1 of 1
HOUSE DOCKET, NO. 842 FILED ON: 1/13/2025
HOUSE . . . . . . . . . . . . . . . No. 633
The Commonwealth of Massachusetts
_________________
PRESENTED BY:
Kate Lipper-Garabedian and Jeffrey N. Roy
_________________
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act relative to student and educator data privacy.
_______________
PETITION OF:
NAME:DISTRICT/ADDRESS :DATE ADDED:Kate Lipper-Garabedian32nd Middlesex1/13/2025Jeffrey N. Roy10th Norfolk1/13/2025Lindsay N. Sabadosa1st Hampshire1/29/2025 1 of 12
HOUSE DOCKET, NO. 842 FILED ON: 1/13/2025
HOUSE . . . . . . . . . . . . . . . No. 633
By Representatives Lipper-Garabedian of Melrose and Roy of Franklin, a petition (accompanied
by bill, House, No. 633) of Kate Lipper-Garabedian, Jeffrey N. Roy and Lindsay N. Sabadosa
relative to student and educator data privacy. Education.
[SIMILAR MATTER FILED IN PREVIOUS SESSION
SEE HOUSE, NO. 532 OF 2023-2024.]
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Fourth General Court
(2025-2026)
_______________
An Act relative to student and educator data privacy.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
of the same, as follows:
1 Chapter 71 of the General Laws is hereby amended by inserting after section 34H the
2following four sections:-
3 Section 34I. As used in sections 34I through 34L, the following words shall, unless the
4context clearly requires otherwise, have the following meanings:
5 “Aggregated data”, data collected and reported at the group, cohort, school, school
6district, region or state level that is aggregated using protocols that are both intended and
7reasonably likely to preserve the anonymity of each individual.
8 “Board”, the board of elementary and secondary education. 2 of 12
9 “Commissioner”, the commissioner of the department of elementary and secondary
10education.
11 "Covered information", information, data or records, inclusive of student records as
12defined in the board’s regulations, that, alone or in combination, can be used to identify a
13specific student, teacher, principal, administrator or student’s family member and that is: (i)
14created by or provided to an operator by a student, or the student's parent or legal guardian, in the
15course of the student's, parent's or legal guardian's use of the operator's site, service or
16application for K-12 school purposes; (ii) created by or provided to an operator by an employee
17or agent of a school district or K-12 school for K-12 school purposes; (iii) gathered by an
18operator through the operation of its site, service or application for K-12 school purposes and
19personally identifies a student; or (iv) gathered by an operator through the operation of its site,
20service or application in connection with performance evaluations conducted pursuant to section
2138 of this chapter and that personally identifies a teacher, principal or administrator.
22 For a student, covered information includes, but is not limited to, information in the
23student's educational record or electronic mail, including student-generated work; first and last
24name; home address and geolocation information; telephone number; electronic mail address or
25other information that allows physical or online contact; discipline records; test results, grades
26and student evaluations; special education data; juvenile dependency records; criminal records;
27medical records and health records; social security number; student identifiers; biometric
28information; socioeconomic information; food purchases; political and religious affiliations; text
29messages; student identifiers; search activity and online behavior or usage of applications when
30linked or linkable to a student; photographs; voice recordings; and persistent unique identifiers. 3 of 12
31 “De-identified data”, records and information from which all personally identifiable
32information has been removed or obscured such that the remaining information does not
33reasonably identify a specific individual, including, but not limited to, any information that alone
34or in combination is linkable to a specific individual.
35 “Department”, the department of elementary and secondary education.
36 “Destroy”, action taken in the normal course of business that is intended, and what a
37reasonable person would believe in the context of the information’s medium, to make such
38information permanently irretrievable.
39 “District” or “school district”, the school department of a city or town, regional school
40district, vocational or agricultural school, independent vocational school or charter school.
41 “Educational entity”, a state educational agency, school district, K-12 school or
42subdivision thereof, education collaborative as defined in section 4E of chapter 40, approved
43public or private day and residential school providing special education services to publicly
44funded eligible students pursuant to chapter 71B or institutional K-12 school program overseen
45by a state agency including the department of youth services, the department of mental health or
46the department of public health as well as employees acting under the authority or on behalf of
47an educational entity.
