AN ACT CONCERNING STUDENT DATA PRIVACY.

This bill restricts how student information may be used by (1) entities that contract to provide educational software and electronic storage of student records (“contractors”) and (2) operators of websites, online services, or mobile applications (i.e., apps).

Regarding software contractors that do business with local or regional boards of education, the State Board of Education (SBE), or the State Department of Education (SDE), the bill:

1. requires contracts between such contractors and boards of education, SBE, or SDE to contain specific provisions relating to the use and security of student information;

2. prohibits such contractors from using personally identifiable information from student records to engage in advertising or for any purposes other than those contractually authorized; and

3. requires boards of education to notify parents within five business days of executing a contract with such contractors.

The bill also voids any (1) contract provision between these parties that conflicts with the above requirements and prohibitions on or after October 1, 2016 or (2) contract between these parties that fails to include the above required provisions.

For operators of websites, online services, or mobile apps, the bill does the following:

1. requires such operators to maintain reasonable security practices to protect student information and delete student information upon student, parent, guardian, or board of education request;

2. prohibits such operators from engaging in targeted advertising, creating student profiles for purposes unrelated to school, or selling or disclosing student information, with some exceptions;

3. allows such operators to use student information and de-identified student information for purposes related to student learning or operational improvements.

The bill also requires school districts to withhold the release of student directory information if the local or regional board of education determines that a request for such information is not related to school purposes.

The bill does not provide any specific enforcement mechanism or penalties; however, existing law provides a civil penalty for each violation.

EFFECTIVE DATE: October 1, 2016, and the provision regarding (1) contracts is applicable to contracts entered into, amended, or renewed on or after that date and (2) directory information takes effect July 1, 2016.

The bill places a number of restrictions on how software and electronic information services contractors can use student information.

It defines contractors as individuals, businesses, or other entities that (1) provide educational software or services for storing, managing, or retrieving electronic student records and (2) receive student records under a written contract with a local or regional board of education, SBE, or SDE.

Under the bill, such contractors are banned from using (1) student records for any purposes other than those the contract authorizes or (2) personally identifiable information contained in student records for advertising.

The bill defines “student records” as any information (1) directly related to a student that boards of education, SDE, or SBE maintains and (2) acquired through a student's use of educational software that a teacher or other public education employee assigned. Student records do not include de-identified student information allowed under the contract that the contractor uses to:

“De-identified student information” means any information that cannot be used to identify an individual student.

Under the bill, every contract that a board of education, SDE, or SBE enters into with a contractor, beginning October 1, 2016, must include:

1. a statement that student records and student-generated content are not the property of, or under the control of, a contractor;

2. a statement that the contractor will not use student records for any purposes except those the contract authorizes;

3. a description of the procedures for a student, parent, or guardian to (a) review personally identifiable information in the student record and (b) correct erroneous information, if any, in the record;

4. a description of the actions the contractor agrees to take to ensure student record security and confidentiality;

5. a description of the procedures for notifying a student, parent, or guardian and the board of education, SBE, or SDE (as appropriate) as soon as practical, but not later than 48 hours, after the contractor becomes aware of, or suspects, that any student record under the contractor's control has been subject to unauthorized access or suspected unauthorized access;

6. a statement that the contractor and the board of education, SBE, or SDE will ensure compliance with the federal Family Educational Rights and Privacy Act of 1974 (FERPA), 20 USC 1232g (see BACKGROUND);

7. a description of how a student, parent, or legal guardian of a student may retain possession and control of student-generated content and, if applicable, how a student, parent, or guardian can transfer the student-generated content to an email account;

8. a statement that the contractor will not retain or have available student records after completing the contracted services unless a student, parent, or guardian chooses to establish or maintain an electronic account with the contractor to store student-generated content;

9. a statement that Connecticut law governs the rights and duties of all parties to the contract; and

10. a statement that a court finding of invalidity for any contract provision does not invalidate other contract provisions or applications that are not affected by the finding.

Under the bill “student-generated content” refers to materials a student creates, including essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessment.

The bill requires boards of education to notify affected students and their parents or guardians within five business days after entering into a contract with a software or information storage contractor. The notice must do the following:

1. state that the contract has been executed and its date of execution,

2. provide a brief description of the contract and its purpose,

3. state what student-generated content or student records may be collected under the contract, and

4. state that the parent or guardian of a student affected by the contract may choose to opt their student out of participation in the contract execution.

The bill restricts Internet website, online service, and app operators from using student information.

The bill defines these entities as operators of websites, online services, or mobile applications that are designed, used, and marketed for school purposes and who collect, maintain or use student information.

“School purposes” are activities directed by, or customarily take place at the direction of, a public school teacher or board of education and include classroom or at-home instruction, administrative activities, and collaboration among students, school personnel, or parents or guardians of students. (It is unclear what “customarily take place at the direction” of a teacher or board of education means in this context.)

“Students” refers to children who live in Connecticut and are enrolled in (1) a preschool program participating in the statewide public school information system (see BACKGROUND) or (2) grades kindergarten to 12 in a public school.

