Stricken language would be deleted from and underlined language would be added to present law.
1 State of Arkansas
2 94th General Assembly A Bill
3 Regular Session, 2023 SENATE BILL 500
4
5 By: Senator J. Bryant
6 By: Representative G. Hodges
7
8 For An Act To Be Entitled
9 AN ACT TO CREATE THE STUDENT DATA VENDOR SECURITY
10 ACT; AND FOR OTHER PURPOSES.
11
12
13 Subtitle
14 TO CREATE THE STUDENT DATA VENDOR
15 SECURITY ACT.
16
17
18 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:
19
20 SECTION 1. Arkansas Code Title 6, Chapter 18, is amended to add an
21 additional subchapter to read as follows:
22 Subchapter 25 — Student Data Vendor Security Act
23
24 6-18-2501. Title.
25 This subchapter shall be known and may be cited as the “Student Data
26 Vendor Security Act”.
27
28 6-18-2502. Purpose.
29 The purpose of this subchapter is to increase security and transparency
30 in the sharing and use of student data with and by third party vendors.
31
32 6-18-2503. Definitions.
33 As used in this subchapter:
34 (1) “Affiliate” means a legal entity that controls, is
35 controlled by, or is under common control with another legal entity;
36 (2) “Control” means:
*TNL312* 3/27/2023 4:36:02 PM TNL312
 SB500
1 (A) Ownership of, or the power to vote, more than fifty
2 percent (50%) of the outstanding voting securities of a company; or
3 (B) Control in any manner over the election of a majority
4 of the directors or of individuals exercising similar management functions of
5 a company;
6 (3) “Deidentified data” means data that cannot reasonably be
7 linked to an identified or identifiable natural person;
8 (4) “Destroy” means to remove student personally identifiable
9 information so that the information is permanently irretrievable in the
10 normal course of business;
11 (5) "Local education agency" means:
12 (A) A public school district; or
13 (B) An open-enrollment public charter school;
14 (6) “Parent” means:
15 (A) The biological or adoptive parent of a student;
16 (B) A student's legal guardian; or
17 (C) A person standing in loco parentis to a student;
18 (7) “Public education entity” means:
19 (A) The Department of Education;
20 (B) A public school within a public school district; or
21 (C) An open-enrollment public charter school;
22 (8)(A) “School service” means a website, online service, online
23 application, or mobile application that:
24 (i) Is designed and marketed primarily for use in a
25 preschool, elementary school, or secondary school;
26 (ii) Is used at the direction of teachers or other
27 employees of a local education agency; and
28 (iii) Collects, maintains, or uses student
29 personally identifiable information.
30 (B) “School service” does not include a website, online
31 service, online application, or mobile application that is designed and
32 marketed for use by individuals or entities generally, even if the website,
33 online service, online application, or mobile application is also marketed to
34 a preschool, elementary school, or secondary school;
35 (9) “School service contract provider” means an entity, other
36 than a local education agency or an institution of higher education, that
2 3/27/2023 4:36:02 PM TNL312
 SB500
1 enters into a formal, negotiated contract with a public education entity to
2 provide a school service;
3 (10) “School service on-demand provider” means an entity, other
4 than a public education entity or an institution of higher education, that
5 provides a school service to a public education entity, subject to agreement
6 by the public education entity, or an employee of the public education
7 entity, to standard, nonnegotiable terms and conditions of service
8 established by the entity;
9 (11)(A) “Student personally identifiable information” means
10 information that, alone or in combination, personally identifies an
11 individual student or the student’s parent or family, and that is collected,
12 maintained, generated, or inferred by:
13 (i) A public education entity, either directly or
14 through a school service;
15 (ii) A school service contract provider; or
16 (iii) A school service on-demand provider.
17 (B) “Student personally identifiable information” does not
18 include deidentified data;
19 (12)(A) “Targeted advertising” means selecting and sending
20 advertisements to a student based on personal data obtained or inferred over
21 time from the student’s online behavior, use of applications, or student
22 personally identifiable information.
