Connecticut Seal

Substitute House Bill No. 5469

Public Act No. 16-189

AN ACT CONCERNING STUDENT DATA PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2016) As used in this section and sections 2 to 4, inclusive:

(1) "Contractor" means an operator or consultant that is in possession of or has access to student information, student records or student-generated content as a result of a contract with a local or regional board of education;

(2) "Operator" means any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, to the extent it is engaged in the operation of such Internet web site, online service or mobile application, and (B) collects, maintains or uses student information;

(3) "Consultant" means a professional who provides noninstructional services, including, but not limited to, administrative, planning, analysis, statistical or research services, to a local or regional board of education pursuant to a contract with such local or regional board of education;

(4) "Student information" means personally identifiable information or material of a student in any media or format that is not publicly available and is any of the following: (A) Created or provided by a student or the parent or legal guardian of a student, to the operator in the course of the student, parent or legal guardian using the operator's Internet web site, online service or mobile application for school purposes, (B) created or provided by an employee or agent of a local or regional board of education to an operator for school purposes, or (C) gathered by an operator through the operation of the operator's Internet web site, online service or mobile application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photographs, voice recordings, survey responses or behavioral assessments;

(5) "Student record" means any information directly related to a student that is maintained by a local or regional board of education, the State Board of Education or the Department of Education or any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, except "student record" does not include de-identified student information allowed under the contract to be used by the contractor to (A) improve educational products for adaptive learning purposes and customize student learning, (B) demonstrate the effectiveness of the contractor's products in the marketing of such products, and (C) develop and improve the contractor's products and services;

(6) "Student-generated content" means any student materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except "student-generated content" does not include student responses to a standardized assessment;

(7) "Directory information" has the same meaning as provided in 34 CFR 99. 3, as amended from time to time;

(8) "School purposes" means purposes that customarily take place at the direction of a teacher or a local or regional board of education, or aid in the administration of school activities, including, but not limited to, instruction in the classroom, administrative activities and collaboration among students, school personnel or parents or legal guardians of students;

(9) "Student" means a person who is a resident of the state and (A) enrolled in a preschool program participating in the state-wide public school information system, pursuant to section 10-10a of the general statutes, (B) enrolled in grades kindergarten to twelve, inclusive, in a public school, (C) receiving special education and related services under an individualized education program, or (D) otherwise the responsibility of a local or regional board of education;

(10) "Targeted advertising" means presenting an advertisement to a student where the selection of the advertisement is based on student information, student records or student-generated content or inferred over time from the usage of the operator's Internet web site, online service or mobile application by such student or the retention of such student's online activities or requests over time for the purpose of targeting subsequent advertisements. "Targeted advertising" does not include any advertising to a student on an Internet web site that such student is accessing at the time or in response to a student's response or request for information or feedback;

(11) "De-identified student information" means any student information that has been altered to prevent the identification of an individual student; and

(12) "Persistent unique identifier" means a unique piece of information that can be used to recognize a user over time and across different Internet web sites, online services or mobile applications and is acquired as a result of the use of a student's use of an operator's Internet web site, online service or mobile application.

Sec. 2. (NEW) (Effective October 1, 2016, and applicable to contracts entered into, amended or renewed on or after said date) (a) On and after October 1, 2016, a local or regional board of education shall enter into a written contract with a contractor any time such local or regional board of education shares or provides access to student information, student records or student-generated content with such contractor. Each such contract shall include, but need not be limited to, the following:

(1) A statement that student information, student records and student-generated content are not the property of or under the control of a contractor;

(2) A description of the means by which the local or regional board of education may request the deletion of student information, student records or student-generated content in the possession of the contractor;

(3) A statement that the contractor shall not use student information, student records and student-generated content for any purposes other than those authorized pursuant to the contract;

(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in student information, student records or student-generated content and correct erroneous information, if any, in such student record;

(5) A statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records and student-generated content;

(6) A description of the procedures that a contractor will follow to notify the local or regional board of education, in accordance with the provisions of section 4 of this act, when there has been an unauthorized release, disclosure or acquisition of student information, student records or student-generated content;

(7) A statement that student information, student records or student-generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;

(8) A statement that the contractor and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time;

(9) A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local or regional board of education; and

(10) A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.

(b) All student-generated content shall be the property of the student or the parent or legal guardian of the student.

(c) A contractor shall implement and maintain security procedures and practices designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure that, based on the sensitivity of the data and the risk from unauthorized access, (1) use technologies and methodologies that are consistent with the guidance issued pursuant to section 13402(h)(2) of Public Law 111-5, as amended from time to time, (2) maintain technical safeguards as it relates to the possession of student records in a manner consistent with the provisions of 45 CFR 164. 312, as amended from time to time, and (3) otherwise meet or exceed industry standards.

