Colorado Student Data Privacy Bill – What EdTech Software Providers Need to Know


Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”) designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12).  Described by its sponsors and the media as nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers.

What software providers are covered by the Bill?

The Bill covers primarily commercial software providers that enter into a negotiated agreement for school services with a Public Education Entity (“School Service Contract Providers”). A school service is “any Internet website, online service, online application, or mobile application that is (i) designed and marketed primarily for use in a preschool, elementary school, or secondary school, (ii) is used at the direction of teachers or other employees of a local education provider, AND (iii) which collects, maintains, or uses student personally identifiable information.” A “school service” is not a website, online service or application, or mobile app designed and marketed for use by individuals or entities generally, even if it is also marketed to a U.S. preschool, elementary school or secondary school, but the key to covered entities here will turn on whether software or an application is “designed and primarily marketed.”

What type of information is protected by the Bill?

The Bill covers “student personally identifiable information,” which is very broadly defined as “information that, alone or in combination, personally identifies an individual student or the student’s parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.”

What does a “School Service Contract Provider” have to do to comply with the Bill?

Although the effective date is August 10, 2016, if you are a “Contract Provider” or an “On-Demand Provider” under the Bill, this is the time to begin thinking about what kind of changes you may need to make in your processes and procedures and to put in place an implementation plan to be compliant with the Bill by its effective date.


©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
National Law Review, Volumess VI, Number 179