48 “K-12 school”, a school that offers any of grades kindergarten to 12 and that is operated
49by a school district; provided, further, that a K-12 school shall include any preschool or
50prekindergarten program or course of instruction provided by a school district. 4 of 12
51 “K-12 school purposes”, uses that are directed by or that customarily take place at the
52direction of a school district, K-12 school or teacher or that aid in the administration of school
53activities, including, but not limited to, instruction in the classroom or at home, administrative
54activities and collaboration between students, school personnel or parents, or that are otherwise
55for the use and benefit of the K-12 school; provided, further, that K-12 school purposes shall
56include comparable purposes in the administration of any preschool or prekindergarten program
57or course of instruction provided by a school district.
58 “Operator”, a person or entity operating in accordance with an agreement with an
59educational entity to provide an Internet website, online service, online application or mobile
60application for K-12 school purposes or at the direction of an educational entity or an employee
61of an educational entity; provided, however, that this definition shall not apply to the department,
62school district, K-12 school or other educational entity.
63 “Persistent unique identifier”, an identifier that can be used to recognize a consumer, a
64family or a device that is linked to a consumer or family over time and across different services,
65including, but not limited to: (i) a device identifier; (ii) an Internet Protocol address; (iii) cookies,
66beacons, pixel tags, mobile ad identifiers or similar technology; (iv) customer number, unique
67pseudonym or user alias; or (v) telephone number or other forms of persistent or probabilistic
68identifiers that can be used to identify a particular consumer or device; provided, however, that
69for the purposes of this definition “family” means a custodial parent or guardian and any minor
70children over which the parent or guardian has custody.
71 “Targeted advertising”, presenting or serving advertisements to a student where the
72substance, time or manner of the advertisement is determined based in whole or in part on 5 of 12
73information obtained or inferred over time from that student's online behavior, usage of
74applications or covered information. It does not include advertising to a student at an online
75location based upon that student's current visit to that location or in response to that student’s
76request for information or feedback without the retention of that student's online activities or
77requests over time for the purpose of targeting subsequent advertisements.
78 Section 34J. (a) An operator shall not, with respect to its site, service or application:
79 (1) engage in targeted advertising on the operator’s site, service or application, or
80targeted advertising on any other site, service or application if the targeting of the advertising is
81based on any information, including covered information and persistent unique identifiers, that
82the operator has acquired because of the use of that operator's site, service or application for K-
8312 school purposes;
84 (2) use covered information, including persistent unique identifiers, created or gathered
85by the operator's site, service or application, to amass a profile about a student or a teacher,
86principal or administrator except in furtherance of K-12 school purposes;
87 (3) sell or rent a student’s information, including covered information; provided,
88however, that this subsection shall not apply to the purchase, merger or other type of acquisition
89of an operator by another entity, if the operator or successor entity complies with sections 34I
90through 34L of this chapter, or to national assessment providers if the national assessment
91provider secures the express written consent of the parent or student if 18 years old, given in
92response to clear and conspicuous notice solely to provide access to employment, educational
93scholarships or financial aid or postsecondary educational opportunities; or 6 of 12
94 (4) disclose covered information; provided, however, that an operator may disclose
95covered information of a student so long as clauses (1) through (3), inclusive, of this subsection
96are not violated, under the following circumstances:
97 (i) if provisions of federal or state law require the operator to disclose the information,
98and the operator complies with the requirements of federal and state law in protecting and
99disclosing that information;
100 (ii) for research purposes with the approval of the relevant educational entity and in
101compliance with and subject to the restrictions of state and federal law; provided, however, that
102the information shall be de-identified prior to being disclosed and that the operator shall share
103research results with the educational entity in advance of any public dissemination; or
104 (iii) to an educational entity, including a K-12 school and school district, for K-12 school
105purposes, as permitted by state or federal law.
