Stricken language would be deleted from and underlined language would be added to present law.
3/27/2023 4:36:02 PM TNL312

State of Arkansas
94th General Assembly
A Bill
Regular Session, 2023
SENATE BILL 500

By: Senator J. Bryant
By: Representative G. Hodges

For An Act To Be Entitled
AN ACT TO CREATE THE STUDENT DATA VENDOR SECURITY ACT; AND FOR OTHER PURPOSES.

Subtitle
TO CREATE THE STUDENT DATA VENDOR SECURITY ACT.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:

SECTION 1. Arkansas Code Title 6, Chapter 18, is amended to add an additional subchapter to read as follows:

Subchapter 25 — Student Data Vendor Security Act

6-18-2501. Title.
This subchapter shall be known and may be cited as the “Student Data Vendor Security Act”.

6-18-2502. Purpose.
The purpose of this subchapter is to increase security and transparency in the sharing and use of student data with and by third party vendors.

6-18-2503. Definitions.
As used in this subchapter:
(1) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity;
(2) “Control” means:
(A) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding voting securities of a company; or
(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar management functions of a company;
(3) “Deidentified data” means data that cannot reasonably be linked to an identified or identifiable natural person;
(4) “Destroy” means to remove student personally identifiable information so that the information is permanently irretrievable in the normal course of business;
(5) “Local education agency” means:
(A) A public school district; or
(B) An open-enrollment public charter school;
(6) “Parent” means:
(A) The biological or adoptive parent of a student;
(B) A student's legal guardian; or
(C) A person standing in loco parentis to a student;
(7) “Public education entity” means:
(A) The Department of Education;
(B) A public school within a public school district; or
(C) An open-enrollment public charter school;
(8)(A) “School service” means a website, online service, online application, or mobile application that:
(i) Is designed and marketed primarily for use in a preschool, elementary school, or secondary school;
(ii) Is used at the direction of teachers or other employees of a local education agency; and
(iii) Collects, maintains, or uses student personally identifiable information.
(B) “School service” does not include a website, online service, online application, or mobile application that is designed and marketed for use by individuals or entities generally, even if the website, online service, online application, or mobile application is also marketed to a preschool, elementary school, or secondary school;
(9) “School service contract provider” means an entity, other than a local education agency or an institution of higher education, that enters into a formal, negotiated contract with a public education entity to provide a school service;
(10) “School service on-demand provider” means an entity, other than a public education entity or an institution of higher education, that provides a school service to a public education entity, subject to agreement by the public education entity, or an employee of the public education entity, to standard, nonnegotiable terms and conditions of service established by the entity;
(11)(A) “Student personally identifiable information” means information that, alone or in combination, personally identifies an individual student or the student’s parent or family, and that is collected, maintained, generated, or inferred by:
(i) A public education entity, either directly or through a school service;
(ii) A school service contract provider; or
(iii) A school service on-demand provider.
(B) “Student personally identifiable information” does not include deidentified data;
(12)(A) “Targeted advertising” means selecting and sending advertisements to a student based on personal data obtained or inferred over time from the student’s online behavior, use of applications, or student personally identifiable information.
(B) “Targeted advertising” does not include:
(i) Advertising to a student:
(a) At an online location based on the student’s current visit to that location or in response to the student’s request for information or feedback; and
(b) Without the collection and retention of a student’s online activities over time;
(ii) Adaptive learning, personalized learning, or customized education;
(iii) With the consent of a student or the student’s parent, using the student’s personally identifiable information to identify for the student institutions of higher education or scholarship providers that are seeking students who meet specific criteria; or
(iv) Processing personal data solely for measuring or reporting advertising performance, reach, or frequency; and
(13)(A) “Vendor” means a business or other organization with which a public education entity contracts for a product or service.
(B) “Vendor” includes a school service contract provider and a school service on-demand provider.

