2020 -- H 7724

========

LC005061

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2020

____________

A N   A C T

RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS -

ESTABLISHING THE STUDENT CLOUD COMPUTING PRIVACY AND PROTECTION

ACT

     Introduced By: Representatives Barros, Shanley, Marszalkowski, Cassar, and Carson

     Date Introduced: February 26, 2020

     Referred To: House Judiciary

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL

REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 48.3

THE STUDENT CLOUD COMPUTING PRIVACY AND PROTECTION ACT

     6-48.3-1. Short title.

     This chapter shall be known and may be cited as the "Student cloud computing privacy and

protection act".

     6-48.3-2. Definitions.

     As used in this chapter:

     (1) "Cloud computing service" means a service that enables convenient on-demand

network access to a shared pool of configurable computing resources to provide a student, teacher,

or staff member account-based productivity applications such as email, document storage, and

document editing that can be rapidly provisioned and released with minimal management effort or

cloud computing service provider interaction.

     (2) "Cloud computing service provider" means an entity other than a public elementary or

secondary school that operates a cloud computing service.

     (3) "Covered information" means personally identifiable information or material, to

include, but not limited to, unique biometric data generated from measurement or technical analysis

of human body characteristics, or information that is linked to personally identifiable information

or material, in any media or format that is not publically available and is any of the following:

     (i) Created by or provided to an operator by a student, or the student's parent or legal

guardian, in the course of the student's, parent's, or legal guardian's use of the operator's site,

service, or application for K-12 school purposes.

     (ii) Created by or provided to an operator by an employee or agent of a K-12 school or

school district for K-12 school purposes.

     (iii) Gathered by a cloud computing service provider through the operation of its site,

service, or application for K-12 school purposes and personally identifies a student, including, but

not limited to, information in the student's educational record or electronic mail, first and last name,

home address, telephone number, electronic mail address, or other information that allows physical

or online contact, discipline records, test results, special education data, juvenile delinquency

records, grades, evaluations, criminal records, financial records, medical records, health records,

social security number, biometric information, disabilities, socioeconomic information, food

purchases, political affiliations, religious information, text messages, documents, student

identifiers, search activity, photos, voice recordings, passport number, driver's license number,

Rhode Island identification card number, tribal identification number, or geolocation information.

     (4) "Interactive computer service" means that term as defined in 47 USC 230.

     (5) "K-12 school" or "school" means a public or charter school that offers any of grades

kindergarten through twelve (12) and that is operated by a school district.

     (6) "K-12 school purposes" means purposes that are directed by or that customarily take

place at the direction of a K-12 school, teacher, or school district or aid in the administration of

school activities, including, but not limited to, instruction in the classroom or at home,

administrative activities, and collaboration between students, school personnel, or parents, or are

otherwise for the use and benefit of the school.

     (7) "Operator of a cloud computing service" or "cloud computer service provider" means,

to the extent that it is operating in this capacity, the operator of an Internet website, online service,

online application, or mobile application with actual knowledge that the site, service, or application

is used primarily for K-12 school purposes and was designed and marketed for K-12 school

purposes.

     (8) "Process" means to use, access, manipulate, scan, modify, transform, disclose, store,

transmit, transfer, retain, aggregate, or dispose of student data.

     (9) "School district" means a public school district, or regional public school district.

     (10) "Student data" means any information in any media or format created or provided:

LC005061 - Page 2 of 8

     (i) By a student; or

     (ii) By a school board employee about a student in the course of using a cloud computing

service, including the student's name, email address, postal address, email message, documents,

unique identifiers, and metadata.

     (11) "Targeted advertising" means presenting advertisements to a student where the

advertisement is selected based on information obtained or inferred over time from that student's

online behavior, usage of applications, or covered information. It does not include advertising to a

student at an online location based upon that student's current visit to that location, or in response

to that student's request for information or feedback, without the retention of that student's online

activities or requests over time for the purpose of targeting subsequent ads.

     6-48.3-3. School cloud computing service providers.

     (a) Notwithstanding any general or special law to the contrary, any person or entity who

provides a cloud computing service to a school district, public or charter school operating within

the state shall process data of a student enrolled in kindergarten through grade twelve (12) for the

sole purpose of providing the cloud computing service to the educational institution and shall not

process such data for any commercial purposes, including, but not limited to, advertising purposed

that benefit the cloud computing service provider.

