| 1 | 1 | | Stricken language would be deleted from and underlined language would be added to present law. |
|---|
| 2 | 2 | | *TNL312* 3/27/2023 4:36:02 PM TNL312 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | State of Arkansas 1 |
|---|
| 5 | 5 | | 94th General Assembly A Bill 2 |
|---|
| 6 | 6 | | Regular Session, 2023 SENATE BILL 500 3 |
|---|
| 7 | 7 | | 4 |
|---|
| 8 | 8 | | By: Senator J. Bryant 5 |
|---|
| 9 | 9 | | By: Representative G. Hodges 6 |
|---|
| 10 | 10 | | 7 |
|---|
| 11 | 11 | | For An Act To Be Entitled 8 |
|---|
| 12 | 12 | | AN ACT TO CREATE THE STUDENT DATA VENDOR SECURITY 9 |
|---|
| 13 | 13 | | ACT; AND FOR OTHER P URPOSES. 10 |
|---|
| 14 | 14 | | 11 |
|---|
| 15 | 15 | | 12 |
|---|
| 16 | 16 | | Subtitle 13 |
|---|
| 17 | 17 | | TO CREATE THE STUDENT DATA VENDOR 14 |
|---|
| 18 | 18 | | SECURITY ACT. 15 |
|---|
| 19 | 19 | | 16 |
|---|
| 20 | 20 | | 17 |
|---|
| 21 | 21 | | BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS: 18 |
|---|
| 22 | 22 | | 19 |
|---|
| 23 | 23 | | SECTION 1. Arkansas Code Title 6, Chapter 18, is amended to add an 20 |
|---|
| 24 | 24 | | additional subchapter to read as follows: 21 |
|---|
| 25 | 25 | | Subchapter 25 — Student Data Vendor Security Act 22 |
|---|
| 26 | 26 | | 23 |
|---|
| 27 | 27 | | 6-18-2501. Title. 24 |
|---|
| 28 | 28 | | This subchapter shall be known and may be cited as the “Student Data 25 |
|---|
| 29 | 29 | | Vendor Security Act”. 26 |
|---|
| 30 | 30 | | 27 |
|---|
| 31 | 31 | | 6-18-2502. Purpose. 28 |
|---|
| 32 | 32 | | The purpose of this subchapter is to increase security and transparency 29 |
|---|
| 33 | 33 | | in the sharing and use of student data with and by third party vendors. 30 |
|---|
| 34 | 34 | | 31 |
|---|
| 35 | 35 | | 6-18-2503. Definitions. 32 |
|---|
| 36 | 36 | | As used in this subchapter: 33 |
|---|
| 37 | 37 | | (1) “Affiliate” means a legal enti ty that controls, is 34 |
|---|
| 38 | 38 | | controlled by, or is under common control with another legal entity; 35 |
|---|
| 39 | 39 | | (2) “Control” means: 36 SB500 |
|---|
| 40 | 40 | | |
|---|
| 41 | 41 | | 2 3/27/2023 4:36:02 PM TNL312 |
|---|
| 42 | 42 | | |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | (A) Ownership of, or the power to vote, more than fifty 1 |
|---|
| 45 | 45 | | percent (50%) of the outstanding voting securities of a company; or 2 |
|---|
| 46 | 46 | | (B) Control in any manner over the election of a majority 3 |
|---|
| 47 | 47 | | of the directors or of individuals exercising similar management functions of 4 |
|---|
| 48 | 48 | | a company; 5 |
|---|
| 49 | 49 | | (3) “Deidentified data” means data that cannot reasonably be 6 |
|---|
| 50 | 50 | | linked to an identified or identifiable natural person ; 7 |
|---|
| 51 | 51 | | (4) “Destroy” means to remove student personally identifiable 8 |
|---|
| 52 | 52 | | information so that the information is permanently irretrievable in the 9 |
|---|
| 53 | 53 | | normal course of business; 10 |
|---|
| 54 | 54 | | (5) "Local education agency" means: 11 |
|---|
| 55 | 55 | | (A) A public school district; or 12 |
|---|
| 56 | 56 | | (B) An open-enrollment public charter school; 13 |
|---|
| 57 | 57 | | (6) “Parent” means: 14 |
|---|
| 58 | 58 | | (A) The biological or adoptive parent of a student; 15 |
|---|
| 59 | 59 | | (B) A student's legal guardian; or 16 |
|---|
| 60 | 60 | | (C) A person standing in loco parentis to a student; 17 |
|---|
| 61 | 61 | | (7) “Public education entity” means: 18 |
|---|
| 62 | 62 | | (A) The Department of Education; 19 |
|---|
| 63 | 63 | | (B) A public school within a public school district; or 20 |
|---|
| 64 | 64 | | (C) An open-enrollment public charter school; 21 |
|---|
| 65 | 65 | | (8)(A) “School service” means a website, online service, online 22 |
|---|
| 66 | 66 | | application, or mobile application that: 23 |
|---|
| 67 | 67 | | (i) Is designed and marketed primarily for use in a 24 |
|---|
| 68 | 68 | | preschool, elementary school, or secondary school; 25 |
|---|
| 69 | 69 | | (ii) Is used at the direction of teachers or other 26 |
|---|
| 70 | 70 | | employees of a local education agency; and 27 |
|---|
| 71 | 71 | | (iii) Collects, maintains, or uses student 28 |
|---|
| 72 | 72 | | personally identifiable information. 29 |
|---|
| 73 | 73 | | (B) “School service” does not include a website, online 30 |
|---|
| 74 | 74 | | service, online application, or mobile application that is designed and 31 |
|---|
