledgment and
16 return it to the appropriate educational entity as soon as
17 possible.
18 (e) Maintenance.--An educational entity shall maintain on
19 file, electronically or otherwise, each signed acknowledgment
20 received under this section.
21 § 523. Disclosure by educational entity.
22 (a) Conditions for disclosure.--An educational entity may
23 not disclose student data unless the disclosure is:
24 (1) authorized in writing by a student or a student's
25 parent or legal guardian if the student is under 18 years of
26 age;
27 (2) authorized or required by Federal or State law;
28 (3) determined to be necessary due to an imminent health
29 or safety emergency; or
30 (4) ordered by a court of competent jurisdiction.
1 (b) Financial benefit.--Except as otherwise provided under
2 this chapter, an educational entity may not release or otherwise
3 disclose student data or information in an educational record in
4 exchange for any good, product, application, service or any
5 other thing of measurable value.
6 § 524. Biometric identifiers.
7 An educational entity or third party may not collect any
8 biometric identifier on a student except as may be required by
9 law.
10 § 525. Targeted marketing.
11 Student data may not be released or used for purposes of
12 targeted marketing unless the release is absolutely necessary
13 for education progression, which may include the use of adaptive
14 educational software or any other strictly educational endeavor
15 whose sole purpose is to provide a tailored education experience
16 to the student.
17 § 526. Review and correction of educational records.
18 (a) Request for inspection.--A student or a student's parent
19 or legal guardian if the student is under 18 years of age may
20 request the inspection and review of the student's student data
21 or other information contained in the student's educational
22 records and maintained by an educational entity or a third
23 party.
24 (b) Transmittal of information.--Upon the request under
25 subsection (a), the educational entity or third party shall
26 provide the information in a timely manner and in electronic
27 form unless the requested information:
28 (1) is not maintained in electronic format, in which
29 case arrangements shall be made for transmittal in another
30 format; or
1 (2) cannot reasonably be made available to the
2 requesting individual or the reproduction of the requested
3 information would be unduly burdensome.
4 (c) Corrections and expungement.--
5 (1) A requesting individual under subsection (a) may
6 request that corrections be made to inaccurate or incomplete
7 information contained in the student's student data or other
8 educational record.
9 (2) A requesting individual under subsection (a) shall
10 have the right to expunge the student's student data or other
11 information contained in the student's educational record
12 that pertains to:
13 (i) an unsubstantiated accusation; or
14 (ii) an adjudicated matter if the student has been
15 found not at fault or not guilty of the charges raised.
16 (3) After receiving the request under this subsection,
17 the educational entity or third party that maintains the
18 information shall make the necessary changes to the student
19 data or other educational record and confirm the changes with
20 the requesting individual within 90 days of the request under
21 this subsection.
22 § 527. Use of information by third parties.
23 (a) Personally identifiable student data.--A third party
24 shall use personally identifiable student data received under a
25 contract with an educational entity strictly for the purpose of
26 providing the contracted product or service to the educational
27 entity, unless a student or the student's parent affirmatively
28 chooses to disclose the student's data for a secondary purpose.
29 (b) Prohibited uses.--A third party may not manage or use
30 student data or information from an educational record obtained
1 in the course of a contractual relationship with an educational
2 entity to do any of the following:
3 (1) Conduct targeted marketing.
4 (2) Create a student profile except:
5 (i) as allowed under the terms of the contractual
6 relationship with the educational entity; or
7 (ii) in furtherance of the purposes of the
8 educational entity.
9 (3) Sell student data or information from an educational
10 record.
11 (4) Exchange student data or information from an
12 educational record for any goods, services or applications.
13 (5) Disclose student data or information from an
14 educational record except as provided under this chapter.
15 (6) Impede the ability of a student, a student or a
16 student's parent or legal guardian, if the student is under
17 18 years of age from downloading, exporting or otherwise
18 saving or maintaining the student's student data or other
19 information from the student's educational record.
20 (c) Limitation.--Subsection (b) shall not apply to nonprofit
21 organizations engaging in activities to provide students with
22 higher education, scholarship or other educational
23 opportunities.
24 (d) Permissive uses.--A third-party contractor may:
25 (1) Use student data for adaptive learning or customized
26 student learning purposes.
