Arkansas Enacts Student Data Vendor Security Act | Practical Law

Arkansas Enacts Student Data Vendor Security Act | Practical Law

Arkansas has enacted a student data privacy law that imposes student data privacy and security obligations on contractors that provide online and mobile educational services and apps to public schools and prohibits them from selling student data.

Arkansas Enacts Student Data Vendor Security Act

Practical Law Legal Update w-039-2631 (Approx. 4 pages)

Arkansas Enacts Student Data Vendor Security Act

by Practical Law Data Privacy & Cybersecurity
Published on 25 Apr 2023Arkansas
Arkansas has enacted a student data privacy law that imposes student data privacy and security obligations on contractors that provide online and mobile educational services and apps to public schools and prohibits them from selling student data.
On April 12, 2023, Arkansas Governor Sarah Huckabee Sanders signed the Student Data Vendor Security Act (HB 1757) into law. The Act creates requirements for Arkansas public educational entities, including public schools, districts, and open-enrollment public charters, and entities that provide a "school service" to an educational entity under a formal, negotiated contract.
A school service includes a website, online service, online application, or mobile app that collects student personally identifiable information, and that is:
  • Designed and marketed primarily to be used in schools below the higher education level.
  • Used at the direction of teachers or other educational entity employees.
Under the Act, school service contract providers must:
  • Provide specified information about its student data collection practices to the educational entity in an easily-accessible format and in layman's terms.
  • Notify the educational entity before making material changes to its privacy policy that would materially reduce the level of protection for student data.
  • Allow the educational entity to access and correct student data upon request.
  • Notify the educational entity if it discovers the misuse or unauthorized disclosure of student data, whether or not it constitutes a material breach.
  • Collect, use, and disclose student data only:
    • as authorized by their contract; or
    • with the student data subject's consent, if 18, or their legal guardian's consent if underage.
  • Obtain new consent for secondary use purposes.
  • Require subcontractors receiving student data to comply with the Act's obligations.
  • Maintain a comprehensive information security program.
  • Destroy student data upon request, with exceptions for data subject consent and some transferring students.
  • Destroy student data at the time required by the contract, or if unspecified, as soon as practical after the data is no longer needed for contract purposes, and upon request, notify the educational entity when destruction is complete.
The Act prohibits school service contract providers from:
  • Selling student data.
  • Using or sharing student data for purposes of targeted advertising to students.
  • Profiling students, unless:
    • the contract terms authorize the profiling;
    • the student data subject is age 18 or over and consents; or
    • the student data subject's guardian consents.
The Student Data Vendor Security Act will become effective June 1, 2024.