     (b) No person or entity who provides a cloud computing service to a school district, public

or charter school shall:

     (1) Engage in targeted advertising on the cloud computing site, service, or application, or

target advertising on any other site, service, or application if the targeting of the advertising is based

on any information, including covered information and persistent unique identifiers, that the

operator has acquired because of the use of that operator's site, service, or application for K-12

school purposes.

     (2) Use information, including persistent unique identifiers, created or gathered by the

cloud computing site, service, or application, to create or establish a profile about a student except

in furtherance of K-12 school purposes. "Create or establish a profile" does not include the

collection and retention of account information that remains under the control of the student, the

student's parent or guardian, or K-12 school.

     (3) Sell or rent a student's information, including covered information. This subsection does

not apply to the purchase, merger, or other type of acquisition of a cloud computing site or service

by another entity, if the successor entity complies with the provisions of this chapter regarding

previously acquired student information, or to national assessment providers if the provider secures

the express written consent of the parent or student, given in response to clear and conspicuous

LC005061 - Page 3 of 8

notice, solely to provide access to employment, educational scholarships or financial aid, or

postsecondary educational opportunities.

     (4) Except as otherwise provided in this chapter, disclose covered information unless the

disclosure is made for the following purposes:

     (i) In furtherance of the K-12 school purposes of the site, service, or application, if the

recipient of the covered information disclosed under this section does not further disclose the

information unless done to allow or improve operability and functionality of the cloud computing

site, service, or application.

     (ii) To ensure legal and regulatory compliance or protect against liability.

     (iii) To respond to or participate in judicial process, or to comply with a court order.

     (iv) To protect the safety or integrity of users of the site or others or the security of the site,

service, or application.

     (v) For a school, educational, or employment purpose requested by the student or the

student's parent or guardian; provided that, the information is not used or further disclosed for any

other purpose.

     (vi) To a third party, if the cloud computing service provider contractually prohibits the

third party from using any covered information for any purpose other than providing the contracted

service to or on behalf of the operator, prohibits the third party from disclosing any covered

information provided by the operator with subsequent third parties, and requires the third party to

implement and maintain reasonable security procedures and practices.

     (5) Nothing in this section shall prohibit the cloud computing service provider's use of

information for maintaining, developing, supporting, improving, or diagnosing the cloud

computing site, service, or application.

     (c) Every operator of a cloud computing service providing cloud computing service to a

school district, public or charter school shall:

     (1) Implement and maintain reasonable security procedures and practices appropriate to

the nature of the covered information designed to protect that covered information from

unauthorized access, destruction, use, modification, or disclosure.

     (2) Delete within a reasonable time period not to exceed thirty (30) days, a student's

covered information if the K-12 school or school district requests deletion of covered information

under the control of the K-12 school or school district, unless a student or parent or guardian

consents to the maintenance of the covered information.

     (3) Establish, implement, and maintain appropriate security measures, consistent with best

current practices, to protect the student data that the cloud computing service sends, receives, stores,

LC005061 - Page 4 of 8

and transmits in conjunction with the service provided educational institutions in the state.

     (4) Establish and implement policies and procedures for responding to data breaches

involving the unauthorized acquisition of or access to any student data collected by the cloud

computing service. Such policies and procedures, at a minimum, shall:

     (i) Require notice be provided by the cloud computing service provider to any and all

affected parties, including educational institutions, the department of education, the school board

and/or committee, and the cloud computing service student users and their parents or legal

guardians, within thirty (30) days of the discovery of the breach;

     (ii) Require the notice to include a description of the categories of student data that were,

or were reasonably believed to have been, accessed or acquired by an unauthorized person; and

     (iii) Satisfy all other applicable breach notification standards established under state or

federal law; and

     (5) Permanently delete all student data collected by the cloud computing service within

ninety (90) days of the termination of the student user's account, or upon request by the student

user, the student user's parent or legal guardian, or the student user's educational institution.

     (d) An operator of a cloud computing service or a cloud computer service provider may

use or disclose covered information of a student under the following circumstances:

     (1) If other provisions of federal or state law require the operator to disclose the

information, and the operator complies with the requirements of federal and state law in protecting

and disclosing that information.

     (2) As long as no covered information is used for advertising or to amass a profile on the

student for purposes other than elementary, middle school, or high school purposes, for legitimate

research purposes: as required by state or federal law and subject to the restrictions under applicable

state and federal law; or as allowed by state or federal law and in furtherance of K-12 school

purposes or postsecondary educational purposes.

