2020 -- H 7724
========
LC005061
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2020
____________
A N A C T
RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS -
ESTABLISHING THE STUDENT CLOUD COMPUTING PRIVACY AND PROTECTION
ACT

Introduced By: Representatives Barros, Shanley, Marszalkowski, Cassar, and Carson
Date Introduced: February 26, 2020
Referred To: House Judiciary
It is enacted by the General Assembly as follows:
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 48.3 |
4 | THE STUDENT CLOUD COMPUTING PRIVACY AND PROTECTION ACT |
5 | 6-48.3-1. Short title. |
6 | This chapter shall be known and may be cited as the "Student cloud computing privacy and |
7 | protection act". |
8 | 6-48.3-2. Definitions. |
9 | As used in this chapter: |
10 | (1) "Cloud computing service" means a service that enables convenient on-demand |
11 | network access to a shared pool of configurable computing resources to provide a student, teacher, |
12 | or staff member account-based productivity applications such as email, document storage, and |
13 | document editing that can be rapidly provisioned and released with minimal management effort or |
14 | cloud computing service provider interaction. |
15 | (2) "Cloud computing service provider" means an entity other than a public elementary or |
16 | secondary school that operates a cloud computing service. |
17 | (3) "Covered information" means personally identifiable information or material, to |
18 | include, but not limited to, unique biometric data generated from measurement or technical analysis |
1 | of human body characteristics, or information that is linked to personally identifiable information |
2 | or material, in any media or format that is not publicly available and is any of the following: |
3 | (i) Created by or provided to an operator by a student, or the student's parent or legal |
4 | guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site, |
5 | service, or application for K-12 school purposes. |
6 | (ii) Created by or provided to an operator by an employee or agent of a K-12 school or |
7 | school district for K-12 school purposes. |
8 | (iii) Gathered by a cloud computing service provider through the operation of its site, |
9 | service, or application for K-12 school purposes and personally identifies a student, including, but |
10 | not limited to, information in the student's educational record or electronic mail, first and last name, |
11 | home address, telephone number, electronic mail address, or other information that allows physical |
12 | or online contact, discipline records, test results, special education data, juvenile delinquency |
13 | records, grades, evaluations, criminal records, financial records, medical records, health records, |
14 | social security number, biometric information, disabilities, socioeconomic information, food |
15 | purchases, political affiliations, religious information, text messages, documents, student |
16 | identifiers, search activity, photos, voice recordings, passport number, driver's license number, |
17 | Rhode Island identification card number, tribal identification number, or geolocation information. |
18 | (4) "Interactive computer service" means that term as defined in 47 USC 230. |
19 | (5) "K-12 school" or "school" means a public or charter school that offers any of grades |
20 | kindergarten through twelve (12) and that is operated by a school district. |
21 | (6) "K-12 school purposes" means purposes that are directed by or that customarily take |
22 | place at the direction of a K-12 school, teacher, or school district or aid in the administration of |
23 | school activities, including, but not limited to, instruction in the classroom or at home, |
24 | administrative activities, and collaboration between students, school personnel, or parents, or are |
25 | otherwise for the use and benefit of the school. |
26 | (7) "Operator of a cloud computing service" or "cloud computer service provider" means, |
27 | to the extent that it is operating in this capacity, the operator of an Internet website, online service, |
28 | online application, or mobile application with actual knowledge that the site, service, or application |
29 | is used primarily for K-12 school purposes and was designed and marketed for K-12 school |
30 | purposes. |
31 | (8) "Process" means to use, access, manipulate, scan, modify, transform, disclose, store, |
32 | transmit, transfer, retain, aggregate, or dispose of student data. |
33 | (9) "School district" means a public school district, or regional public school district. |
34 | (10) "Student data" means any information in any media or format created or provided: |
1 | (i) By a student; or |
2 | (ii) By a school board employee about a student in the course of using a cloud computing |
3 | service, including the student's name, email address, postal address, email message, documents, |
4 | unique identifiers, and metadata. |
5 | (11) "Targeted advertising" means presenting advertisements to a student where the |
6 | advertisement is selected based on information obtained or inferred over time from that student's |
7 | online behavior, usage of applications, or covered information. It does not include advertising to a |
8 | student at an online location based upon that student's current visit to that location, or in response |
9 | to that student's request for information or feedback, without the retention of that student's online |
10 | activities or requests over time for the purpose of targeting subsequent ads. |
11 | 6-48.3-3. School cloud computing service providers. |
12 | (a) Notwithstanding any general or special law to the contrary, any person or entity who |
13 | provides a cloud computing service to a school district, public or charter school operating within |
14 | the state shall process data of a student enrolled in kindergarten through grade twelve (12) for the |
15 | sole purpose of providing the cloud computing service to the educational institution and shall not |
16 | process such data for any commercial purposes, including, but not limited to, advertising purposes |
17 | that benefit the cloud computing service provider. |
18 | (b) No person or entity who provides a cloud computing service to a school district, public |
19 | or charter school shall: |