| 75 | 75 | | marketed for use by individuals or entities generally, even if the website, 32 |
|---|
| 76 | 76 | | online service, online application, or mobile application is also marketed to 33 |
|---|
| 77 | 77 | | a preschool, elementary school, or secondary school; 34 |
|---|
| 78 | 78 | | (9) “School service contract provider” means an entity, other 35 |
|---|
| 79 | 79 | | than a local education agency or an institution of higher education, that 36 SB500 |
|---|
| 80 | 80 | | |
|---|
| 81 | 81 | | 3 3/27/2023 4:36:02 PM TNL312 |
|---|
| 82 | 82 | | |
|---|
| 83 | 83 | | |
|---|
| 84 | 84 | | enters into a formal, negotiated contract with a public education entity to 1 |
|---|
| 85 | 85 | | provide a school service; 2 |
|---|
| 86 | 86 | | (10) “School service on -demand provider” means an entity, other 3 |
|---|
| 87 | 87 | | than a public education entity or an institution of higher education, that 4 |
|---|
| 88 | 88 | | provides a school service to a public education entity, subject to agreement 5 |
|---|
| 89 | 89 | | by the public education entity, or an employee of the public education 6 |
|---|
| 90 | 90 | | entity, to standard, nonnegotiable terms and conditions of service 7 |
|---|
| 91 | 91 | | established by the entity; 8 |
|---|
| 92 | 92 | | (11)(A) “Student personal ly identifiable information” means 9 |
|---|
| 93 | 93 | | information that, alone or in combination, personally identifies an 10 |
|---|
| 94 | 94 | | individual student or the student’s parent or family, and that is collected, 11 |
|---|
| 95 | 95 | | maintained, generated, or inferred by: 12 |
|---|
| 96 | 96 | | (i) A public education entity, e ither directly or 13 |
|---|
| 97 | 97 | | through a school service; 14 |
|---|
| 98 | 98 | | (ii) A school service contract provider; or 15 |
|---|
| 99 | 99 | | (iii) A school service on -demand provider. 16 |
|---|
| 100 | 100 | | (B) “Student personally identifiable information” does not 17 |
|---|
| 101 | 101 | | include deidentified data; 18 |
|---|
| 102 | 102 | | (12)(A) “Targeted adve rtising” means selecting and sending 19 |
|---|
| 103 | 103 | | advertisements to a student based on personal data obtained or inferred over 20 |
|---|
| 104 | 104 | | time from the student’s online behavior, use of applications, or student 21 |
|---|
| 105 | 105 | | personally identifiable information. 22 |
|---|
| 106 | 106 | | (B) “Targeted advertising” d oes not include: 23 |
|---|
| 107 | 107 | | (i) Advertising to a student: 24 |
|---|
| 108 | 108 | | (a) At an online location based on the 25 |
|---|
| 109 | 109 | | student’s current visit to that location or in response to the student’s 26 |
|---|
| 110 | 110 | | request for information or feedback; and 27 |
|---|
| 111 | 111 | | (b) Without the collection and retention of a 28 |
|---|
| 112 | 112 | | student’s online activities over time; 29 |
|---|
| 113 | 113 | | (ii) Adaptive learning, personalized learning, or 30 |
|---|
| 114 | 114 | | customized education; 31 |
|---|
| 115 | 115 | | (iii) With the consent of a student or the student’s 32 |
|---|
| 116 | 116 | | parent, using the student’s personally identifiable information to identify 33 |
|---|
| 117 | 117 | | for the student institutions of higher education or scholarship providers 34 |
|---|
| 118 | 118 | | that are seeking students who meet specific criteria; or 35 |
|---|
| 119 | 119 | | (iv) Processing personal data solely for measuring 36 SB500 |
|---|
| 120 | 120 | | |
|---|
| 121 | 121 | | 4 3/27/2023 4:36:02 PM TNL312 |
|---|
| 122 | 122 | | |
|---|
| 123 | 123 | | |
|---|
| 124 | 124 | | or reporting advertising performance, reach, or frequency; a nd 1 |
|---|
| 125 | 125 | | (13)(A) “Vendor” means a business or other organization with 2 |
|---|
| 126 | 126 | | which a public education entity contracts for a product or service. 3 |
|---|
| 127 | 127 | | (B) “Vendor” includes a school service contract provider 4 |
|---|
| 128 | 128 | | and a school service on -demand provider. 5 |
|---|
| 129 | 129 | | 6 |
|---|
| 130 | 130 | | 6-18-2504. Local education agency — Vendor security and transparency. 7 |
|---|
| 131 | 131 | | (a) Each local education agency shall ensure that all contracts that 8 |
|---|
| 132 | 132 | | disclose or make available student personally identifiable information to 9 |
|---|
| 133 | 133 | | vendors, including school service contract providers, sch ool service on-10 |
|---|
| 134 | 134 | | demand providers, and other third parties, including without limitation 11 |
|---|