27 (2) Market an educational application or product to a
28 student's parent or legal guardian if the student is under 18
29 years of age if the third party did not use student data,
30 shared by or collected on behalf of an educational entity, to
1 develop the educational application or product.
2 (3) Use a recommendation engine to recommend to a
3 student or a student's parent or legal guardian if the
4 student is under 18 years of age any of the following:
5 (i) Content that relates to learning or employment,
6 within the third party's internal application, if the
7 recommendation is not motivated by payment or other
8 consideration from another party.
9 (ii) Services that relate to learning or employment,
10 within the third party's internal application, if the
11 recommendation is not motivated by payment or other
12 consideration from another party.
13 (4) Respond to a student or a student's parent or legal
14 guardian if the student is under 18 years of age regarding a
15 request for information or feedback, if the content of the
16 response is not motivated by payment or other consideration
17 from another party.
18 (5) Use student data to allow or improve operability and
19 functionality of the third party's internal application.
20 (6) Disclose a student's personally identifiable
21 information at the student's request to institutions of
22 higher education and other educational organizations,
23 including scholarship providers.
24 (7) Disclose and utilize personally identifiable
25 information and aggregate student data when used solely for
26 research purposes that are compatible with the context in
27 which the information was collected.
28 § 528. Third-party contracts.
29 When contracting with a third party, an educational entity
30 shall require the following provisions in the contract:
1 (1) Requirements and restrictions related to the
2 collection, use, storage or sharing of student data by the
3 third party that are necessary for the educational entity to
4 ensure compliance with the provisions of this chapter and
5 other State law.
6 (2) A description of a person, or type of person,
7 including an affiliate or subcontractor of the third party,
8 with whom the third party may share student data or other
9 information.
10 (3) When and how to delete student data or other
11 information received by the third party.
12 (4) A prohibition on the secondary use of personally
13 identifiable student data by the third party except when used
14 for research purposes or for legitimate educational interests
15 compatible with the context in which the personal information
16 was collected.
17 (5) An agreement by the third party that the educational
18 entity or the educational entity's designee may audit the
19 third party to verify compliance with the contract.
20 (6) Requirements for the third party or a subcontractor
21 of the third party to effect security measures to prevent,
22 detect or mitigate a data breach.
23 (7) Requirements for the third party or a subcontractor
24 of the third party to notify the educational entity of a
25 suspected data breach or intrusion.
26 § 529. Law enforcement.
27 As authorized by law or court order, a third party shall
28 share student data as requested by law enforcement.
29 § 530. Exception for use of personally identifiable student
30 data.
1 Notwithstanding any other provision of this chapter, this
2 chapter does not apply to nonprofit organizations using the
3 student data for legitimate educational interests, including
4 engaging in activities to provide students higher education and
5 scholarship opportunities or prohibit the use of the student's
6 personally identifiable student data to identify for the student
7 institutions of higher education or scholarship providers that
8 are seeking students who meet specific criteria, provided a
9 written data authorization by the student or a student's parent
10 or legal guardian if the student is under 18 years of age
11 permits the use. This section shall apply regardless of whether
12 the identified institutions of higher education or scholarship
13 providers provide consideration to the school services contract
14 provider.
15 SUBCHAPTER D
16 ENFORCEMENT
17 Sec.
18 541. Data breach or security compromise.
19 542. Funding.
20 543. Civil and administrative penalties.
21 544. Effect on criminal liability.
22 § 541. Data breach or security compromise.
23 (a) Notification of chief data privacy officer.--An
24 educational entity shall notify the chief data privacy officer
25 within the department of a suspected or confirmed data breach or
26 security compromise within 24 hours of becoming aware of the
27 data breach or security compromise.
28 (b) Notification of students, parents and legal guardians.--
29 If there is an unauthorized release or compromise of student
30 data by security breach or otherwise, the affected educational
1 entity shall, within three business days of verification of the
2 release or compromise, notify all of the following:
3 (1) Each student whose information has been released or
4 compromised.
5 (2) Each student's parent or legal guardian if the
6 student is under 18 years of age and the student's
7 information has been released or compromised.