20 | (1) Engage in targeted advertising on the cloud computing site, service, or application, or |
21 | target advertising on any other site, service, or application if the targeting of the advertising is based |
22 | on any information, including covered information and persistent unique identifiers, that the |
23 | operator has acquired because of the use of that operator's site, service, or application for K-12 |
24 | school purposes. |
25 | (2) Use information, including persistent unique identifiers, created or gathered by the |
26 | cloud computing site, service, or application, to create or establish a profile about a student except |
27 | in furtherance of K-12 school purposes. "Create or establish a profile" does not include the |
28 | collection and retention of account information that remains under the control of the student, the |
29 | student's parent or guardian, or K-12 school. |
30 | (3) Sell or rent a student's information, including covered information. This subsection does |
31 | not apply to the purchase, merger, or other type of acquisition of a cloud computing site or service |
32 | by another entity, if the successor entity complies with the provisions of this chapter regarding |
33 | previously acquired student information, or to national assessment providers if the provider secures |
34 | the express written consent of the parent or student, given in response to clear and conspicuous |
1 | notice, solely to provide access to employment, educational scholarships or financial aid, or |
2 | postsecondary educational opportunities. |
3 | (4) Except as otherwise provided in this chapter, disclose covered information unless the |
4 | disclosure is made for the following purposes: |
5 | (i) In furtherance of the K-12 school purposes of the site, service, or application, if the |
6 | recipient of the covered information disclosed under this section does not further disclose the |
7 | information unless done to allow or improve operability and functionality of the cloud computing |
8 | site, service, or application. |
9 | (ii) To ensure legal and regulatory compliance or protect against liability. |
10 | (iii) To respond to or participate in judicial process, or to comply with a court order. |
11 | (iv) To protect the safety or integrity of users of the site or others or the security of the site, |
12 | service, or application. |
13 | (v) For a school, educational, or employment purpose requested by the student or the |
14 | student's parent or guardian; provided that, the information is not used or further disclosed for any |
15 | other purpose. |
16 | (vi) To a third party, if the cloud computing service provider contractually prohibits the |
17 | third party from using any covered information for any purpose other than providing the contracted |
18 | service to or on behalf of the operator, prohibits the third party from disclosing any covered |
19 | information provided by the operator with subsequent third parties, and requires the third party to |
20 | implement and maintain reasonable security procedures and practices. |
21 | (5) Nothing in this section shall prohibit the cloud computing service provider's use of |
22 | information for maintaining, developing, supporting, improving, or diagnosing the cloud |
23 | computing site, service, or application. |
24 | (c) Every operator of a cloud computing service providing cloud computing service to a |
25 | school district, public or charter school shall: |
26 | (1) Implement and maintain reasonable security procedures and practices appropriate to |
27 | the nature of the covered information designed to protect that covered information from |
28 | unauthorized access, destruction, use, modification, or disclosure. |
29 | (2) Delete within a reasonable time period not to exceed thirty (30) days, a student's |
30 | covered information if the K-12 school or school district requests deletion of covered information |
31 | under the control of the K-12 school or school district, unless a student or parent or guardian |
32 | consents to the maintenance of the covered information. |
33 | (3) Establish, implement, and maintain appropriate security measures, consistent with best |
34 | current practices, to protect the student data that the cloud computing service sends, receives, stores, |
1 | and transmits in conjunction with the service provided educational institutions in the state. |
2 | (4) Establish and implement policies and procedures for responding to data breaches |
3 | involving the unauthorized acquisition of or access to any student data collected by the cloud |
4 | computing service. Such policies and procedures, at a minimum, shall: |
5 | (i) Require notice be provided by the cloud computing service provider to any and all |
6 | affected parties, including educational institutions, the department of education, the school board |
7 | and/or committee, and the cloud computing service student users and their parents or legal |
8 | guardians, within thirty (30) days of the discovery of the breach; |
9 | (ii) Require the notice to include a description of the categories of student data that were, |
10 | or were reasonably believed to have been, accessed or acquired by an unauthorized person; and |
11 | (iii) Satisfy all other applicable breach notification standards established under state or |
12 | federal law; and |
13 | (5) Permanently delete all student data collected by the cloud computing service within |
14 | ninety (90) days of the termination of the student user's account, or upon request by the student |
15 | user, the student user's parent or legal guardian, or the student user's educational institution. |
16 | (d) An operator of a cloud computing service or a cloud computer service provider may |
17 | use or disclose covered information of a student under the following circumstances: |
18 | (1) If other provisions of federal or state law require the operator to disclose the |
19 | information, and the operator complies with the requirements of federal and state law in protecting |
20 | and disclosing that information. |
21 | (2) As long as no covered information is used for advertising or to amass a profile on the |
22 | student for purposes other than elementary, middle school, or high school purposes, for legitimate |
23 | research purposes: as required by state or federal law and subject to the restrictions under applicable |