6-18-2504. Local education agency — Vendor security and transparency.
(a) Each local education agency shall ensure that all contracts that disclose or make available student personally identifiable information to vendors, including school service contract providers, school service on-demand providers, and other third parties, including without limitation subcontractors of contract providers, include express provisions that safeguard the privacy and security of student personally identifiable information.
(b)(1)(A) Each local education agency shall maintain a list of the school service contract providers that the local education agency contracts with for school services that include or make available student personally identifiable information.
(B) A local education agency shall:
(i) At a minimum, update the list of school service contract providers required under subdivision (b)(1)(A) of this section at the beginning and mid-point of each school year;
(ii) Upon the request of a parent, provide a copy of the list required under subdivision (b)(1)(A) of this section; and
(iii) Maintain a copy of each contract between the local education agency and a school service contract provider.
(2)(A) A local education agency shall ensure that the terms of a contract entered into or renewed by the local education agency with a school service contract provider on and after the effective date of this act, at a minimum, require the school service contract provider to comply with the requirements in § 6-18-2505 and § 6-18-2507.
(B)(i) If a school service contract provider commits a material breach of a contract that involves the misuse or unauthorized release of student personally identifiable information, the local education agency shall determine whether to terminate the contract at the direction of, or in accordance with a policy adopted by, the governing body of the local education agency.
(ii) At a minimum, within a reasonable time after the local education agency identifies the existence of a material breach of contract, the local education agency shall:
(a) Investigate the nature of the material breach;
(b) Provide an opportunity for the school service contract provider to respond concerning the alleged material breach;
(c) Obtain the advice and direction of the governing body of the local education agency; and
(d) Determine whether to terminate or continue the contract with the school service contract provider.
(3) On and after the effective date of this act, a local education agency shall not enter into or renew a contract with a school service contract provider that:
(A) Refuses to accept the terms specified in subdivision (b)(2) of this section; or
(B) Has substantially failed to comply with one (1) or more of the requirements in § 6-18-2505 and § 6-18-2507.
(c)(1)(A) Each local education agency shall maintain a list of the school service on-demand providers that the local education agency or an employee of the local education agency uses for school services that include or make available student personally identifiable information.
(B) A local education agency shall:
(i) At a minimum, update the list of school service on-demand providers required under subdivision (c)(1)(A) of this section at the beginning and mid-point of each school year; and
(ii) Upon the request of a parent, provide a copy of the list required under subdivision (c)(1)(A) of this section and, upon further request of the parent, assist the parent in obtaining the data privacy policy of the school service on-demand providers.
(2) If a parent has evidence demonstrating that a school service on-demand provider with which a local education agency or an employee of a local education agency acting on behalf of a local education agency contracts does not substantially comply with the school service on-demand provider’s privacy policy or does not meet the requirements in § 6-18-2506(b) and § 6-18-2507(a), the parent may notify the local education agency and provide the evidence for the parent’s conclusion.
(3)(A) If a local education agency has evidence demonstrating that a school service on-demand provider does not substantially comply with the school service on-demand provider’s privacy policy or does not meet the requirements in § 6-18-2506(b) and § 6-18-2507(a), the local education agency may cease using or refuse to use the school service on-demand provider and prohibit employees of the local education agency from using the school service on-demand provider.
(B) The local education agency shall notify the school service on-demand provider that the:
(i) Local education agency is ceasing or refusing to use the school service on-demand provider under subdivision (c)(3)(A) of this section; and
(ii) School service on-demand provider may submit a written response to the local education agency.
(C) The local education agency shall:
(i) Notify the Department of Education if the local education agency ceases using a school service on-demand provider for the reasons described in subdivision (c)(3) of this section; and
(ii) Provide a copy of any written response that a school service on-demand provider submits to the local education agency under subdivision (c)(3)(b)(ii) of this section.