| 135 | 135 | | subcontractors of contract providers, include express provisions that 12 |
|---|
| 136 | 136 | | safeguard the privacy and security of student personally identifiable 13 |
|---|
| 137 | 137 | | information. 14 |
|---|
| 138 | 138 | | (b)(1)(A) Each local education agency shall maintain a list of the 15 |
|---|
| 139 | 139 | | school service contract providers that the local education agency contracts 16 |
|---|
| 140 | 140 | | with for school services that include or make available student personally 17 |
|---|
| 141 | 141 | | identifiable information. 18 |
|---|
| 142 | 142 | | (B) A local education agency shall: 19 |
|---|
| 143 | 143 | | (i) At a minimum, update the list of school service 20 |
|---|
| 144 | 144 | | contract providers required under subdivision (b)(1)(A) of this section at 21 |
|---|
| 145 | 145 | | the beginning and mid -point of each school year; 22 |
|---|
| 146 | 146 | | (ii) Upon the request of a parent, provide a copy of 23 |
|---|
| 147 | 147 | | the list required under subdivision (b)(1)(A) of this section; and 24 |
|---|
| 148 | 148 | | (iii) Maintain a copy of each contract between the 25 |
|---|
| 149 | 149 | | local education agency and a school service contract provider. 26 |
|---|
| 150 | 150 | | (2)(A) A local education agency shall ensure that the terms of a 27 |
|---|
| 151 | 151 | | contract entered into or renewed by the local education agency with a school 28 |
|---|
| 152 | 152 | | service contract provider on and after the effective date of this act, at a 29 |
|---|
| 153 | 153 | | minimum, require the school service contract provider to comply with the 30 |
|---|
| 154 | 154 | | requirements in § 6-18-2505 and § 6-18-2507. 31 |
|---|
| 155 | 155 | | (B)(i) If a school service contract provider commits a 32 |
|---|
| 156 | 156 | | material breach of a contract that involves the misuse or unauthorized 33 |
|---|
| 157 | 157 | | release of student personally identifiable information, the local education 34 |
|---|
| 158 | 158 | | agency shall determine whether to term inate the contract at the direction of, 35 |
|---|
| 159 | 159 | | or in accordance with a policy adopted by, the governing body of the local 36 SB500 |
|---|
| 160 | 160 | | |
|---|
| 161 | 161 | | 5 3/27/2023 4:36:02 PM TNL312 |
|---|
| 162 | 162 | | |
|---|
| 163 | 163 | | |
|---|
| 164 | 164 | | education agency. 1 |
|---|
| 165 | 165 | | (ii) At a minimum, within a reasonable time after 2 |
|---|
| 166 | 166 | | the local education agency identifies the existence of a material br each of 3 |
|---|
| 167 | 167 | | contract, the local education agency shall: 4 |
|---|
| 168 | 168 | | (a) Investigate the nature of the material 5 |
|---|
| 169 | 169 | | breach; 6 |
|---|
| 170 | 170 | | (b) Provide an opportunity for the school 7 |
|---|
| 171 | 171 | | service contract provider to respond concerning the alleged material breach; 8 |
|---|
| 172 | 172 | | (c) Obtain the advice and direction of the 9 |
|---|
| 173 | 173 | | governing body of the local education agency; and 10 |
|---|
| 174 | 174 | | (d) Determine whether to terminate or continue 11 |
|---|
| 175 | 175 | | the contract with the school service contract provider. 12 |
|---|
| 176 | 176 | | (3) On and after the effective date of this act, a local 13 |
|---|
| 177 | 177 | | education agency shall not enter into or renew a contract with a school 14 |
|---|
| 178 | 178 | | service contract provider that: 15 |
|---|
| 179 | 179 | | (A) Refuses to accept the terms specified in subdivision 16 |
|---|
| 180 | 180 | | (b)(2) of this section; or 17 |
|---|
| 181 | 181 | | (B) Has substantially failed to comply with one (1) or 18 |
|---|
| 182 | 182 | | more of the requirements in § 6-18-2505 and § 6-18-2507. 19 |
|---|
| 183 | 183 | | (c)(1)(A) Each local education agency shall maintain a list of the 20 |
|---|
| 184 | 184 | | school service on-demand providers that the local education agency or an 21 |
|---|
| 185 | 185 | | employee of the local education agency uses for school services that inc lude 22 |
|---|
| 186 | 186 | | or make available student personally identifiable information. 23 |
|---|
| 187 | 187 | | (B) A local education agency shall: 24 |
|---|
| 188 | 188 | | (i) At a minimum, update the list of school service 25 |
|---|
| 189 | 189 | | on-demand providers required under subdivision (c)(1)(A) of this section at 26 |
|---|
| 190 | 190 | | the beginning and mid-point of each school year; and 27 |
|---|
| 191 | 191 | | (ii) Upon the request of a parent, provide a copy of 28 |