(d) A contractor shall not use (1) student information, student records or student-generated content for any purposes other than those authorized pursuant to the contract, or (2) personally identifiable information contained in student information, student records or student-generated content to engage in targeted advertising.

(e) Any provision of a contract entered into between a contractor and a local or regional board of education on or after October 1, 2016, that conflicts with any provision of this section shall be void.

(f) Any contract entered into on and after October 1, 2016, that does not include a provision required by subsection (a) of this section shall be void, provided the local or regional board of education has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the provision required by subsection (a) of this section.

(g) Not later than five business days after executing a contract pursuant to this section, a local or regional board of education shall provide electronic notice to any student and the parent or legal guardian of a student affected by the contract. The notice shall (1) state that the contract has been executed and the date that such contract was executed, (2) provide a brief description of the contract and the purpose of the contract, and (3) state what student information, student records or student-generated content may be collected as a result of the contract. The local or regional board of education shall post such notice and the contract on the board's Internet web site.

Sec. 3. (NEW) (Effective October 1, 2016) (a) An operator shall (1) implement and maintain security procedures and practices that meet or exceed industry standards and that are designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure, and (2) delete any student information, student records or student-generated content within a reasonable amount of time if a student, parent or legal guardian of a student or local or regional board of education who has the right to control such student information requests the deletion of such student information, student records or student-generated content.

(b) An operator shall not knowingly:

(1) Engage in (A) targeted advertising on the operator's Internet web site, online service or mobile application, or (B) targeted advertising on any other Internet web site, online service or mobile application if such advertising is based on any student information, student records, student-generated content or persistent unique identifiers that the operator has acquired because of the use of the operator's Internet web site, online service or mobile application for school purposes;

(2) Collect, store and use student information, student records, student-generated content or persistent unique identifiers for purposes other than the furtherance of school purposes;

(3) Sell, rent or trade student information, student records or student-generated content unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this section regarding student information; or

(4) Disclose student information, student records or student-generated content unless the disclosure is made (A) in furtherance of school purposes of the Internet web site, online service or mobile application, provided the recipient of the student information uses such student information to improve the operability and functionality of the Internet web site, online service or mobile application and complies with subsection (a) of this section; (B) to ensure compliance with federal or state law or regulations or pursuant to a court order; (C) in response to a judicial order; (D) to protect the safety or integrity of users or others, or the security of the Internet web site, online service or mobile application; (E) to an entity hired by the operator to provide services for the operator's Internet web site, online service or mobile application, provided the operator contractually (i) prohibits the entity from using student information, student records or student-generated content for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the entity from disclosing student information, student records or student-generated content provided by the operator to subsequent third parties, and (iii) requires the entity to comply with subsection (a) of this section; or (F) for a school purpose or other educational or employment purpose requested by a student or the parent or legal guardian of a student, provided such student information is not used or disclosed for any other purpose.

(c) An operator may use student information (1) to maintain, support, improve, evaluate or diagnose the operator's Internet web site, online service or mobile application, (2) for adaptive learning purposes or customized student learning, (3) to provide recommendation engines to recommend content or services relating to school purposes or other educational or employment purposes, provided such recommendation is not determined in whole or in part by payment or other consideration from a third party, or (4) to respond to a request for information or feedback from a student, provided such response is not determined in whole or in part by payment or other consideration from a third party.

(d) An operator may use de-identified student information or aggregated student information (1) to develop or improve the operator's Internet web site, online service or mobile application, or other Internet web sites, online services or mobile applications owned by the operator, or (2) to demonstrate or market the effectiveness of the operator's Internet web site, online service or mobile application.

(e) An operator may share aggregated student information or de-identified student information for the improvement and development of Internet web sites, online services or mobile applications designed for school purposes.

(f) Nothing in this section shall be construed to (1) limit the ability of a law enforcement agency to obtain student information, student records or student-generated content from an operator as authorized by law or pursuant to a court order, (2) limit the ability of a student or the parent or legal guardian of a student to download, export, transfer or otherwise save or maintain student information, student records or student-generated content, (3) impose a duty upon a provider of an interactive computer service, as defined in 47 USC 230, as amended from time to time, to ensure compliance with this section by third-party information content providers, as defined in 47 USC 230, as amended from time to time, (4) impose a duty upon a seller or provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software applications to review or enforce compliance with this section on such software applications, (5) limit an Internet service provider from providing a student, parent or legal guardian of a student or local or regional board of education with the ability to connect to the Internet, (6) prohibit an operator from advertising other Internet web sites, online services or mobile applications that are used for school purposes to parents or legal guardians of students, provided such advertising does not result from the operator's use of student information, student records or student-generated content, or (7) apply to Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally, even if the account credentials created for an operator's Internet web site, online service or mobile application may be used to access Internet web sites, online services or mobile applications that are designed and marketed for school purposes.