106 (b) An operator shall:
107 (1) implement and maintain reasonable security procedures and practices appropriate to
108the nature of the covered information designed to protect that covered information from
109unauthorized access, destruction, use, modification or disclosure and in compliance with
110regulations promulgated by the board pursuant to section 34L of this chapter; and
111 (2) immediately return or destroy covered information if requested by the educational
112entity or when covered information is no longer required for K-12 school purposes or other
113lawful purposes, such as complying with a judicial order or law enforcement request. 7 of 12
114 (c) Subject to the provisions of this section, an operator may use de-identified data to
115maintain, develop, support, improve or diagnose the operator’s site, service or application.
116Subject to the provisions of this section, an operator may use aggregated or de-identified student
117information to demonstrate the effectiveness of the operator’s products or services, including
118marketing or within the operator’s site, service or application or other sites, services or
119applications owned by the operator to improve educational purposes.
120 (d) Nothing in this section shall be construed to: (1) limit the authority of a law
121enforcement agency to obtain any content or information from an operator as authorized by law
122or pursuant to an order of a court of competent jurisdiction; (2) limit the ability of an operator to
123use student data, including covered information, for adaptive learning or customized student
124learning purposes; (3) apply to general audience Internet websites, general audience online
125services, general audience online applications or general audience mobile applications, even if
126login credentials created for an operator’s site, service or application may be used to access those
127general audience sites, services or applications; (4) limit service providers from providing
128Internet connectivity to schools or students and their families; (5) prohibit an operator of an
129Internet website, online service, online application or mobile application from marketing
130educational products directly to parents if the marketing did not result from the use of covered
131information obtained by the operator through the provision of services covered under this
132section; (6) impose a duty upon a provider of an electronic store, gateway, marketplace or other
133means of purchasing or downloading software or applications to review or enforce compliance
134with this section on those applications or software; or (7) prohibit students from downloading,
135exporting, transferring, saving or maintaining their own data or documents. 8 of 12
136 (e) An aggrieved student or educational entity may institute a civil action against an
137operator for damages or to restrain a violation of this section and may recover: (1) up to $10,000
138for each disclosure that violates this section; (2) up to $10,000 for each adverse action that
139violates this section, or actual damages, whichever amount is higher; (3) punitive damages if a
140court determines that a violation was willful; and (4) reasonable attorneys’ fees and other
141litigation costs reasonably incurred.
142 (f) The commissioner may bar an operator that improperly discloses covered information
143from receiving access to student and educator evaluation records of any educational entity in the
144commonwealth for a period of no less than five years.
145 Section 34K. (a) Any contract or agreement that is entered between an educational entity
146and an operator, as defined in section 34I, pursuant to which the operator sells, leases, provides,
147operates or maintains a service that grants access to covered information or creates any covered
148information, including, but not limited to (i) any cloud-based services for the digital storage,
149management and retrieval of pupil records or (ii) any digital software that authorizes an operator
150to access and acquire student records, shall contain:
151 (1) a description of the covered information collected, stored and managed and a
152statement that covered information and student records continue to be the property and under the
153control of the educational entity;
154 (2) a prohibition against the operator using covered information for commercial or
155advertising purposes or for any purpose other than K-12 school purposes; 9 of 12
156 (3) a description of the procedures by which a parent, legal guardian or eligible student
157may review the student’s records and work with the educational entity to correct erroneous
158information, in accordance with state and federal law;
159 (4) a requirement that only persons, whether they are employees of the operator or other
160persons, such as employees of subcontractors, with a legitimate need to access covered
161information to support professional roles consistent with the terms of the contract or agreement
162and federal and state law shall have access to it, with either the identification of said persons or
163an agreement to identify said persons upon request;
164 (5) a description of the reasonable administrative, technical and physical safeguards
165including with respect to encryption technology to protect covered information while in motion
166or in the operator’s custody that the operator will employ to protect the security, confidentiality
167and integrity of covered information in its custody; provided, however, compliance with this
168requirement shall not, in itself, absolve the operator of liability in the event of an unauthorized
169disclosure of covered information;
170 (6) a description of the procedures for notifying any and all affected parties in the event
171of an unauthorized disclosure of covered information or any breach of security resulting in an
172unauthorized release of covered information, provided that the procedures shall comply with
173chapter 444 of the acts of 2018 and implementing regulations;
174 (7) a certification that covered information shall be returned or destroyed by the operator
175upon completion of the terms of the contract; and 10 of 12
176 (8) a description of how the educational entity and the operator will jointly ensure
177compliance with applicable federal and state law, including, but not limited to, 20 U.S.C. section
1781232g, 15 U.S.C. section 6501 et. seq. and sections 34A through 34L, inclusive, of this chapter.
