•  Summary 
  •  Actions 
  •  Committee Votes 
  •  Floor Votes 
  •  Memo 
  •  Text 

A02628 Summary:

COSPNSRRosenthal, Otis, Lavine, Friend
Add S756, Ed L
Enacts the "K12 student privacy and cloud computing act" to prohibit service providers who offer cloud computing services to primary and secondary educational services from processing student data for commercial purposes.
Go to top

A02628 Text:

                STATE OF NEW YORK
                               2015-2016 Regular Sessions
                   IN ASSEMBLY
                                    January 20, 2015
        Introduced by M. of A. SIMOTAS, ROSENTHAL, OTIS, LAVINE -- read once and
          referred to the Committee on Education
        AN  ACT  to  amend  the  education law, in relation to enacting the "K12
          student privacy and cloud computing act" to prohibit service providers
          who offer cloud computing services to  primary  and  secondary  educa-
          tional  institutions  from  processing  student  data  for  commercial
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section  1.  Short  title. This act shall be known and may be cited as
     2  the "K12 student privacy and cloud computing act".
     3    § 2. Legislative findings. The legislature hereby finds and declares:
     4    1. Cloud  computing  services  enable  convenient,  on-demand  network
     5  access  to  a shared pool of configurable computing resources (including
     6  networks, servers, storage, applications,  and  services)  that  can  be
     7  rapidly  provisioned  and  released  with  minimal  management effort or
     8  service provider interaction;
     9    2. Cloud computing services offer tremendous potential to  educational
    10  institutions  in  terms of helping consolidate technical infrastructure,
    11  reducing energy and  capital  costs,  increasing  collaboration  through
    12  "anytime-anywhere" access to applications and information, and realizing
    13  efficiencies, network resilience, and flexible deployment; and
    14    3.  Cloud computing service providers hold the potential to invade the
    15  privacy of students by tracking students' online activities for  commer-
    16  cial  purposes,  such as delivering behaviorally targeted advertising or
    17  otherwise improving advertising services that the service  provider  may
    18  offer  in connection with or separate from the services it offers to the
    19  educational institution.
    20    In light of the foregoing,  the  legislature  deems  it  necessary  to
    21  ensure  that  when  an educational institution engages a cloud computing
    22  service provider to process student data, that the service provider uses
    23  student data only for the benefit of  the  educational  institution  and
    24  does  not  use  such  data  for  the  service  provider's own commercial
    25  purposes.
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.

        A. 2628                             2
     1    § 3. The education law is amended by adding a new section 756 to  read
     2  as follows:
     3    §  756.  Student  privacy and cloud computing. 1. Definitions. For the
     4  purposes of this section, the following terms shall have  the  following
     5  meanings:
     6    (a)  "Cloud  computing  service"  shall  mean  a  service that enables
     7  convenient, on-demand network access to a shared  pool  of  configurable
     8  computing  resources  to  provide  a  student,  teacher  or staff member
     9  account-based productivity applications such as email, document  storage
    10  and  document  editing that can be rapidly provisioned and released with
    11  minimal management effort or cloud  computing  service  provider  inter-
    12  action.
    13    (b)  "Cloud  computing  service  provider" shall mean an entity, other
    14  than  an  educational  institution,  that  operates  a  cloud  computing
    15  service.
    16    (c)  "Educational  institution"  shall  mean  any  public or nonpublic
    17  school, charter school, school district or board of  cooperative  educa-
    18  tional  services serving students in grades kindergarten through twelfth
    19  grade.
    20    (d) "Person" shall mean individual, partnership, corporation,  associ-
    21  ation, company or any other legal entity.
    22    (e)  "Process"  or "processing" shall mean to use, access, manipulate,
    23  scan, modify, transform, disclose, store,  transmit,  transfer,  retain,
    24  aggregate, or dispose of student data.
    25    (f)  "Student  data"  shall  mean  any information or materials in any
    26  media or format created or provided by: (i) a student in the  course  of
    27  the student's use of the cloud computing service; or (ii) an employee or
    28  agent  of  the  educational institution that is related to a student. In
    29  each case the term "student data" shall include, but not be  limited  to
    30  the  name,  electronic mail address, postal address, phone number, email
    31  message, word processing documents, unique identifiers, metadata,  of  a
    32  student, or any aggregations or derivatives thereof.
    33    2.  Prohibition on the use of student data. Any person who, with know-
    34  ledge that student data will be processed, provides  a  cloud  computing
    35  service  to  an  educational  institution, is prohibited from using that
    36  cloud computing service to process student data for any  secondary  uses
    37  that  benefit  the  cloud computing service provider or any third party,
    38  including, but not limited to, online behavioral  advertising,  creating
    39  or correcting an individual or household profile primarily for the cloud
    40  computing  service  provider's or any third party's benefit, the sale of
    41  the data for any commercial purpose, or  any  other  similar  commercial
    42  for-profit  activity;  provided,  however, a cloud computing service may
    43  process or monitor student data solely to provide such  service  to  the
    44  educational institution and maintain the integrity of such service.
    45    3.  Certification  of compliance. Any person who enters into an agree-
    46  ment to provide a cloud computing service to an educational  institution
    47  must  certify  in  writing  to the educational institution that it shall
    48  comply with the terms and conditions set forth  in  subdivision  two  of
    49  this section.
    50    § 4. This act shall take effect on the first of November next succeed-
    51  ing  the  date  on  which  it shall have become a law, provided that the
    52  commissioner of education and the board of  regents  are  authorized  to
    53  promulgate such rules and regulations as may be necessary for the timely
    54  implementation of this act on or before such effective date.
Go to top