|---|
| 192 | 192 | | the list required under subdivision (c)(1)(A) of this section and, upon 29 |
|---|
| 193 | 193 | | further request of the parent, assist the parent in obtaining the data 30 |
|---|
| 194 | 194 | | privacy policy of the school service on -demand providers. 31 |
|---|
| 195 | 195 | | (2) If a parent has evidence demonstrating that a school service 32 |
|---|
| 196 | 196 | | on-demand provider with which a local education agency or an employee of a 33 |
|---|
| 197 | 197 | | local education agency acting on behalf of a local education agency cont racts 34 |
|---|
| 198 | 198 | | does not substantially comply with the school service on -demand provider’s 35 |
|---|
| 199 | 199 | | privacy policy or does not meet the requirements in § 6 -18-2506(b) and § 6-36 SB500 |
|---|
| 200 | 200 | | |
|---|
| 201 | 201 | | 6 3/27/2023 4:36:02 PM TNL312 |
|---|
| 202 | 202 | | |
|---|
| 203 | 203 | | |
|---|
| 204 | 204 | | 18-2507(a), the parent may notify the local education agency and provide the 1 |
|---|
| 205 | 205 | | evidence for the parent ’s conclusion. 2 |
|---|
| 206 | 206 | | (3)(A) If a local education agency has evidence demonstrating 3 |
|---|
| 207 | 207 | | that a school service on -demand provider does not substantially comply with 4 |
|---|
| 208 | 208 | | the school service on -demand provider’s privacy policy or does not meet the 5 |
|---|
| 209 | 209 | | requirements in § 6-18-2506(b) and § 6-18-2507(a), the local education agency 6 |
|---|
| 210 | 210 | | may cease using or refuse to use the school service on -demand provider and 7 |
|---|
| 211 | 211 | | prohibit employees of the local education agency from using the school 8 |
|---|
| 212 | 212 | | service on-demand provider. 9 |
|---|
| 213 | 213 | | (B) The local education agency shall notify the school 10 |
|---|
| 214 | 214 | | service on-demand provider that the: 11 |
|---|
| 215 | 215 | | (i) Local education agency is ceasing or refusing to 12 |
|---|
| 216 | 216 | | use the school service on -demand provider under subdivision (c)(3)(A) of this 13 |
|---|
| 217 | 217 | | section; and 14 |
|---|
| 218 | 218 | | (ii) School service on -demand provider may submit a 15 |
|---|
| 219 | 219 | | written response to the local education agency. 16 |
|---|
| 220 | 220 | | (C) The local education agency shall: 17 |
|---|
| 221 | 221 | | (i) Notify the Department of Education if the local 18 |
|---|
| 222 | 222 | | education agency ceases using a school service on -demand provider for the 19 |
|---|
| 223 | 223 | | reasons described in subdivision (c)(3) of this section; and 20 |
|---|
| 224 | 224 | | (ii) Provide a copy of any written response that a 21 |
|---|
| 225 | 225 | | school service on-demand provider submits to the local education agency under 22 |
|---|
| 226 | 226 | | subdivision (c)(3)(b)(ii) of this section. 23 |
|---|
| 227 | 227 | | 24 |
|---|
| 228 | 228 | | 6-18-2505. School service contr act provider — Data transparency. 25 |
|---|
| 229 | 229 | | (a)(1) Each school service contract provider shall provide clear 26 |
|---|
| 230 | 230 | | information that is understandable by a layperson explaining: 27 |
|---|
| 231 | 231 | | (A) The elements of student personally identifiable 28 |
|---|
| 232 | 232 | | information that the school service c ontract provider collects; 29 |
|---|
| 233 | 233 | | (B) The purpose for which the school service contract 30 |
|---|
| 234 | 234 | | provider collects the student personally identifiable information; and 31 |
|---|
| 235 | 235 | | (C) How the school service contract provider uses and 32 |
|---|
| 236 | 236 | | shares the student personally identifiable information. 33 |
|---|
| 237 | 237 | | (2) The information required under subdivision (a)(1) of this 34 |
|---|
| 238 | 238 | | section shall include all student personally identifiable information that 35 |
|---|
| 239 | 239 | | the school service contract provider collects regardless of whether it is 36 SB500 |
|---|
| 240 | 240 | | |
|---|
| 241 | 241 | | 7 3/27/2023 4:36:02 PM TNL312 |
|---|
| 242 | 242 | | |
|---|
| 243 | 243 | | |
|---|
| 244 | 244 | | initially collected or ultim ately held individually or in the aggregate. 1 |
|---|
| 245 | 245 | | (3) A school service contract provider shall: 2 |
|---|
| 246 | 246 | | (A) Provide the information required under subdivision 3 |
|---|
| 247 | 247 | | (a)(1) of this section to each public education entity that the school 4 |
|---|
