HOUSE 3rd Reading Unamended April 27, 2015 HOUSE Amended 2nd Reading April 23, 2015 SENATE 3rd Reading Unamended March 18, 2015 SENATE Amended 2nd Reading March 17, 2015First Regular Session Seventieth General Assembly STATE OF COLORADO REREVISED This Version Includes All Amendments Adopted in the Second House LLS NO. 15-0279.02 Jane Ritter x4342 SENATE BILL 15-173 SENATE SPONSORSHIP Holbert, HOUSE SPONSORSHIP Pabon, Senate Committees House Committees Education Education A BILL FOR AN ACT Concerning expanding protections for student data security. Bill Summary (Note: This summary applies to this bill as introduced and does not reflect any amendments that may be subsequently adopted. If this bill passes third reading in the house of introduction, a bill summary that applies to the reengrossed version of this bill will be available at http://www.leg.state.co.us/billsummaries.) The bill adds additional protections to existing law concerning student data privacy and transparency. A vendor is defined as an operator of a web site, on-line service, on-line application, or mobile application (site or service) with knowledge that the site or service is used primarily for public school purposes and was designed and marketed for public school purposes. The bill prohibits vendors from: Engaging in targeted advertising if the targeting is based upon any student information acquired because of the use of a vendor's site or service; Using information acquired through the site or service to create a profile of a student that is not in furtherance of a public school purpose; Selling a student's information; and Disclosing covered student information unless specific requirements are met. The bill allows vendors to: Implement and maintain reasonable security procedures and practices; Delete a student's data at the request of the school or school district with control of the data; Disclose covered student information if required by state or federal law; Disclose covered student information for legitimate research purposes, provided applicable requirements of state and federal law are met; Disclose deidentified covered student information in order to improve the vendor's sites or services or other educational products or for marketing uses. The bill does not: Limit the authority of law enforcement to access any information allowed by law or authorized by a court order; Apply to general audience sites and services or to internet service providers in the course of providing internet connectivity; Prohibit a vendor from marketing its product or services, provided the marketing did not result from the use of covered student information obtained by the vendor in violation of the bill; Impose duties on electronic stores, gateways, marketplaces, or other means of purchasing or downloading software or applications; or Impede the ability of a student to download, export, or otherwise save or maintain his or her own student-created data or documents. The bill moves existing law related to parental written consent for obtaining and releasing data to part 3 of article 2 of title 22, C.R.S., along with other relevant law related to student data. Be it enacted by the General Assembly of the State of Colorado: SECTION 1. In Colorado Revised Statutes, amend 22-2-301 as follows: 22-2-301. Short title. This part 3 shall be known and may be cited as the "Data Reporting and Technology Protection Act". SECTION 2. In Colorado Revised Statutes, add 22-2-310 as follows: 22-2-310. Student data protection - accountability and transparency - legislative declaration - definitions - prohibited actions - remedies. (1) The general assembly finds that although there are federal statutes limiting the use of student data collected by schools, these statutes primarily govern the actions of schools and government entities and have less applicability to third-party vendors. The effective use of student data to improve learning requires a framework of trust around its use. (2) It is therefore the intent of the general assembly to achieve the following purposes: (a) To ensure the privacy of all public school students by restricting third-party vendors from sharing, mining, selling, or using personally identifiable data collected by schools, school districts, and boards of cooperative services; and (b) To prohibit an operator of an internet web site, on-line service, on-line application, or mobile application from using, disclosing, or compiling personal information of a public school student for the purpose of marketing, advertising, or research that is directed at understanding the behaviors, attitudes, or preferences of school-age children for commercial purposes. (3) As used in this section, unless the context otherwise requires: (a) "Covered information" means personally identifiable information or materials regarding a public school student who is a Colorado resident, in any media or format that is: (I) Created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's, or legal guardian's use of the operator's web site, service, or application for public school purposes; (II) Created or provided by an employee or agent of the public school, school district, board of cooperative services, charter school institute, local education agency, or department to an operator for a public school purpose; or (III) Gathered by an operator and personally identifies a student. This includes, but is not limited to: (A) Information in the student's educational record or electronic mail; (B) Student data; (C) First and last name, home address, telephone number, electronic mail address, or