24 | state and federal law; or as allowed by state or federal law and in furtherance of K-12 school |
25 | purposes or postsecondary educational purposes. |
26 | (3) To a state or local educational agency, including K-12 schools and school districts, for |
27 | K-12 school purposes, as permitted by state or federal law. |
28 | 6-48.3-4. Permissible conduct. |
29 | Nothing in this chapter shall be construed to prohibit: |
30 | (1) Using covered information to improve educational products if that information is not |
31 | associated with an identified student within the cloud computer site, service, or application or other |
32 | sites, services, or applications owned by the operator of a cloud computing service. |
33 | (2) Using covered information that is not associated with an identified student to |
34 | demonstrate the effectiveness of the operator's products or services, including in their marketing. |
1 | (3) Sharing covered information that is not associated with an identified student for the |
2 | development and improvement of educational sites, services, or applications. |
3 | (4) Using recommendation engines not affiliated with owned or controlled by the cloud |
4 | computer service provider, to recommend to a student either of the following: |
5 | (i) Additional content relating to an educational, other learning, or employment opportunity |
6 | purpose within an online site, service, or application if the recommendation is not determined in |
7 | whole or in part by payment or other consideration from a third party; |
8 | (ii) Additional services relating to an educational, other learning, or employment |
9 | opportunity purpose within an online site, service, or application if the recommendation is not |
10 | determined in whole or in part by payment or other consideration from a third party. |
11 | (5) Responding to a student's request for information or for feedback without the |
12 | information or response being determined in whole or in part by payment or other consideration |
13 | from a third party. |
14 | 6-48.3-5. Application. |
15 | Nothing in this chapter shall be construed to: |
16 | (1) Limit the application or enforcement of §§ 16-21.6-1 or 16-104-1. |
17 | (2) Limit the authority of a law enforcement agency to obtain any content or information |
18 | from a cloud computer service provider as authorized by law or under a court order. |
19 | (3) Limit the ability of a cloud computer service provider to use student data, including |
20 | covered information, for adaptive learning or customized student learning purposes. |
21 | (4) Apply to general audience Internet websites, general audience online services, general |
22 | audience online applications, or general audience mobile applications, even if login credentials |
23 | created for a cloud computer service provider's site, service, or application may be used to access |
24 | those general audience sites, services, or applications. |
25 | (5) Limit service providers from providing Internet connectivity to schools or students and |
26 | their families. |
27 | (6) Prohibit an operator of an Internet website, online service, online application, or mobile |
28 | application from marketing educational products directly to parents if the marketing did not result |
29 | from the use of covered information obtained by the operator through the provision of services |
30 | covered under this chapter. |
31 | (7) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other |
32 | means of purchasing or downloading software or applications to review or enforce compliance with |
33 | this chapter on those applications or software. |
34 | (8) Impose a duty upon a provider of an interactive computer service to review or enforce |
1 | compliance with this chapter by third-party content providers. |
2 | (9) Prohibit students from downloading, exporting, transferring, saving, or maintaining |
3 | their own student data or documents. |
4 | (10) Apply in any manner to any information or data that is subject to the Federal |
5 | Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that act, or to information or |
6 | data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); provided, |
7 | however, no entity or individual shall be exempt from the provisions of this chapter. |
8 | 6-48.3-6. Certification. |
9 | Each cloud computing service that enters into a contract to provide such services to a school |
10 | district, public or charter school shall certify, in writing, that it shall comply with the provisions of |
11 | this chapter. |
12 | 6-48.3-7. Limitations on use. |
13 | Evidence or information obtained or collected in violation of this chapter shall be promptly |
14 | deleted or destroyed and shall not be admissible in any civil or criminal trial or legal proceeding, |
15 | disciplinary action, or administrative hearing involving the student, or used by an educational |
16 | institution for any other purpose adverse to the interest of the student. |
17 | 6-48.3-8. Penalties. |
18 | Any person who violates the terms of this chapter shall forfeit and pay to the state a civil |
19 | penalty of not more than one thousand dollars ($1,000) per violation. |
20 | 6-48.3-9. Enforcement. |
21 | (a) The office of attorney general shall have sole enforcement authority of the provisions |
22 | of this chapter and may enforce a violation of this chapter pursuant to the provisions of § 6-48.3-8 |
23 | or as a deceptive trade practice in violation of chapter 13.1 of title 6. |
24 | (b) Nothing in this chapter shall be construed to authorize any private right of action to |
25 | enforce any provision of this chapter, any regulation hereunder or other provisions of commercial |
26 | law in title 6. |
27 | SECTION 2. This act shall take effect on January 1, 2021. |
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS -
ESTABLISHING THE STUDENT CLOUD COMPUTING PRIVACY AND PROTECTION
ACT
***
1 | This act would establish the "student cloud computing privacy and protection act" which |
2 | prohibits use of student information by cloud computing service providers for specified purposes; |
3 | protects student personal information; and requires cloud computing service providers to establish |
4 | and maintain appropriate security measures. |
5 | This act would take effect on January 1, 2021. |