Sec. 4. (NEW) (Effective October 1, 2016) (a) (1) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, a contractor shall notify, without unreasonable delay, but not more than thirty days after such discovery, the local or regional board of education of such breach of security. During such thirty-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor's data system.

(2) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content, a contractor shall notify, without unreasonable delay, but not more than sixty days after such discovery, the local or regional board of education of such breach of security. During such sixty-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose directory information, student records or student-generated content is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor's data system.

(3) Upon receipt of notice of a breach of security under subdivisions (1) or (2) of this subsection, a local or regional board of education shall electronically notify, not later than forty-eight hours after receipt of such notice, the student and the parents or guardians of the student whose student information, student records or student-generated content is involved in such breach of security. The local or regional board of education shall post such notice on the board's Internet web site.

(b) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, student records or student-generated content, an operator that is in possession of or maintains student information, student records or student-generated content as a result of a student's use of such operator's Internet web site, online service or mobile application, shall (1) notify, without unreasonable delay, but not more than thirty days after such discovery, the student or the parents or guardians of such student of any breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, of such student, and (2) notify, without unreasonable delay, but not more than sixty days after such discovery, the student or the parents or guardians of such student of any breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content of such student. During such thirty-day or sixty-day period, the operator may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information, student records or student-generated content are involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the operator's data system.

Sec. 5. (Effective from passage) (a) There is established a task force to study issues relating to student data privacy. Such study shall include, but not be limited to, an examination of (1) when a parent or guardian of a student may reasonably or appropriately request the deletion of student information, student records or student-generated content that is in the possession of a contractor or operator, (2) means of providing notice to parents and guardians of students when a student uses an Internet web site, online service or mobile application of an operator for instructional purposes in a classroom or as part of an assignment by a teacher, (3) reasonable penalties for violations of the provisions of sections 2 to 4, inclusive, of this act, such as restricting a contractor or operator from accessing or collecting student information, student records or student-generated content, (4) strategies in effect in other states that ensure that school employees, contractors and operators are trained in data security handling, compliance and best practices, (5) the feasibility of developing a school district-wide list of approved Internet web sites, online services and mobile applications, (6) the use of an administrative hearing process designed to provide legal recourse to students and parents and guardians of students aggrieved by any violation of sections 2 to 4, inclusive, of this act, (7) the feasibility of creating an inventory of student information, student records and student-generated content currently collected pursuant to state and federal law, (8) the feasibility of developing a tool kit for use by local and regional boards of education to (A) improve student data contracting practices and compliance, including a state-wide template for use by districts, (B) increase school employee awareness of student data security best practices, including model training components, (C) develop district-wide lists of approved software applications and Internet web sites, and (D) increase the availability and accessibility of information on student data privacy for parents and guardians of students and educators, and (9) any other issue involving student data security that the task force deems relevant.

(b) The task force shall consist of the following members:

(1) Two appointed by the speaker of the House of Representatives, one of whom is an operator, pursuant to section 1 of this act and one of whom is an expert in information technology systems;

(2) Two appointed by the president pro tempore of the Senate, one of whom is a representative or member of the Connecticut Education Association and one of whom is a high school student in the state of Connecticut;

(3) Two appointed by the majority leader of the House of Representatives, one of whom is a representative of a contractor, pursuant to section 1 of this act and one of whom is an expert in information technology systems;

(4) Two appointed by the majority leader of the Senate, one of whom is a representative or member of the Connecticut Parent Teacher Association and one of whom is a representative or member of the American Federation of Teachers;

(5) Two appointed by the minority leader of the House of Representatives, one of whom is a student privacy advocate and one of whom is a representative or member of the Connecticut Association of Boards of Education;

(6) Two appointed by the minority leader of the Senate, one of whom is a representative of the Connecticut Association of School Administrators and one of whom is a representative or member of the Connecticut Association of Public School Superintendents;

(7) The Attorney General, or the Attorney General's designee; and

(8) The Commissioner of Education or the commissioner's designee.

(c) All appointments to the task force shall be made not later than thirty days after the effective date of this section. Any vacancy shall be filled by the appointing authority.

(d) The speaker of the House of Representatives and the president pro tempore of the Senate shall select the chairpersons of the task force from among the members of the task force. Such chairpersons shall schedule the first meeting of the task force, which shall be held not later than sixty days after the effective date of this section.

(e) The administrative staff of the joint standing committee of the General Assembly having cognizance of matters relating to general law shall serve as administrative staff of the task force.

(f) Not later than January 1, 2017, the task force shall submit a report on its findings and recommendations to the joint standing committee of the General Assembly having cognizance of matters relating to general law and education, in accordance with the provisions of section 11-4a of the general statutes. The task force shall terminate on the date that it submits such report or January 1, 2017, whichever is later.

Approved June 9, 2016