23 (B) “Targeted advertising” does not include:
24 (i) Advertising to a student:
25 (a) At an online location based on the
26 student’s current visit to that location or in response to the student’s
27 request for information or feedback; and
28 (b) Without the collection and retention of a
29 student’s online activities over time;
30 (ii) Adaptive learning, personalized learning, or
31 customized education;
32 (iii) With the consent of a student or the student’s
33 parent, using the student’s personally identifiable information to identify
34 for the student institutions of higher education or scholarship providers
35 that are seeking students who meet specific criteria; or
36 (iv) Processing personal data solely for measuring
3 3/27/2023 4:36:02 PM TNL312
 SB500
1 or reporting advertising performance, reach, or frequency; and
2 (13)(A) “Vendor” means a business or other organization with
3 which a public education entity contracts for a product or service.
4 (B) “Vendor” includes a school service contract provider
5 and a school service on-demand provider.
6
7 6-18-2504. Local education agency — Vendor security and transparency.
8 (a) Each local education agency shall ensure that all contracts that
9 disclose or make available student personally identifiable information to
10 vendors, including school service contract providers, school service on-
11 demand providers, and other third parties, including without limitation
12 subcontractors of contract providers, include express provisions that
13 safeguard the privacy and security of student personally identifiable
14 information.
15 (b)(1)(A) Each local education agency shall maintain a list of the
16 school service contract providers that the local education agency contracts
17 with for school services that include or make available student personally
18 identifiable information.
19 (B) A local education agency shall:
20 (i) At a minimum, update the list of school service
21 contract providers required under subdivision (b)(1)(A) of this section at
22 the beginning and mid-point of each school year;
23 (ii) Upon the request of a parent, provide a copy of
24 the list required under subdivision (b)(1)(A) of this section; and
25 (iii) Maintain a copy of each contract between the
26 local education agency and a school service contract provider.
27 (2)(A) A local education agency shall ensure that the terms of a
28 contract entered into or renewed by the local education agency with a school
29 service contract provider on and after the effective date of this act, at a
30 minimum, require the school service contract provider to comply with the
31 requirements in § 6-18-2505 and § 6-18-2507.
32 (B)(i) If a school service contract provider commits a
33 material breach of a contract that involves the misuse or unauthorized
34 release of student personally identifiable information, the local education
35 agency shall determine whether to terminate the contract at the direction of,
36 or in accordance with a policy adopted by, the governing body of the local
4 3/27/2023 4:36:02 PM TNL312
 SB500
1 education agency.
2 (ii) At a minimum, within a reasonable time after
3 the local education agency identifies the existence of a material breach of
4 contract, the local education agency shall:
5 (a) Investigate the nature of the material
6 breach;
7 (b) Provide an opportunity for the school
8 service contract provider to respond concerning the alleged material breach;
9 (c) Obtain the advice and direction of the
10 governing body of the local education agency; and
11 (d) Determine whether to terminate or continue
12 the contract with the school service contract provider.
13 (3) On and after the effective date of this act, a local
14 education agency shall not enter into or renew a contract with a school
15 service contract provider that:
16 (A) Refuses to accept the terms specified in subdivision
17 (b)(2) of this section; or
18 (B) Has substantially failed to comply with one (1) or
19 more of the requirements in § 6-18-2505 and § 6-18-2507.
20 (c)(1)(A) Each local education agency shall maintain a list of the
21 school service on-demand providers that the local education agency or an
22 employee of the local education agency uses for school services that include
23 or make available student personally identifiable information.
24 (B) A local education agency shall:
25 (i) At a minimum, update the list of school service
26 on-demand providers required under subdivision (c)(1)(A) of this section at
27 the beginning and mid-point of each school year; and
28 (ii) Upon the request of a parent, provide a copy of
29 the list required under subdivision (c)(1)(A) of this section and, upon
30 further request of the parent, assist the parent in obtaining the data
31 privacy policy of the school service on-demand providers.
