Enacts the "K12 student privacy and cloud computing act" to prohibit service providers who offer cloud computing services to primary and secondary educational services from processing student data for commercial purposes.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A7243
SPONSOR: Simotas
 
TITLE OF BILL: An act to amend the education law, in relation to
enacting the "K12 student privacy and cloud computing act" to prohibit
service providers who offer cloud computing services to primary and
secondary educational institutions from processing student data for
commercial purposes
 
PURPOSE OF THE BILL:
To ensure that when an educational institution (primary and secondary)
engages a cloud computing service provider and such provider has access
to student data, such data may only be used to benefit the educational
institution and may not be used for the provider's own commercial
purposes, including profiling for the purposes of marketing and
advertising.
 
SUMMARY OF SPECIFIC PROVISIONS:
Section 1 refers to the measure as the "K-12 Student Privacy and Cloud
Computing Act."
Section 2 sets forth legislative intent -- essentially establishing that
cloud computing can deliver cost-effective, efficient on-demand network
services to educational institutions with the potential to provide
students with a full suite of information technology tools -- but also
harbors the potential to insidiously invade the privacy of students by
tracking and profiling their online activities for commercial purposes.
As a result, the Legislature finds that such activity should be
prohibited in the State's primary and secondary educational institutions.
Section 3 establishes a new § 815 in the Education Law to address the
issue of cloud computing and student privacy.
Subdivision 1 establishes clear definitions so that the prohibited
behavior is clearly defined.
Subdivision 2 prohibits any person who provides a cloud computing
service to an educational institution from processing student data of
any student or students for any commercial purposes, including but not
limited to advertising, marketing products or services, creating or
correcting an individual or household profile and sale of the data. An
exception is made for the processing of data necessary to provide the
service to the educational institution or maintain the integrity of the
system.
Subdivision 3 provides that, upon entering into an agreement with an
educational institution, a cloud computing service must certify in
writing to the institution that it shall comply with the prohibitions in
this act.
 
JUSTIFICATION:
As more and more schools have adopted advanced information technology
platforms as essential components of the educational paradigm,
policy-makers have demonstrated concern about the implications of student
privacy in the digital age. To that end, Congress has enacted the
"Family Education Rights Privacy Act" (FERPA) and the "Children's Online
Privacy Protection Act" (COPPA), ostensibly to address some of these
concerns.
Under FERPA, schools are required to notify parents at the beginning of
the school year of the right to "opt out" of school disclosure of a
student's personally identifiable information. While the benefits and
flaws of FERPA are much debated - it simply does not address the
challenges presented by a cloud-computing service provider (CSP) accessing
and processing student correspondence, school work product, photographs,
social networking and other information.
COPPA, on the other hand, regulates the online collection, use and
disclosure of personal information from children under 13 by operators
of websites and online services that are directed to children -
including, in certain cases, CSPs. COPPA generally applies to websites and
online services operated for commercial purposes, but may also apply to
schools that offer students access to online services such as email and
that are operated for commercial purposes. COPPA does not apply to a
CSP's online collection of information from students under the age of 13
as long as the collection of information is for the sole use and benefit
of the school. If, however, the CSP uses the collected information for
commercial purposes, then COPPA applies.
If COPPA does apply to a CSP who uses the student's data for commercial
purposes - the behavior is not barred, but rather the following steps
must be taken by the CSP:
1. Notice must be sent to the parent and verifiable consent must be
obtained;
2. The CSP must post a clear privacy notice on its website or online
service that explains what personal information is collected from
children and how it is used;
3. Limits must be placed on the collection of personal information that
is necessary to participate in the online activity;
4. Parents are to be provided with an opportunity to review and delete
their children's personal information;
5. The confidentiality, integrity and security of the children's personal
information must be protected.
Finally, COPPA also requires that an educational institution obtain
permission from a parent before using the online service.
While well-intended, in practicality, COPPA falls far short of
adequately insulating students (and parents) from wide-spread data
collection and profiling. In fact, under COPPA, schools are being asked
to monitor activities that they are ill-equipped to oversee, while the
few parents who are actually aware of what is at stake have to choose
between their child's privacy and the child's access to the same cloud
services that
the other students are using. Moreover, COPPA only applies to students
under the age of 13.
A recent study by Brunswick Insight* published this year revealed the
gap between Congressional intent and reality. In the study more than
1000 American parents with children in grades K-12 were surveyed. The
results were nothing less than stunning. Despite the privacy
requirements of FERPA and COPPA, there is a massive "awareness problem". As
parents were informed of the collection and use of data related to their
children:
* 75% of parents disapproved of CSPs tracking online behavior to build
profiles;
* 75% of parents objected to CSPs using data collected from in-school
email and Internet usage in order to target students with Internet
advertising;
* 76% disapproved of CSPs using additional service offerings, such as
video sharing or social networking, to get around privacy agreements and
collect children's personal information and track their online behavior;
and
* After receiving more information about online tracking and data mining,
an astounding 64% indicated that they would like to take action against
those practices.
Beyond awareness, there is an equally vexing problem. Schools are in the
proverbial Dark Ages when it comes to managing privacy issues. A recent
study by Professor Daniel Solove** concluded that K-12 educational
institutions did not have the expertise or personnel to manage privacy
issues. For example, his research failed to unearth a single Chief
Privacy Officer at any K-12 educational institution anywhere. Yet, in
light of what we know about protecting personal privacy, every school
should be able to tell you what steps they are taking to protect their
children's privacy; every school should be able to tell you about online
tracking by any of their cloud or online vendors; every school should be
doing online privacy audits; every school should conduct data inventory
or have data stewards. Unfortunately, this is not happening.
Unlike FERPA and COPPA, this legislation acknowledges the dual realities
that (1) parents are generally uninformed about the data that is being
collected on their children and how it is being used, but, once
informed, overwhelmingly reject that practice; and (2) our schools are
uniformly ill-equipped to manage the massive privacy concerns presented
by the sophisticated methods behind data mining and commercial
behavioral advertising. As a result, any cloud-computing service provider
doing business with educational institutions in New York would be
prohibited from data mining for commercial purposes and they must
certify, in writing, to the same.
 
