The Student Data Vendor Security Act is designed to enhance the security and transparency of student data management by third-party vendors in Arkansas. It introduces a new subchapter to Arkansas Code Title 6, Chapter 18, defining key terms such as "student personally identifiable information," "school service," and "vendor." The Act mandates that local education agencies include provisions in vendor contracts to protect student data and maintain a list of school service providers. Additionally, it requires these agencies to provide parents access to this information upon request. School service contract providers must communicate their data collection and sharing practices and notify local education agencies of any misuse or unauthorized release of student data.
The legislation prohibits school service contract providers from selling student personally identifiable information (PII), using it for targeted advertising, or creating personal profiles without consent. It outlines specific circumstances for the permissible use or disclosure of student PII, such as legal compliance or safety, and mandates the maintenance of a comprehensive information security program. The bill also allows for the destruction of student PII upon request or after contract termination. It clarifies that students aged 18 or older or legally emancipated individuals can consent to the use of their PII, and the Act will take effect on June 1, 2024, with compliance required for contracts entered into or renewed after this date.