179 (b) Any contract that fails to comply with the requirements of this section shall be
180voidable and all covered information and student records in possession of an operator or any
181third party shall be returned to the educational entity or, if the return of such information is not
182technologically feasible, destroyed.
183 Section 34L. (a) The board shall promulgate regulations that establish data security and
184privacy responsibilities of the department and educational entities as well as minimum required
185security standards for operators, including for use in department and educational entity contracts
186and agreements with operators, and shall approve the department’s data privacy and security
187policy and security plan for the state data system. The regulations further shall establish the
188process through which the commissioner, pursuant to subsection (g) of section 34J, may bar an
189operator from receiving student and educator evaluation data of any educational entity in this
190commonwealth for a period of no less than five years. The regulations further shall provide that
191curricula in student data privacy, security and confidentiality shall be a requirement for approved
192educator preparation programs. In carrying out these responsibilities, the board shall consult with
193the executive office of technology services and security and seek the input of security and
194cybersecurity experts, including those from fields in addition to education that have experience
195with personal data protection.
196 (b) The commissioner shall appoint a chief privacy officer with experience in data
197privacy and security. The chief privacy officer shall oversee the development and 11 of 12
198implementation, subject to the board’s approval, of a department data privacy and security policy
199and a detailed security plan for the state data system in consultation with the executive office of
200technology services and security. The chief privacy officer further shall develop a model school
201district data privacy and security policy as well as a model operator contract or contracts in
202consultation with the executive office of technology services and security; otherwise support and
203supervise implementation of sections 34I through 34L, inclusive, of this chapter and the
204regulations issued by the board pursuant to subsection (a); develop and provide a program of
205training, technical assistance and resource materials to K-12 schools, school districts and other
206educational entities including through the issuance of guidance and recommendations to assist
207with compliance with federal and state law pertaining to personally identifiable information
208including, but not limited to, 20 U.S.C. 1232g, sections 34A through 34L, inclusive, of chapter
20971 of the General Laws, chapter 66A of the General Laws and chapter 444 of the acts of 2018;
210develop and oversee a program of oversight, support and accountability for the department and
211educational entities responsible for implementing policies pursuant to sections 34I through 34L
212of this chapter; and assist the commissioner with enforcement responsibilities regarding
213operators that violate any provision of sections 34I through 34K, inclusive, of this chapter.
214 (c) The department shall make publicly available a list of categories of covered
215information collected by the department including, but not limited to, covered information
216required to be collected or reported by state or federal law. The list shall contain the source of the
217information, the reason for the collection of the information and the use of the information
218collected.
219 (d) In accordance with the regulations of the board promulgated pursuant to subsection
220(a), each district shall develop a detailed privacy and security policy for the protection of covered 12 of 12
221information that includes security breach planning, notice and procedures; provided, however,
222that said policy shall include a requirement that the district report all significant data breaches of
223student data either by the district or an operator to the commissioner within ten business days of
224the initial discovery of the significant data breach; and provided, further, that a district may adopt
225any model policy developed by the chief privacy officer of the department and approved by the
226board to comply with this requirement. Each district shall designate an individual to act as a
227student data manager to oversee said policy.
228 (e) Each district shall make publicly available on its website a list of categories of student
229personally identifiable information collected at the school district, school or classroom level. The
230list shall contain the source of the information, the reason for collection of the information and
231the use of the information. Each district further shall make publicly available on its website a list
232of the operators with which the district has a contract or agreement that involves the creation,
233provision or gathering of covered information and a list of operators with which the district had a
234contract or agreement that involved the creation, provision or gathering of covered information
235in the last ten years.
236 (f) Each district annually shall provide annual training regarding the confidentiality of
237student data to any employee with access to covered information; provided that, completion of
238said training shall be a condition of a provisional or standard educator certification as defined in
239section 38G.