     (3) To a state or local educational agency, including K-12 schools and school districts, for

K-12 school purposes, as permitted by state or federal law.

     6-48.3-4. Permissible conduct.

     Nothing in this chapter shall be construed to prohibit:

     (1) Using covered information to improve educational products if that information is not

associated with an identified student within the cloud computer site, service, or application or other

sites, services, or applications owned by the operator of a cloud computing service.

     (2) Using covered information that is not associated with an identified student to

demonstrate the effectiveness of the operator's products or services, including in their marketing.

LC005061 - Page 5 of 8

     (3) Sharing covered information that is not associated with an identified student for the

development and improvement of educational sites, services, or applications.

     (4) Using recommendation engines not affiliated with owned or controlled by the cloud

computer service provider, to recommend to a student either of the following:

     (i) Additional content relating to an educational, other learning, or employment opportunity

purpose within an online site, service, or application if the recommendation is not determined in

whole or in part by payment or other consideration from a third party;

     (ii) Additional services relating to an educational, other learning, or employment

opportunity purpose within an online site, service, or application if the recommendation is not

determined in whole or in part by payment or other consideration from a third party.

     (5) Responding to a student's request for information or for feedback without the

information or response being determined in whole or in part by payment or other consideration

from a third party.

     6-48.3-5. Application.

     Nothing in this chapter shall be construed to:

     (1) Limit the application or enforcement of §§ 16-21.6-1 or 16-104-1.

     (2) Limit the authority of a law enforcement agency to obtain any content or information

from a cloud computer service provider as authorized by law or under a court order.

     (3) Limit the ability of a cloud computer service provider to use student data, including

covered information, for adaptive learning or customized student learning purposes.

     (4) Apply to general audience Internet websites, general audience online services, general

audience online applications, or general audience mobile applications, even if login credentials

created for a cloud computer service provider's site, service, or application may be used to access

those general audience sites, services, or applications.

     (5) Limit service providers from providing Internet connectivity to schools or students and

their families.

     (6) Prohibit an operator of an Internet website, online service, online application, or mobile

application from marketing educational products directly to parents if the marketing did not result

from the use of covered information obtained by the operator through the provision of services

covered under this chapter.

     (7) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other

means of purchasing or downloading software or applications to review or enforce compliance with

this chapter on those applications or software.

     (8) Impose a duty upon a provider of an interactive computer service to review or enforce

LC005061 - Page 6 of 8

compliance with this chapter by third-party content providers.

     (9) Prohibit students from downloading, exporting, transferring, saving, or maintaining

their own student data or documents.

     (10) To apply in any manner to any information or data that is subject to the Federal

Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that act, or to information or

data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); provided,

however, no entity or individual shall be exempt from the provisions of this chapter.

     6-48.3-6. Certification.

     Each cloud computing service that enters into a contract to provide such services to a school

district, public or charter school shall certify, in writing, that it shall comply with the provisions of

this chapter.

     6-48.3-7. Limitations on use.

     Evidence or information obtained or collected in violation of this chapter shall be promptly

deleted or destroyed and shall not be admissible in any civil or criminal trial or legal proceeding,

disciplinary action, or administrative hearing involving the student, or used by an educational

institution for any other purpose adverse to the interest of the student.

     6-48.3-8. Penalties.

     Any person who violates the terms of this chapter shall forfeit and pay to the state a civil

penalty of not more than one thousand dollars ($1,000) per violation.

     6-48.3-9. Enforcement.

     (a) The office of attorney general shall have sole enforcement authority of the provisions

of this chapter and may enforce a violation of this chapter pursuant to the provisions of § 6-48.3-8

of as a deceptive trade practice in violation of chapter 13.1 of title 6.

     (b) Nothing in this chapter shall be construed to authorize any private right of action to

enforce any provision of this chapter, any regulation hereunder or other provisions of commercial

law in title 6.

     SECTION 2. This act shall take effect on January 1, 2021.

========

LC005061

========

LC005061 - Page 7 of 8

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS -

ESTABLISHING THE STUDENT CLOUD COMPUTING PRIVACY AND PROTECTION

ACT

***

     This act would establish the "student cloud computing privacy and protection act" which

prohibits use of student information by cloud computing service providers for specified purposes;

protects student personal information; and requires cloud computing service providers to establish

and maintain appropriate security measures.

     This act would take effect on January 1, 2021.

========

LC005061

========

LC005061 - Page 8 of 8