| 248 | 248 | | service contract provider contra cts with in a format that is easily 5 |
|---|
| 249 | 249 | | accessible; and 6 |
|---|
| 250 | 250 | | (B) Update the information required under subdivision 7 |
|---|
| 251 | 251 | | (a)(1) of this section as necessary to maintain accuracy. 8 |
|---|
| 252 | 252 | | (b) A school service contract provider shall: 9 |
|---|
| 253 | 253 | | (1) Provide clear notice to each public education entity that it 10 |
|---|
| 254 | 254 | | contracts with before making material changes to its privacy policy for 11 |
|---|
| 255 | 255 | | school services that would result in a material reduction in the level of 12 |
|---|
| 256 | 256 | | privacy and security provided for student personally identifiable 13 |
|---|
| 257 | 257 | | information; and 14 |
|---|
| 258 | 258 | | (2) Facilitate access to and the correction of any factually 15 |
|---|
| 259 | 259 | | inaccurate student personally identifiable information by a contracting local 16 |
|---|
| 260 | 260 | | education agency in response to a request for correction that the local 17 |
|---|
| 261 | 261 | | education agency receives and to whic h the local education agency responds. 18 |
|---|
| 262 | 262 | | (d) Upon discovering the misuse or unauthorized release of student 19 |
|---|
| 263 | 263 | | personally identifiable information held by a school service contract 20 |
|---|
| 264 | 264 | | provider, a subcontractor of a school service contract provider, or a 21 |
|---|
| 265 | 265 | | subsequent subcontractor of a school service contract provider, the school 22 |
|---|
| 266 | 266 | | service contract provider shall notify the contracting public education 23 |
|---|
| 267 | 267 | | entity as soon as possible, regardless of whether the misuse or unauthorized 24 |
|---|
| 268 | 268 | | release is a result of a material breach of the terms of a contract. 25 |
|---|
| 269 | 269 | | 26 |
|---|
| 270 | 270 | | 6-18-2506. School service contract provider — Use of data. 27 |
|---|
| 271 | 271 | | (a)(1) A school service contract provider may collect, use, and share 28 |
|---|
| 272 | 272 | | student personally identifiable information only: 29 |
|---|
| 273 | 273 | | (A) For the purposes authorized in the contract between 30 |
|---|
| 274 | 274 | | the school service contract provider and a public education entity; or 31 |
|---|
| 275 | 275 | | (B) With the consent of the student who is the subject of 32 |
|---|
| 276 | 276 | | the information or the student’s parent. 33 |
|---|
| 277 | 277 | | (2) A school service contract provider shall obtain the consen t 34 |
|---|
| 278 | 278 | | of a student or a student’s parent before using student personally 35 |
|---|
| 279 | 279 | | identifiable information in a manner that is materially inconsistent with the 36 SB500 |
|---|
| 280 | 280 | | |
|---|
| 281 | 281 | | 8 3/27/2023 4:36:02 PM TNL312 |
|---|
| 282 | 282 | | |
|---|
| 283 | 283 | | |
|---|
| 284 | 284 | | contract between the school service contract provider and the public 1 |
|---|
| 285 | 285 | | education entity that applies to the col lection of the student personally 2 |
|---|
| 286 | 286 | | identifiable information. 3 |
|---|
| 287 | 287 | | (b)(1) A school service contract provider shall not: 4 |
|---|
| 288 | 288 | | (A) Sell student personally identifiable information; 5 |
|---|
| 289 | 289 | | (B) Use or share student personally identifiable 6 |
|---|
| 290 | 290 | | information for purposes of ta rgeted advertising to students; or 7 |
|---|
| 291 | 291 | | (C) Use student personally identifiable information to 8 |
|---|
| 292 | 292 | | create a personal profile of a student other than for supporting purposes 9 |
|---|
| 293 | 293 | | authorized by the contracting public education entity or with the consent of 10 |
|---|
| 294 | 294 | | the student or the student’s parent. 11 |
|---|
| 295 | 295 | | (2) Notwithstanding anything in this subchapter to the contrary, 12 |
|---|
| 296 | 296 | | selling student personally identifiable information does not include a school 13 |
|---|
| 297 | 297 | | service contract provider's use, sharing, or transfer of student personally 14 |
|---|
| 298 | 298 | | identifiable information: 15 |
|---|
| 299 | 299 | | (A) With or to an affiliate of the school service contract 16 |
|---|
| 300 | 300 | | provider; 17 |
|---|
| 301 | 301 | | (B) For any purpose permitted under subdivision (a)(1) of 18 |
|---|
| 302 | 302 | | this section; 19 |
|---|
| 303 | 303 | | (C) With or to a third party that processes the student 20 |