any other information that allows physical or on-line contact; or (D) Discipline or criminal records, juvenile dependency records, medical or health records, social security number, biometric information, disabilities, socioeconomic information, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, food purchases, or geolocation information. (b) "Education record" has the same meaning as defined in the federal "Family Educational Rights and Privacy Act of 1974", as amended, 20 U.S.C. sec. 1232g. "Education record" includes an individualized education program. (c) "Operator" means any operator of an internet web site; an on-line service, including cloud computing services; an on-line application; or a mobile application with actual knowledge that the site, service, or application is used primarily for public school purposes and was designed and marketed for public school purposes, to the extent that it is operating in that capacity. "Operator" does not include a school, a school district, board of cooperative services, the charter school institute, the department, the state board, or on-line school programs as defined in sections 22-30.7-102 (9) and 22-30.7-102 (9.5). (d) "Personally identifiable information" has the same meaning as defined in the federal "Family Educational Rights and Privacy Act of 1974", as amended, 20 U.S.C. sec. 1232g. (e) "Public school purpose" means any purpose that is directed by or customarily takes place at the direction of a public school that serves any grade between kindergarten and twelfth grade, teacher, school district, charter school, a board of cooperative services, or the charter school institute, or aids in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or any other purpose that is primarily for the use and benefit of a public school, charter school, or board of cooperative services. (f) "Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's on-line viewing behavior, usage of applications, or covered information. "Targeted advertising" does not include: (I) Adaptive or individualized learning; or (II) Advertising presented to an individual student at an on-line location based on the student's current visit to the on-line location without collection or retention of the student's on-line activities over time, or in response to a single search query without collection or retention of the student's on-line activities over time. (4) An operator shall not knowingly engage in any of the following activities with respect to its web site, service, or application: (a) (I) Engage in targeted advertising on the operator's web site, service, or application; or (II) Target advertising on any other web site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's web site, service, or application; (b) Use information, including persistent unique identifiers, created or gathered by the operator's web site, service, or application, to amass a profile about a public school student, except in furtherance of a public school purpose. Amassing a profile does not include collection and retention of account information that remains under the control of the student, parent, school, school district, or board of cooperative services. (c) Sell a student's information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to comply with the provisions of this section concerning previously acquired student information that is subject to the provisions of this part 3. (d) Disclose covered information unless the disclosure is made, to the extent reasonably necessary: (I) In furtherance of the public school purpose of the web site, service, or application, provided the recipient of the covered information disclosed pursuant to this paragraph (d): (A) Does not further disclose the covered information unless done to allow or improve operability and functionality within that student's classroom or school; and (B) Is legally required to comply with subsection (6) of this section and does not use the covered information in violation of this part 3; (II) To protect the security or integrity of its web site, service, or application; (III) To ensure legal or regulatory compliance or to take precautions against liability; (IV) To respond to or participate in the judicial process; (V) To protect the safety of users or others or the security of the operator's web site, service, or application; (VI) To the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety; or (VII) To a service provider, provided that the operator contractually: (A) Prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator; (B) Prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, except to the extent necessary to carry out legitimate educational functions delegated to it by the agency or institution, unless the disclosure is expressly permitted by this part 3; and (C) Requires the service provider to implement and maintain reasonable security procedures and practices as provided for in subsection (6) of this section. (VIII) For a school, educational, or employment purpose that is requested by the student or the student's parent or legal guardian, provided that the student's covered information is not used or further disclosed for any other purpose. (5) Nothing in subsection (4) of this section shall be construed to prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's web site, service, or application. (6) An operator shall: (a) Implement and maintain reasonable security procedures and practices that, at a minimum, meet the requirements developed by the department and state board pursuant to section 22-2-309 and that are appropriate to the