8 (c) Notification by third party.--If a suspected or
9 confirmed data breach or security compromise of student data
10 held by a third party has occurred, the third party shall:
11 (1) Notify the educational entity with whom the third
12 party has contracted regarding the information within 24
13 hours of becoming aware of the data breach or security
14 compromise.
15 (2) Take action to determine the scope of data breached
16 or otherwise compromised.
17 (3) Update the educational entity once the full scope of
18 the data breach and security compromise is known.
19 (4) Take all reasonable steps to notify the affected
20 individuals of the data breach or security compromise.
21 § 542. Funding.
22 Public money may not be made available under an applicable
23 program to an educational entity that has a policy that denies
24 or effectively prevents a student or a student's parent or legal
25 guardian if the student is under 18 years of age the right to
26 inspect, review or correct the student's student record or
27 information within the student's educational record.
28 § 543. Civil and administrative penalties.
29 An educational entity or third party that fails to comply
30 with any duty or other provision under this chapter resulting in
1 the intentional, knowing, reckless or negligent data breach or
2 security compromise shall be subject to the following penalties:
3 (1) Civil penalties, which shall include the following:
4 (i) The costs of identity protection for each
5 individual affected by the data breach or security
6 compromise.
7 (ii) Legal fees and costs incurred by each
8 individual affected by the data breach or security
9 compromise.
10 (iii) Any other penalty that the court deems
11 reasonable or appropriate.
12 (2) Administrative penalties by the department, which
13 shall include a fine of not less than $1,000 nor more than
14 $5,000 for each offense committed. The aggregate amount of
15 fines under this paragraph may not exceed $1,000,000 in any
16 calendar year.
17 § 544. Effect on criminal liability.
18 Nothing in this subchapter shall be construed to limit,
19 preclude or supersede criminal liability as may be applicable to
20 or enforceable under this chapter.
21 Section 2. This act shall take effect as follows:
22 (1) The following shall take effect August 1, 2024:
23 The addition of 24 Pa.C.S. §§ 511(c) and 515.
24 The addition of 24 Pa.C.S. Ch. 5 Subchs. C and D.
25 (2) This section shall take effect immediately.
26 (3) The remainder of this act shall take effect in 120
27 days.
Connected on the graph
Outbound (1)
| date | type | to | amount | role | source |
|---|---|---|---|---|---|
| — | referred_to_committee | Pennsylvania Senate Education Committee | — | pa-leg |
The full graph
Every typed relationship touching this entity — 1 edge across 1 category. Grouped by what the connection is; the heaviest few are shown, with a link to the full list.
Committees
→ Referred to committee 1 edge
Who matters
Members ranked by combined influence on this bill: role (sponsor 5 / cosponsor 1), capped speech count from the Congressional Record, and recorded-vote engagement.
| # | Member | Role | Speeches | Voted | Score |
|---|---|---|---|---|---|
| 1 | Kristin Phillips-Hill (R, state_upper PA-28) | sponsor | 0 | — | 5 |
| 2 | Cris Dush (R, state_upper PA-25) | cosponsor | 0 | — | 1 |
| 3 | Daniel Laughlin (R, state_upper PA-49) | cosponsor | 0 | — | 1 |
| 4 | Doug Mastriano (R, state_upper PA-33) | cosponsor | 0 | — | 1 |
| 5 | Judy Ward (R, state_upper PA-30) | cosponsor | 0 | — | 1 |
| 6 | Michele Brooks (R, state_upper PA-50) | cosponsor | 0 | — | 1 |
| 7 | Patrick J. Stefano (R, state_upper PA-32) | cosponsor | 0 | — | 1 |
| 8 | Wayne D. Fontana (D, state_upper PA-42) | cosponsor | 0 | — | 1 |
Predicted vote
Aggregated from: actual roll-call votes (when present) → sponsor → cosponsor → party median (predicts YES when ≥25% of the caucus sponsored/cosponsored). Each row labels its confidence tier so you can see why a position was predicted.
0 predicted yes (0%) · 543 predicted no (100%) · 0 unknown (0%)
By party: · R: 0 yes / 277 no · D: 0 yes / 263 no · I: 0 yes / 3 no
Activity
Every typed-graph event involving this entity, newest first. Each row is one edge in the influence graph; click the date to jump to its provenance.
- 2026-05-20 · was referred to Pennsylvania Senate Education Committee · pa-leg