|---|
| 304 | 304 | | personally identifiable information on behalf of the school service contract 21 |
|---|
| 305 | 305 | | provider; 22 |
|---|
| 306 | 306 | | (D) For any purpose at the direction of the contracting 23 |
|---|
| 307 | 307 | | public education entity or with the consent of the student or the student’s 24 |
|---|
| 308 | 308 | | parent; or 25 |
|---|
| 309 | 309 | | (E) In connection with the purchase, merge r, or other type 26 |
|---|
| 310 | 310 | | of acquisition of a school service contract provider, or any assets of a 27 |
|---|
| 311 | 311 | | school service contract provider, by another entity, so long as the successor 28 |
|---|
| 312 | 312 | | entity continues to be subject to the provisions of this subchapter with 29 |
|---|
| 313 | 313 | | respect to student personally identifiable information that the school 30 |
|---|
| 314 | 314 | | service contract provider acquired while subject to this subchapter. 31 |
|---|
| 315 | 315 | | (c) Notwithstanding subdivision (a)(2) or subsection (b) of this 32 |
|---|
| 316 | 316 | | section to the contrary, a school service contract provider may use or 33 |
|---|
| 317 | 317 | | disclose student personally identifiable information: 34 |
|---|
| 318 | 318 | | (1)(A) To: 35 |
|---|
| 319 | 319 | | (i) Ensure legal or regulatory compliance or to take 36 SB500 |
|---|
| 320 | 320 | | |
|---|
| 321 | 321 | | 9 3/27/2023 4:36:02 PM TNL312 |
|---|
| 322 | 322 | | |
|---|
| 323 | 323 | | |
|---|
| 324 | 324 | | precautions against liability; 1 |
|---|
| 325 | 325 | | (ii) Respond to or participate in the judicial 2 |
|---|
| 326 | 326 | | process; 3 |
|---|
| 327 | 327 | | (iii) Protect the safety o f users or others on the 4 |
|---|
| 328 | 328 | | school service contract provider’s website, online service, online 5 |
|---|
| 329 | 329 | | application, or mobile application; or 6 |
|---|
| 330 | 330 | | (iv) Investigate a matter related to public safety. 7 |
|---|
| 331 | 331 | | (B) If a school service contract provider uses or 8 |
|---|
| 332 | 332 | | discloses student personally identifiable information as permitted under 9 |
|---|
| 333 | 333 | | subdivision (c)(1)(A) of this section, the school service contract provider 10 |
|---|
| 334 | 334 | | shall notify the contracting public education entity as soon as possible 11 |
|---|
| 335 | 335 | | after the use or disclosure of the information; and 12 |
|---|
| 336 | 336 | | (2)(A) To a subcontractor only if the school service contract 13 |
|---|
| 337 | 337 | | provider contractually requires the subcontractor to comply with this 14 |
|---|
| 338 | 338 | | subchapter. 15 |
|---|
| 339 | 339 | | (B) Subdivision (c)(2)(A) of this section shall apply to 16 |
|---|
| 340 | 340 | | the ability of an initial or subsequent subc ontractor to further subcontract. 17 |
|---|
| 341 | 341 | | (C)(i) If a public education entity determines that an 18 |
|---|
| 342 | 342 | | initial or subsequent subcontractor has committed a material breach of 19 |
|---|
| 343 | 343 | | contract that involves the misuse or unauthorized disclosure of student 20 |
|---|
| 344 | 344 | | personally identifia ble information, the public education entity shall comply 21 |
|---|
| 345 | 345 | | with the requirements of § 6 -18-2504. 22 |
|---|
| 346 | 346 | | (ii) However, the public education entity is not 23 |
|---|
| 347 | 347 | | required to consider terminating the contract if the school service contract 24 |
|---|
| 348 | 348 | | provider terminates the contr act with the subcontractor as soon as possible 25 |
|---|
| 349 | 349 | | after the school service contract provider knows or has reason to know of the 26 |
|---|
| 350 | 350 | | initial or subsequent subcontractor’s material breach. 27 |
|---|
| 351 | 351 | | (d) A student may consent to the use, sharing, or retention of the 28 |
|---|
| 352 | 352 | | student’s student personally identifiable information only if the student is 29 |
|---|
| 353 | 353 | | eighteen (18) years of age or older or legally emancipated for purposes of 30 |
|---|
| 354 | 354 | | this section. 31 |
|---|
| 355 | 355 | | 32 |
|---|
| 356 | 356 | | 6-18-2507. School service contract provider — Data security and 33 |
|---|
| 357 | 357 | | destruction. 34 |
|---|
| 358 | 358 | | (a)(1) A school service contract provider shall maintain a 35 |
|---|
| 359 | 359 | | comprehensive information security program that is reasonably designed to 36 SB500 |
|---|
| 360 | 360 | | |
|---|
| 361 | 361 | | 10 3/27/2023 4:36:02 PM TNL312 |