nature of the covered information and protect that information from unauthorized access, destruction, use, modification, or disclosure; (b) Delete a student's covered information within a reasonable time frame if the public school, school district, charter school, board of cooperative services, or charter school institute requests such deletion of any data under the control of the public school, school district, charter school, board of cooperative services, or charter school institute; (c) Provide clear and easy-to-understand information about the types of covered information the operator collects and about how the operator uses and shares the covered information; (d) Provide prominent notice before making material changes to its privacy policies for internet web sites, on-line services, on-line applications, or mobile applications, as described in paragraph (c) of subsection (3) of this section; and (e) Facilitate access to and correction of covered information by a student or his or her parent or legal guardian either directly or through the relevant public school, teacher, school district, charter school, board of cooperative services, or the charter school institute. (7) If the internet web site, on-line service, on-line application, or mobile application, as described in paragraph (c) of subsection (3) of this section is offered to a public school, teacher, school district, charter school, board of cooperative services, or the charter school institute, the information required pursuant to paragraphs (a) and (b) of subsection (6) of this section may be provided to the public school, teacher, school district, charter school, board of cooperative services, or the charter school institute. (8) Notwithstanding the provisions of paragraph (d) of subsection (4) of this section, an operator may disclose covered information of a student under the following circumstances, as long as paragraphs (a) to (c) of subsection (4) of this section, inclusive, are not violated: (a) If another provision of state or federal law requires the operator to disclose applicable covered information and the operator complies with the applicable requirements of state and federal law in protecting and disclosing the information; (b) For legitimate research purposes approved by the school district, a board of cooperative services, or the charter school institute: (I) As required by state or federal law and subject to the restrictions under applicable state and federal law; or (II) As allowed by state or federal law and under the direction of a public school, school district, charter school, board of cooperative services, charter school institute, or the department, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on a student for a purpose other than a public school purpose; and (c) To a state or local education agency, including public schools, school districts, charter schools, boards of cooperative services, or the charter school institute for a public school purpose, as permitted by state or federal law. (9) Nothing in this section prohibits an operator from using deidentified covered information as follows: (a) Within the operator's web site, service, or application, or other web sites, services, or applications owned by the operator, to develop or improve its educational products; or (b) To demonstrate the effectiveness of the operator's products or services, including its marketing. (10) Nothing in this section prohibits an operator from sharing aggregated or deidentified covered information for the development and improvement of educational web sites, products, services, or applications. (11) This section must not be construed to: (a) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction; (b) Limit the ability of an operator to use covered information for adaptive learning or customized student learning purposes; (c) Prohibit an operator of an internet web site, on-line service, on-line application, or mobile application from using recommendation engines to recommend to a student additional content or services relating to an educational, other learning, or employment opportunity purpose to students within the operator's web site, on-line service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party; (d) Prohibit an operator of an internet web site, on-line service, on-line application, or mobile application from responding to a student's search, query, or other request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party; (e) Prohibit an operator of an internet web site, on-line service, on-line application, or mobile application from using or retaining a student's information to ensure legal or regulatory compliance or to take precautions against liability; (f) Prohibit an operator of an internet web site, on-line service, on-line application, or mobile application from using or disclosing covered information with the affirmative consent of the school, student, or the student's parent or legal guardian if the consent is given in response to clear and conspicuous notice of the use or disclosure of the covered information; (g) Apply to general-audience internet web sites, on-line services, on-line applications, or mobile applications, even if log-in credentials created for an operator's web site, service, or application may be used to access the general-audience web site, service, application, or mobile application; (h) Limit internet service providers from providing internet connectivity to schools or students and their families; (i) Prohibit an operator of an internet web site, on-line service, on-line application, or