The bill defines “student information” as personally identifiable information that:

1. a student, parent, or legal guardian creates or provides by using the operator's website, service, or application for school purposes;

2. an employee or agent of a board of education creates or provides to an operator for school purposes; or

3. an operator gathers through the operator's website, service, or application and identifies a student, including (a) information in the student's records or email account; (b) first or last name; (c) home address or telephone number; (d) date of birth; (e) electronic mail address; (f) discipline records; (g) test results; (h) grades; (i) evaluations; (j) criminal, medical, or health records; (k) Social Security number; (l) biometric information; (m) disabilities; (n) socioeconomic information; (o) food purchases; (p) political or religious affiliations; (q) text messages; (r) documents; (s) student identifiers; (t) search activity; (u) photographs or voice recordings; (v) survey responses; or (w) behavioral assessments.

1. engaging in targeted advertising on the operator's or any other website, service, or application, that uses any student information that the operator acquired because a student, parent, or legal guardian used the operator's website, service, or application;

2. using student information created or gathered by the website, service, or application to create a student profile, except in furthering school purposes;

3. selling student information, unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the successor operator continues to be subject to the bill's provisions; and

4. disclosing student information, with some exceptions (see below).

The bill permits operators to disclose student information if the disclosure is made under the following circumstances:

1. in furtherance of school purposes of the website, online service, or app, provided the recipient of the information uses it to improve the functionality of the site, service, or app;

2. to ensure compliance with federal or state law;

3. in response to a judicial order;

4. to protect the safety of users or others, or the security of the website, online service, or app; or

5. to an entity hired by the operator to provide services for the website, online service, or app, as long as the operator contractually (a) prohibits the entity from using the information for any purpose other than providing the contracted service to, or on behalf of, the operator; (b) prohibits the entity from disclosing such student information to subsequent third parties; and (c) requires the entity to agree to maintain security procedures and delete any student information at a student's, parent's, or guardian's request.

Under the bill, an operator must (1) protect student information from unauthorized access, whenever and however stored or maintained, in accordance with current industry standards, and (2) delete a student's information if a student, parent, or guardian or the board of education requests the information be deleted.

Current state consumer protection law has a similar provision that requires anyone who possesses another person's personal information to safeguard, among other things, the data and computer files from misuse by third parties (CGS § 42-471). It also requires the data be destroyed or made unusable before it is disposed of. Willful violators may be subject to civil penalties of $500 for each violation, provided the penalty cannot exceed $500,000 for any single event.

The bill permits an operator to use de-identified student information to improve the operator's website, service, or application and to market the effectiveness of the website, service, or application. Under the bill, “de-identified student information” refers to any student information that has been altered to prevent the identification of an individual student. It also permits an operator to use aggregated de-identified student information for improvement and development of websites, services, or applications for school purposes.

Another portion of the bill allows the operator to use student information to maintain, support, evaluate, or diagnose the operator's website, service, or application or for adaptive learning purposes or customized student learning without specifying that the information first be de-identified.

The bill specifies that all of the above provisions applicable to operators of websites, online services, or apps do not do any of the following:

1. limit a law enforcement agency's ability to obtain student information from an operator authorized by law or court order;

2. limit a student's, parent's, or guardian's ability to download, transfer, or otherwise save or maintain student information;

3. impose a duty on an interactive computer services provider, as defined under federal law, to ensure third-party information content providers' compliance with the operator prohibitions and requirements in this bill;

4. impose a duty on a seller or provider of online services or apps to ensure compliance with the operator prohibitions and requirements in this bill regarding such online services or apps;

5. limit an Internet service provider from giving a student, parent, or guardian or a board of education the ability to connect to the Internet;

6. prohibit an operator from advertising other websites, online services, or apps used for school purposes to students' parents or guardians, as long as it does not result from the use of student information; or

7. apply to websites, online services, or apps designed and marketed for general use by individuals.

Under FERPA, a board of education may disclose directory information if a parent has not made a request to restrict disclosure. The bill defines “directory information” using federal regulations for FERPA (see BACKGROUND).

The bill maintains a local or regional board of education's authority to disclose directory information but prohibits a board from disclosing such information if it determines that the disclosure request is not related to school purposes.

This system is a statewide, standardized electronic database that tracks and reports data on student, teacher, school, and district performance growth. This data is available to local and regional boards of education for evaluating educational performance and growth of teachers and students enrolled in Connecticut public schools (CGS § 10-10a).

FERPA is the federal law that protects the privacy of student education records, with some exceptions (20 USC § 1232g). One exception is that FERPA allows school districts to disclose information they designate as “directory information” without prior parental consent (or student consent if the student is age 18 or older). Once a year, districts must notify parents of the policy and give them the opportunity to restrict the disclosure of directory information. Unless the parent affirmatively requests limiting disclosure, the district can disclose directory information.

“Directory information” means information contained in a student's education record that would generally not be considered harmful or an invasion of privacy if disclosed.

1. name, address, and telephone listing;

2. electronic mail address;

3. photograph;

4. date and place of birth;

5. major field of study;

6. grade level and enrollment status;

7. dates of attendance;

8. participation in officially recognized activities and sports;

9. weight and height of sports team members;

10. degrees, honors, and awards received;

11. most recent educational agency or institution attended; and

12. certain student identification (ID) numbers or unique personal identifiers that cannot be used to gain access to educational records.

Directory information does not include a student's social security number or student ID number that can be used to gain access to educational records (34 CFR § 99.3).