|---|
| 362 | 362 | | |
|---|
| 363 | 363 | | |
|---|
| 364 | 364 | | protect the security, privacy, confidentiality, and integrity of student 1 |
|---|
| 365 | 365 | | personally identifiable information. 2 |
|---|
| 366 | 366 | | (2) The comprehensive inf ormation security program required 3 |
|---|
| 367 | 367 | | under subdivision (a)(1) of this section shall make use of appropriate 4 |
|---|
| 368 | 368 | | administrative, technological, and physical safeguards. 5 |
|---|
| 369 | 369 | | (b) During the term of a contract between a school service contract 6 |
|---|
| 370 | 370 | | provider and a public ed ucation entity, if the contracting public education 7 |
|---|
| 371 | 371 | | entity requests destruction of a student’s student personally identifiable 8 |
|---|
| 372 | 372 | | information collected, generated, or inferred as a result of the contract, 9 |
|---|
| 373 | 373 | | the contracting school service contract provider shall destroy the 10 |
|---|
| 374 | 374 | | information as soon as practicable after the date of the request unless: 11 |
|---|
| 375 | 375 | | (1) The school service contract provider obtains the consent of 12 |
|---|
| 376 | 376 | | the student or the student’s parent to retain the student’s student 13 |
|---|
| 377 | 377 | | personally identifiable information ; or 14 |
|---|
| 378 | 378 | | (2) The student has transferred to another public education 15 |
|---|
| 379 | 379 | | entity and the receiving public education entity has requested that the 16 |
|---|
| 380 | 380 | | school service contract provider retain the student’s student personally 17 |
|---|
| 381 | 381 | | identifiable information. 18 |
|---|
| 382 | 382 | | (c)(1) Following the termination or conclusion of a contract between a 19 |
|---|
| 383 | 383 | | school service contract provider and a public education entity, the school 20 |
|---|
| 384 | 384 | | service contract provider shall, within the time period specified in the 21 |
|---|
| 385 | 385 | | contract, destroy all student personally identifiabl e information collected, 22 |
|---|
| 386 | 386 | | generated, or inferred as a result of the contract. 23 |
|---|
| 387 | 387 | | (2) If the contract does not specify a period for destruction of 24 |
|---|
| 388 | 388 | | student personally identifiable information, the school service contract 25 |
|---|
| 389 | 389 | | provider shall destroy the information as soon as practicable after the 26 |
|---|
| 390 | 390 | | information is no longer needed for the purpose of the contract between the 27 |
|---|
| 391 | 391 | | school service contract provider and the public education entity. 28 |
|---|
| 392 | 392 | | (3) Upon request of the public education entity, the school 29 |
|---|
| 393 | 393 | | service contract provider shall notify the public education entity of the 30 |
|---|
| 394 | 394 | | date upon which all of the student personally identifiable information is 31 |
|---|
| 395 | 395 | | destroyed. 32 |
|---|
| 396 | 396 | | 33 |
|---|
| 397 | 397 | | 6-18-2508. Exceptions — Applicability. 34 |
|---|
| 398 | 398 | | (a) Notwithstanding any provision of this subchapter to the contrary, 35 |
|---|
| 399 | 399 | | this subchapter does not prohibit the use of student personally identifiable 36 SB500 |
|---|
| 400 | 400 | | |
|---|
| 401 | 401 | | 11 3/27/2023 4:36:02 PM TNL312 |
|---|
| 402 | 402 | | |
|---|
| 403 | 403 | | |
|---|
| 404 | 404 | | information to: 1 |
|---|
| 405 | 405 | | (1) Use adaptive learning or design personalized or customized 2 |
|---|
| 406 | 406 | | education; 3 |
|---|
| 407 | 407 | | (2) Maintain, develop, support, improve, or diagnose a school 4 |
|---|
| 408 | 408 | | service contract provider’s website, online service, online application, or 5 |
|---|
| 409 | 409 | | mobile application; 6 |
|---|
| 410 | 410 | | (3) Provide recommendations for school, educational, or 7 |
|---|
| 411 | 411 | | employment purposes within a school service, so long as the response is not 8 |
|---|
| 412 | 412 | | determined in whole or in part by payment or other consideration from a third 9 |
|---|
| 413 | 413 | | party; 10 |
|---|
| 414 | 414 | | (4) Respond to a student’s request for information or for 11 |
|---|
| 415 | 415 | | feedback so long as the information or response is not determined in whole or 12 |
|---|
| 416 | 416 | | in part by payment or other consideration from a third party; 13 |
|---|
| 417 | 417 | | (5) Identify for the student, only with the written consent of 14 |
|---|