mobile application from marketing educational products directly to parents, so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section; (j) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software; (k) Impose a duty upon a provider of an interactive computer service, as defined in section 230 of title 47, U.S.C., to review or enforce compliance with this section by third-party content providers; or (l) Impede the ability of a student to download, transfer, or otherwise save or maintain his or her student data or documents. (12) Any interested party may make an initial report of alleged violations of this section to the department. The department shall contact the operator directly and provide the operator with the opportunity to explain or rectify. If the department continues to receive complaints about the same operator, it may bring the issue to the office of the attorney general for review and action. SECTION 3. In Colorado Revised Statutes, add 22-2-311 as follows: 22-2-311. Data protection - disclosure and transparency - definition. (1) Beginning with the start of the 2015-16 academic year, and at the start of each academic year thereafter, each school district, charter school, and the charter school institute shall provide an annual notice to parents and legal guardians listing all operators with whom the school district, charter school, or charter school institute has entered into a negotiated contract, excluding end-user agreements, that provides for the transfer of covered information for the upcoming academic year. (2) The requirements of subsection (1) of this section do not apply to rural public schools, rural school districts, or rural charter schools as those terms are defined by the department. (3) As used in this section, "operator" means any operator of an internet web site; an on-line service, including cloud computing services; an on-line application; or a mobile application with actual knowledge that the site, service, or application is used primarily for public school purposes and was designed and marketed for public school purposes, to the extent that it is operating in that capacity. "Operator" does not include a school, a school district, the department, or the state board. SECTION 4. In Colorado Revised Statutes, 22-1-123, add (14) as follows: 22-1-123. Protection of student data - parental or legal guardian consent for surveys. (14) (a) If a public school, school district, charter school, board of cooperative services, or the charter school institute utilizes cloud computing services, web sites, on-line programs, or applications that collect or store student information, whether the information is personally identifiable or not, it shall develop an education technology plan that provides for the following: (I) Annual notice to parents and legal guardians concerning cloud computing service providers; (II) Training for students and staff concerning the appropriate use of technology, including safety and privacy safeguards and protocols; and (III) Notice to the parent or legal guardian if there is a security breach or other unauthorized disclosure of his or her child's information. (b) The provisions of this section do not apply to rural public schools, rural school districts, or rural charter schools, as those terms are defined by the department of education or to boards of cooperative services. SECTION 5. In Colorado Revised Statutes, amend 22-2-106.5 as follows: 22-2-106.5. State board - duties with regard to student data - memorandum of understanding. (1) Notwithstanding the provisions of section 22-2-111 (3) (a), the state board shall enter into a memorandum of understanding on or before September 1, 2006, with the Colorado commission on higher education to adopt a policy to share student data. At a minimum, the policy shall ensure that the exchange of information is conducted in conformance with the requirements of the federal "Family Educational Rights and Privacy Act of 1974", as amended, 20 U.S.C. sec. 1232g, and all federal regulations and applicable guidelines adopted in accordance therewith. The policy shall additionally require the state board, upon request, to share student data with qualified researchers. For purposes of this section, qualified researchers shall include, but need not be limited to, institutions of higher education, school districts, and public policy research and advocacy organizations. (2) Any release of data pursuant to subsection (1) of this section must conform to the requirements of section 22-2-310. SECTION 6. In Colorado Revised Statutes, 22-2-111, add (4) as follows: 22-2-111. Commissioner of education - office - records - confidential nature. (4) Any release of data pursuant to subsection (3) of this section must conform to the requirements of section 22-2-310. SECTION 7. In Colorado Revised Statutes, 25-1-1202, amend (1) (ll) as follows: 25-1-1202. Index of statutory sections regarding medical record confidentiality and health information. (1) Statutory provisions concerning policies, procedures, and references to the release, sharing, and use of medical records and health information include the following: (ll) Section Sections 22-1-123 (5) and 22-2-310, C.R.S., concerning the protection of student data; SECTION 8. Act subject to petition - effective date. This act takes effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 5, 2015, if adjournment sine die is on May 6, 2015); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2016 and, in such case, will take effect on the date of the official declaration of the vote thereon by the governor.