PRIOR LEGISLATIVE HISTORY:
New Bill
 
FISCAL IMPLICATIONS:
None to the State; but will relieve school districts of some financial
obligations associated with complying with certain provisions of FERPA
and COPPA.
 
EFFECTIVE DATE:
The first day of November next after which it has become law, provided
that the commissioner of education and the board of regents are
authorized to promulgate such rules and regulations as may be necessary for
the timely implementation of such act on or before such effective date.
*Brunswick Insight, January 2013
(media/43502/brunswick_edu_data_privacy_report_jan_2013.pdf)
**Daniel J. Solove is the John Marshall Harlan Research Professor of Law
at George Washington University Law School and the founder of
TeachPrivacy (http://teachprivacy.com) and Senior Policy Advisor at Hogan
Lovells.
Permalink(/2013/1/8/parental-attitudes-about-student-privacy-online).
STATE OF NEW YORK
________________________________________________________________________
7243
2013-2014 Regular Sessions
IN ASSEMBLY
May 8, 2013
___________
Introduced by M. of A. SIMOTAS -- read once and referred to the
Committee on Education
AN ACT to amend the education law, in relation to enacting the "K12
student privacy and cloud computing act" to prohibit service providers
who offer cloud computing services to primary and secondary
educational institutions from processing student data for commercial
purposes
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Short title. This act shall be known and may be cited as
the "K12 student privacy and cloud computing act".
§ 2. Legislative findings. The legislature hereby finds and declares:
1. Cloud computing services enable convenient, on-demand network
access to a shared pool of configurable computing resources (including
networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort or
service provider interaction;
2. Cloud computing services offer tremendous potential to educational
institutions in terms of helping consolidate technical infrastructure,
reducing energy and capital costs, increasing collaboration through
"anytime-anywhere" access to applications and information, and realizing
efficiencies, network resilience, and flexible deployment; and
3. Cloud computing service providers hold the potential to invade the
privacy of students by tracking students' online activities for
commercial purposes, such as delivering behaviorally targeted advertising
or otherwise improving advertising services that the service provider may
offer in connection with or separate from the services it offers to the
educational institution.
In light of the foregoing, the legislature deems it necessary to
ensure that when an educational institution engages a cloud computing
service provider to process student data, that the service provider uses
student data only for the benefit of the educational institution and
does not use such data for the service provider's own commercial
purposes.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10789-01-3
§ 3. The education law is amended by adding a new section 755 to read
as follows:
§ 755. Student privacy and cloud computing. 1. Definitions. For the
purposes of this section, the following terms shall have the following
meanings:
(a) "Cloud computing service" shall mean a service that enables
convenient, on-demand network access to a shared pool of configurable
computing resources to provide a student, teacher or staff member
account-based productivity applications such as email, document storage
and document editing that can be rapidly provisioned and released with
minimal management effort or cloud computing service provider
interaction.
(b) "Cloud computing service provider" shall mean an entity, other
than an educational institution, that operates a cloud computing
service.
(c) "Educational institution" shall mean any public or nonpublic
school, charter school, school district or board of cooperative
educational services serving students in grades kindergarten through
twelfth grade.
(d) "Person" shall mean individual, partnership, corporation,
association, company or any other legal entity.
(e) "Process" or "processing" shall mean to use, access, manipulate,
scan, modify, transform, disclose, store, transmit, transfer, retain,
aggregate, or dispose of student data.
(f) "Student data" shall mean any information or materials in any
media or format created or provided by: (i) a student in the course of
the student's use of the cloud computing service; or (ii) an employee or
agent of the educational institution that is related to a student. In
each case the term "student data" shall include, but not be limited to
the name, electronic mail address, postal address, phone number, email
message, word processing documents, unique identifiers, metadata, of a
student, or any aggregations or derivatives thereof.
2. Prohibition on the use of student data. Any person who, with
knowledge that student data will be processed, provides a cloud computing
service to an educational institution, is prohibited from using that
cloud computing service to process student data for any secondary uses
that benefit the cloud computing service provider or any third party,
including, but not limited to, online behavioral advertising, creating
or correcting an individual or household profile primarily for the cloud
computing service provider's or any third party's benefit, the sale of
the data for any commercial purpose, or any other similar commercial
for-profit activity; provided, however, a cloud computing service may
process or monitor student data solely to provide such service to the
educational institution and maintain the integrity of such service.
3. Certification of compliance. Any person who enters into an
agreement to provide a cloud computing service to an educational
institution must certify in writing to the educational institution that
it shall comply with the terms and conditions set forth in subdivision
two of this section.
§ 4. This act shall take effect on the first of November next
succeeding the date on which it shall have become a law, provided that the
commissioner of education and the board of regents are authorized to
promulgate such rules and regulations as may be necessary for the timely
implementation of this act on or before such effective date.