New Governance Requirements Created for Tech Vendors
This June, Colorado Governor John Hickenlooper signed into law a bill that will significantly change the way student data is governed in the state. HB 16-1423, also known as the Student Data Transparency and Security Act, will provide for a number of new requirements for vendors and school districts. It sets forth some of the most comprehensive requirements in the country for technology vendors.
Among these new requirements are strong protections for student personally identifiable information (SPII). The bill defines SPII as:
“Information that, alone or in combination, personally identifies an individual student or the student’s parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.”
“School services” covered include any web application or online service that collects SPII, is designed or marketed primarily for use in a school setting, and is used at the direction of teachers or other school employees. The law also governs “school service on-demand providers” — web services or applications that are used in educational settings using “non-negotiable terms and conditions.” In other words, this law applies to sites or apps that use clickwrap agreements or generalized terms of service agreements — provided they can be legally categorized as “school services.”
As of August 10, 2016, vendors contracting with schools or educational agencies in Colorado must contractually agree to comply with certain requirements if they are to collect information from students. Every covered educational institution must list the school services it uses on its website, including a copy of each contract. Here are some of the bill’s requirements for vendors:
– Vendors contracting with the Colorado Department of Education must identify on their website what types of SPII they collect, their purpose for doing so, and how they share this data.
– Vendors may collect and use data only for the purposes specified in the contract. To use data in any other way, they must obtain consent from the parent, or from the student if over 18. The bill also bans commercial uses, including selling information or using it for targeted advertising.
– Providers may share data with subcontractors only if the subcontractor contractually agrees to comply with these rules and restrictions.
– Providers must also maintain a comprehensive information security program, ensuring that student data is accessed and used appropriately.
– Providers must destroy information upon request by the education institution, or at the end of the contract or its specified timeline.
In addition to potential liabilities, material breaches of these requirements may result in the education entity terminating use of the service. If this occurs, then the vendor may be added to a public list of terminated companies — to which vendors may submit public responses.
The Colorado Department of Education (CDE) will be implementing the requirements of the bill. Here is a timeline of the law’s implementation:
August 10, 2016 – CDE and schools/education providers cannot enter into or renew a contract with entities that refuse to accept the terms of updated contracts and provisions of the bill.
March 1, 2017 – CDE must create and publish a sample student information privacy and protection policy for schools and education providers.
December 31, 2017 – Schools and education providers to adopt a student information privacy and protection policy.
July 1, 2018 – Small rural districts to adopt a student information privacy and protection policy.
iKeepSafe now includes a review for these Colorado regulations in our state privacy compliance assessment. For more information, visit iKeepSafe.org/privacy or email [email protected]
For more information about privacy regulations in the state of Colorado, visit https://www.cde.state.co.us/dataprivacyandsecurity.
This blog post does not constitute legal advice. For legal counsel, contact your attorney. Legal inquiries can be made to [email protected]