LD 1780
Session - 126th Maine Legislature
LR 2694
Item 1
Bill Tracking, Additional Documents Chamber Status

An Act To Prohibit Providers of Cloud Computing Service to Elementary and Secondary Educational Institutions from Processing Student Data for Commercial Purposes

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 20-A MRSA §6006  is enacted to read:

§ 6006 Student privacy and cloud computing

1 Definitions.   As used in this section, unless the context otherwise indicates, the following terms have the following meanings.
A "Cloud computing service" means a service that enables convenient, on-demand network access to a shared pool of configurable computing resources to provide a student, teacher or staff member with account-based productivity applications such as e-mail, document storage and document editing that can be rapidly accessed and made available with minimal management effort or interaction by a cloud computing service provider.
B "Cloud computing service provider" means a person, other than an educational institution, that operates a cloud computing service.
C "Educational institution" means any public, private or charter school or school administrative unit serving students in kindergarten to grade 12.
D "Person" means an individual, partnership, corporation, association, company or any other legal entity.
E "Process" means to use, access, manipulate, scan, modify, transform, disclose, store, transmit, transfer, retain, aggregate or dispose of student data.
F "Student data" means any information or materials in any media or format created or provided by:

(1) A student in the course of the student's use of a cloud computing service; or

(2) An employee or agent of an educational institution, if the information or materials are related to a student.

"Student data" includes, but is not limited to, the name, e-mail address, postal address, telephone number, unique identifier or metadata or any e-mail message or word processing document of a student.

2 Prohibition on the use of student data.   A cloud computing service provider that, with knowledge that student data will be processed, provides a cloud computing service to an educational institution may not use that cloud computing service to process student data for any secondary use that benefits the cloud computing service provider or any 3rd party, including, but not limited to:
A Collecting information relating to a student's online activity;
B Creating or correcting an individual or household profile primarily for the benefit of the cloud computing service provider or any 3rd party;
C Selling the student data for any commercial purpose; or
D Providing for any other similar commercial for-profit activity, except that a cloud computing service may process or monitor student data solely to provide the cloud computing service to the educational institution and maintain the integrity of the service.
3 Certification of compliance.   A cloud computing service provider that enters into an agreement to provide a cloud computing service to an educational institution shall certify in writing to the educational institution that it will comply with the provisions in subsection 2.
4 Rulemaking.   The commissioner may adopt rules to implement this section. Rules adopted pursuant to this subsection are routine technical rules as defined in Title 5, chapter 375, subchapter 2-A.


This bill prohibits a cloud computing service provider that provides a cloud computing service to an educational institution from using that service to process student data for any secondary use that benefits the provider or any 3rd party.

Top of Page