| 418 | 418 | | the student or the student’s parent, institutions of higher education or 15 |
|---|
| 419 | 419 | | scholarship providers that are seeking students who meet specific criteria, 16 |
|---|
| 420 | 420 | | regardless of whether the identified institution s of higher education or 17 |
|---|
| 421 | 421 | | scholarship providers provide consideration to the school service contract 18 |
|---|
| 422 | 422 | | provider; 19 |
|---|
| 423 | 423 | | (6) In accordance with the terms of a contract between the 20 |
|---|
| 424 | 424 | | school service contract provider and a public education entity, produce and 21 |
|---|
| 425 | 425 | | distribute, free or for consideration, student class photos and yearbooks 22 |
|---|
| 426 | 426 | | only to the public education entity, students, parents, or individuals 23 |
|---|
| 427 | 427 | | authorized by parents; or 24 |
|---|
| 428 | 428 | | (7)(A) Provide for the student, only with the express written 25 |
|---|
| 429 | 429 | | consent of the student or th e student’s parent given in response to clear and 26 |
|---|
| 430 | 430 | | conspicuous notice, access to employment opportunities, educational 27 |
|---|
| 431 | 431 | | scholarships or financial aid, or postsecondary education opportunities, 28 |
|---|
| 432 | 432 | | regardless of whether the school service contract provider receiv es 29 |
|---|
| 433 | 433 | | consideration from one or more third parties in exchange for the student 30 |
|---|
| 434 | 434 | | personally identifiable information. 31 |
|---|
| 435 | 435 | | (B) Subdivision (a)(7)(A) of this section applies only to 32 |
|---|
| 436 | 436 | | a school service contract provider that provides nationally recognized 33 |
|---|
| 437 | 437 | | assessments that postsecondary institutions of higher education use in making 34 |
|---|
| 438 | 438 | | admissions decisions. 35 |
|---|
| 439 | 439 | | (b) This subchapter does not: 36 SB500 |
|---|
| 440 | 440 | | |
|---|
| 441 | 441 | | 12 3/27/2023 4:36:02 PM TNL312 |
|---|
| 442 | 442 | | |
|---|
| 443 | 443 | | |
|---|
| 444 | 444 | | (1) Impose a duty on a provider of interactive computer service, 1 |
|---|
| 445 | 445 | | as defined in 47 U.S.C. Sec. 230, as it existed on January 1, 2023, to review 2 |
|---|
| 446 | 446 | | or enforce compliance with this subchapter by school service contract 3 |
|---|
| 447 | 447 | | providers or school service on -demand providers; 4 |
|---|
| 448 | 448 | | (2) Impede the ability of a student to download, export, or 5 |
|---|
| 449 | 449 | | otherwise save or maintain his or her own student personally id entifiable 6 |
|---|
| 450 | 450 | | information or documents; 7 |
|---|
| 451 | 451 | | (3) Limit internet service providers from providing internet 8 |
|---|
| 452 | 452 | | connectivity to local education agencies or to students and their families; 9 |
|---|
| 453 | 453 | | (4) Prohibit a school service contract provider from marketing 10 |
|---|
| 454 | 454 | | educational products directly to parents so long as the marketing does not 11 |
|---|
| 455 | 455 | | result from the use of student personally identifiable information obtained 12 |
|---|
| 456 | 456 | | by the school service contract provider as a result of providing its website, 13 |
|---|
| 457 | 457 | | online service, online application, or m obile application to a public 14 |
|---|
| 458 | 458 | | education entity; or 15 |
|---|
| 459 | 459 | | (5) Impose a duty on a provider of an electronic store, gateway, 16 |
|---|
| 460 | 460 | | marketplace, or other means of purchasing or downloading software or 17 |
|---|
| 461 | 461 | | applications to review or enforce compliance with this subchapter on that 18 |
|---|
| 462 | 462 | | software or those applications. 19 |
|---|
| 463 | 463 | | (c) The requirements in § 6 -18-2505 and § 6-18-2507 shall apply to a 20 |
|---|
| 464 | 464 | | school service contract provider that enters or renews a contract with a 21 |
|---|
| 465 | 465 | | public education entity on or after the effective date of this act. 22 |
|---|
| 466 | 466 | | 23 |
|---|
| 467 | 467 | | SECTION 2. DO NOT CODIFY. Effective date. This act shall be 24 |
|---|
| 468 | 468 | | effective on and after June 1, 2024. 25 |
|---|
| 469 | 469 | | 26 |
|---|
| 470 | 470 | | 27 |
|---|
| 471 | 471 | | 28 |
|---|
| 472 | 472 | | 29 |
|---|
| 473 | 473 | | 30 |
|---|
| 474 | 474 | | 31 |
|---|
| 475 | 475 | | 32 |
|---|
| 476 | 476 | | 33 |
|---|
| 477 | 477 | | 34 |
|---|
| 478 | 478 | | 35 |
|---|
| 479 | 479 | | 36 |
|---|