32 (2) If a parent has evidence demonstrating that a school service
33 on-demand provider with which a local education agency or an employee of a
34 local education agency acting on behalf of a local education agency contracts
35 does not substantially comply with the school service on-demand provider’s
36 privacy policy or does not meet the requirements in § 6-18-2506(b) and § 6-
5 3/27/2023 4:36:02 PM TNL312
 SB500
1 18-2507(a), the parent may notify the local education agency and provide the
2 evidence for the parent’s conclusion.
3 (3)(A) If a local education agency has evidence demonstrating
4 that a school service on-demand provider does not substantially comply with
5 the school service on-demand provider’s privacy policy or does not meet the
6 requirements in § 6-18-2506(b) and § 6-18-2507(a), the local education agency
7 may cease using or refuse to use the school service on-demand provider and
8 prohibit employees of the local education agency from using the school
9 service on-demand provider.
10 (B) The local education agency shall notify the school
11 service on-demand provider that the:
12 (i) Local education agency is ceasing or refusing to
13 use the school service on-demand provider under subdivision (c)(3)(A) of this
14 section; and
15 (ii) School service on-demand provider may submit a
16 written response to the local education agency.
17 (C) The local education agency shall:
18 (i) Notify the Department of Education if the local
19 education agency ceases using a school service on-demand provider for the
20 reasons described in subdivision (c)(3) of this section; and
21 (ii) Provide a copy of any written response that a
22 school service on-demand provider submits to the local education agency under
23 subdivision (c)(3)(b)(ii) of this section.
24
25 6-18-2505. School service contract provider — Data transparency.
26 (a)(1) Each school service contract provider shall provide clear
27 information that is understandable by a layperson explaining:
28 (A) The elements of student personally identifiable
29 information that the school service contract provider collects;
30 (B) The purpose for which the school service contract
31 provider collects the student personally identifiable information; and
32 (C) How the school service contract provider uses and
33 shares the student personally identifiable information.
34 (2) The information required under subdivision (a)(1) of this
35 section shall include all student personally identifiable information that
36 the school service contract provider collects regardless of whether it is
6 3/27/2023 4:36:02 PM TNL312
 SB500
1 initially collected or ultimately held individually or in the aggregate.
2 (3) A school service contract provider shall:
3 (A) Provide the information required under subdivision
4 (a)(1) of this section to each public education entity that the school
5 service contract provider contracts with in a format that is easily
6 accessible; and
7 (B) Update the information required under subdivision
8 (a)(1) of this section as necessary to maintain accuracy.
9 (b) A school service contract provider shall:
10 (1) Provide clear notice to each public education entity that it
11 contracts with before making material changes to its privacy policy for
12 school services that would result in a material reduction in the level of
13 privacy and security provided for student personally identifiable
14 information; and
15 (2) Facilitate access to and the correction of any factually
16 inaccurate student personally identifiable information by a contracting local
17 education agency in response to a request for correction that the local
18 education agency receives and to which the local education agency responds.
19 (d) Upon discovering the misuse or unauthorized release of student
20 personally identifiable information held by a school service contract
21 provider, a subcontractor of a school service contract provider, or a
22 subsequent subcontractor of a school service contract provider, the school
23 service contract provider shall notify the contracting public education
24 entity as soon as possible, regardless of whether the misuse or unauthorized
25 release is a result of a material breach of the terms of a contract.
26
27 6-18-2506. School service contract provider — Use of data.
28 (a)(1) A school service contract provider may collect, use, and share
29 student personally identifiable information only:
30 (A) For the purposes authorized in the contract between
31 the school service contract provider and a public education entity; or
32 (B) With the consent of the student who is the subject of
33 the information or the student’s parent.
34 (2) A school service contract provider shall obtain the consent
35 of a student or a student’s parent before using student personally
36 identifiable information in a manner that is materially inconsistent with the
7 3/27/2023 4:36:02 PM TNL312
 SB500
1 contract between the school service contract provider and the public
2 education entity that applies to the collection of the student personally
3 identifiable information.
4 (b)(1) A school service contract provider shall not:
5