6-18-2505. School service contract provider — Data transparency.
(a)(1) Each school service contract provider shall provide clear information that is understandable by a layperson explaining:
(A) The elements of student personally identifiable information that the school service contract provider collects;
(B) The purpose for which the school service contract provider collects the student personally identifiable information; and
(C) How the school service contract provider uses and shares the student personally identifiable information.
(2) The information required under subdivision (a)(1) of this section shall include all student personally identifiable information that the school service contract provider collects regardless of whether it is initially collected or ultimately held individually or in the aggregate.
(3) A school service contract provider shall:
(A) Provide the information required under subdivision (a)(1) of this section to each public education entity that the school service contract provider contracts with in a format that is easily accessible; and
(B) Update the information required under subdivision (a)(1) of this section as necessary to maintain accuracy.
(b) A school service contract provider shall:
(1) Provide clear notice to each public education entity that it contracts with before making material changes to its privacy policy for school services that would result in a material reduction in the level of privacy and security provided for student personally identifiable information; and
(2) Facilitate access to and the correction of any factually inaccurate student personally identifiable information by a contracting local education agency in response to a request for correction that the local education agency receives and to which the local education agency responds.
(d) Upon discovering the misuse or unauthorized release of student personally identifiable information held by a school service contract provider, a subcontractor of a school service contract provider, or a subsequent subcontractor of a school service contract provider, the school service contract provider shall notify the contracting public education entity as soon as possible, regardless of whether the misuse or unauthorized release is a result of a material breach of the terms of a contract.

6-18-2506. School service contract provider — Use of data.
(a)(1) A school service contract provider may collect, use, and share student personally identifiable information only:
(A) For the purposes authorized in the contract between the school service contract provider and a public education entity; or
(B) With the consent of the student who is the subject of the information or the student’s parent.
(2) A school service contract provider shall obtain the consent of a student or a student’s parent before using student personally identifiable information in a manner that is materially inconsistent with the contract between the school service contract provider and the public education entity that applies to the collection of the student personally identifiable information.
(b)(1) A school service contract provider shall not:
(A) Sell student personally identifiable information;
(B) Use or share student personally identifiable information for purposes of targeted advertising to students; or
(C) Use student personally identifiable information to create a personal profile of a student other than for supporting purposes authorized by the contracting public education entity or with the consent of the student or the student’s parent.
(2) Notwithstanding anything in this subchapter to the contrary, selling student personally identifiable information does not include a school service contract provider's use, sharing, or transfer of student personally identifiable information:
(A) With or to an affiliate of the school service contract provider;
(B) For any purpose permitted under subdivision (a)(1) of this section;
(C) With or to a third party that processes the student personally identifiable information on behalf of the school service contract provider;
(D) For any purpose at the direction of the contracting public education entity or with the consent of the student or the student’s parent; or
(E) In connection with the purchase, merger, or other type of acquisition of a school service contract provider, or any assets of a school service contract provider, by another entity, so long as the successor entity continues to be subject to the provisions of this subchapter with respect to student personally identifiable information that the school service contract provider acquired while subject to this subchapter.
(c) Notwithstanding subdivision (a)(2) or subsection (b) of this section to the contrary, a school service contract provider may use or disclose student personally identifiable information:
(1)(A) To:
(i) Ensure legal or regulatory compliance or to take precautions against liability;
(ii) Respond to or participate in the judicial process;
(iii) Protect the safety of users or others on the school service contract provider’s website, online service, online application, or mobile application; or
(iv) Investigate a matter related to public safety.
(B) If a school service contract provider uses or discloses student personally identifiable information as permitted under subdivision (c)(1)(A) of this section, the school service contract provider shall notify the contracting public education entity as soon as possible after the use or disclosure of the information; and
(2)(A) To a subcontractor only if the school service contract provider contractually requires the subcontractor to comply with this subchapter.
(B) Subdivision (c)(2)(A) of this section shall apply to the ability of an initial or subsequent subcontractor to further subcontract.
(C)(i) If a public education entity determines that an initial or subsequent subcontractor has committed a material breach of contract that involves the misuse or unauthorized disclosure of student personally identifiable information, the public education entity shall comply with the requirements of § 6-18-2504.
(ii) However, the public education entity is not required to consider terminating the contract if the school service contract provider terminates the contract with the subcontractor as soon as possible after the school service contract provider knows or has reason to know of the initial or subsequent subcontractor’s material breach.
(d) A student may consent to the use, sharing, or retention of the student’s student personally identifiable information only if the student is eighteen (18) years of age or older or legally emancipated for purposes of this section.

