Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”) designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12). Described by its sponsors and the media as nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers.

What software providers are covered by the Bill?

The Bill covers primarily commercial software providers that enter into a negotiated agreement for school services with a Public Education Entity (“School Service Contract Providers”). A school service is “any Internet website, online service, online application, or mobile application that is (i) designed and marketed primarily for use in a preschool, elementary school, or secondary school, (ii) is used at the direction of teachers or other employees of a local education provider, AND (iii) which collects, maintains, or uses student personally identifiable information.” A “school service” is not a website, online service or application, or mobile app designed and marketed for use by individuals or entities generally, even if it is also marketed to a U.S. preschool, elementary school or secondary school, but the key to covered entities here will turn on whether software or an application is “designed and primarily marketed.”

What type of information is protected by the Bill?

The Bill covers “student personally identifiable information,” which is very broadly defined as “information that, alone or in combination, personally identifies an individual student or the student’s parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.”

What does a “School Service Contract Provider” have to do to comply with the Bill?

  • Data Use Obligations/Restrictions:
    • Collect, use, and share student personally identifiable information (PII) only (i) for the purposes authorized in the contracts with the Public Education Entities, or (ii) with the consent of the student (if the student is at least 18 or legally emancipated) or the student’s parent. The consent of the student or the student’s parent is required before using student PII in a manner that is materially inconsistent with the provider’s privacy policy or the contract with the applicable Public Education Entity.
    • Not sell student personally identifiable information, except in the event of a purchase, merger, or other type of acquisition of the provider or any assets of the provider by another entity provided that the successor continues to be subject to all of the requirements of the Bill with respect to the acquired student PII.
    • Not use or share student PII for targeted advertising (defined as “selecting and sending advertisements to a student based on information obtained or inferred over time from the student’s online behavior, use of applications, or personally identifiable information”), with certain exceptions set forth in the Bill.
    • Not use student PII to create a personal profile of a student, except (i) for supporting purposes authorized by the contracting public education entity or (ii) with the consent of the student (if the student is at least 18 or legally emancipated) or the student’s parent.The Bill contains a list of exceptions to the use and disclosure restrictions described above (e.g., legal or regulatory compliance purposes and user safety) and a list of permitted uses of student PII (e.g., to use adaptive learning or design personalized or customized education or to maintain, develop, support, improve, or diagnose a provider’s website, online service, online application, or mobile application).
  • Data Transparency:
    • Provide to each contracting Public Education Entity (and update to maintain accuracy) clear information, understandable by a layperson, describing (i) all of the student PII collected, including aggregated information, (ii) the learning purpose underlying the collection, and (iii) how the student PII is used and shared. Notice is also required before making material changes to the provider’s applicable privacy policy.
    • If requested, facilitate access to and correction of any factually inaccurate student PII held by the provider.
    • Upon discovering misuse or unauthorized release of student PII held by the provider, subcontractors, or subsequent subcontractors, notify the applicable Public Education Entity as soon as possible, regardless of whether the misuse or unauthorized release is a result of a material breach of the agreement with the entity.
    • Disclose student PII to a subcontractor (and a subcontractor may share with a subsequent subcontractor) only if the provider contractually requires the subcontractor (and the subcontractor requires the subsequent subcontractor) to comply with specific requirements of the Bill.
  • Data Security/Destruction:
    • Maintain a comprehensive information security program (including appropriate administrative, technological, and physical safeguards) reasonably designed to protect the security, privacy, confidentiality, and integrity of student PII.
    • Subject to certain exceptions, during and after termination of the agreement with a Public Education Entity, destroy (defined as “removing student personally identifiable information so that it is permanently irretrievable in the normal course of business”) student PII within the time period set forth in the Bill and notify the applicable entity of the destruction date

Although the effective date is August 10, 2016, if you are a “Contract Provider” or an “On-Demand Provider” under the Bill, this is the time to begin thinking about what kind of changes you may need to make in your processes and procedures and to put in place an implementation plan to be compliant with the Bill by its effective date.