6-18-2507. School service contract provider — Data security and destruction.
(a)(1) A school service contract provider shall maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personally identifiable information.
(2) The comprehensive information security program required under subdivision (a)(1) of this section shall make use of appropriate administrative, technological, and physical safeguards.
(b) During the term of a contract between a school service contract provider and a public education entity, if the contracting public education entity requests destruction of a student’s student personally identifiable information collected, generated, or inferred as a result of the contract, the contracting school service contract provider shall destroy the information as soon as practicable after the date of the request unless:
(1) The school service contract provider obtains the consent of the student or the student’s parent to retain the student’s student personally identifiable information; or
(2) The student has transferred to another public education entity and the receiving public education entity has requested that the school service contract provider retain the student’s student personally identifiable information.
(c)(1) Following the termination or conclusion of a contract between a school service contract provider and a public education entity, the school service contract provider shall, within the time period specified in the contract, destroy all student personally identifiable information collected, generated, or inferred as a result of the contract.
(2) If the contract does not specify a period for destruction of student personally identifiable information, the school service contract provider shall destroy the information as soon as practicable after the information is no longer needed for the purpose of the contract between the school service contract provider and the public education entity.
(3) Upon request of the public education entity, the school service contract provider shall notify the public education entity of the date upon which all of the student personally identifiable information is destroyed.

6-18-2508. Exceptions — Applicability.
(a) Notwithstanding any provision of this subchapter to the contrary, this subchapter does not prohibit the use of student personally identifiable information to:
(1) Use adaptive learning or design personalized or customized education;
(2) Maintain, develop, support, improve, or diagnose a school service contract provider’s website, online service, online application, or mobile application;
(3) Provide recommendations for school, educational, or employment purposes within a school service, so long as the response is not determined in whole or in part by payment or other consideration from a third party;
(4) Respond to a student’s request for information or for feedback so long as the information or response is not determined in whole or in part by payment or other consideration from a third party;
(5) Identify for the student, only with the written consent of the student or the student’s parent, institutions of higher education or scholarship providers that are seeking students who meet specific criteria, regardless of whether the identified institutions of higher education or scholarship providers provide consideration to the school service contract provider;
(6) In accordance with the terms of a contract between the school service contract provider and a public education entity, produce and distribute, free or for consideration, student class photos and yearbooks only to the public education entity, students, parents, or individuals authorized by parents; or
(7)(A) Provide for the student, only with the express written consent of the student or the student’s parent given in
response to clear and conspicuous notice, access to employment opportunities, educational scholarships or financial aid, or postsecondary education opportunities, regardless of whether the school service contract provider receives consideration from one or more third parties in exchange for the student personally identifiable information.
(B) Subdivision (a)(7)(A) of this section applies only to a school service contract provider that provides nationally recognized assessments that postsecondary institutions of higher education use in making admissions decisions.
(b) This subchapter does not:
(1) Impose a duty on a provider of interactive computer service, as defined in 47 U.S.C. Sec. 230, as it existed on January 1, 2023, to review or enforce compliance with this subchapter by school service contract providers or school service on-demand providers;
(2) Impede the ability of a student to download, export, or otherwise save or maintain his or her own student personally identifiable information or documents;
(3) Limit internet service providers from providing internet connectivity to local education agencies or to students and their families;
(4) Prohibit a school service contract provider from marketing educational products directly to parents so long as the marketing does not result from the use of student personally identifiable information obtained by the school service contract provider as a result of providing its website, online service, online application, or mobile application to a public education entity; or
(5) Impose a duty on a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this subchapter on that software or those applications.
(c) The requirements in § 6-18-2505 and § 6-18-2507 shall apply to a school service contract provider that enters or renews a contract with a public education entity on or after the effective date of this act.

SECTION 2. DO NOT CODIFY. Effective date. This act shall be effective on and after June 1, 2024.