Colorado Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Colorado addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Colorado’s Student Data Transparency and Security Act is codified at C.R.S. § 22-16-101 – 22-16-112. The Act is meant to protect students’ personally identifiable information by increasing the level of transparency regarding, and specifying and enforcing limitations on, the collection, use, storage, and destruction of student data.

Entities that provide online services pursuant to a contract are “school service contract providers” or “contract providers” within the meaning of the Act.  The Act also applies to “on-demand providers” that provide a school service under unnegotiated, standardized terms of service that the provider creates.

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed by Colorado’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Colorado law that are applicable to Microsoft, and the relevant provision(s) from Microsoft’s DPA that address Microsoft’s compliance with each requirement.

| Colorado Law Provision | Compliant Microsoft Provision(s) |
| --- | --- |
| C.R.S. § 22-16-108(1): Provide clear information that is understandable by a layperson explaining the data elements of student personally identifiable information that the school service contract provider collects, the learning purpose for which the school service contract provider collects the student personally identifiable information, and how the school service contract provider uses and shares the student personally identifiable information | Microsoft Online Services Terms; Microsoft Online Services Data Protection Addendum |
| C.R.S. § 22-16-108(2): Clear notice of material changes to privacy policies | Microsoft Online Services Data Protection Addendum -> Notices |
| C.R.S. § 22-16-109(1)(a): Collection, use, and sharing of student personally identifiable information only for the purposes authorized in the contract | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| C.R.S. § 22-16-109(1)(b): Consent of the student or the student’s parent before using student personally identifiable information in a manner that is materially inconsistent with the school service contract provider’s privacy policy or materially inconsistent with the contract | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| C.R.S. § 22-16-109(2)(a): Selling a student’s personally identifiable information | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| C.R.S. § 22-16-109(2)(b): Targeted advertising based on personally identifiable information | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| C.R.S. § 22-16-109(2)(c): Use of information to create a personal profile about a student | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| C.R.S. § 22-16-110(1): Requirement to maintain a comprehensive information security program | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |
| C.R.S. § 22-16-110(2): Destruction of a student’s personally identifiable information upon request as soon as practicable during the term of the contract | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| C.R.S. § 22-16-110(3): Destruction of a student’s personally identifiable information following termination or conclusion of the contract | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |

In addition to the provisions above, C.R.S. § 22-16-108 requires that each school service contract provider shall facilitate access to and correction of any factually inaccurate student personally identifiable information by a contracting local education provider in response to a request for correction that the local education provider receives and responds to in accordance with section 22-16-112(1)(c).  C.R.S. § 22-16-108(3).

Upon discovering the misuse or unauthorized release of student personally identifiable information held by the contract provider, a subcontractor of the contract provider, or a subsequent subcontractor, the contract provider shall notify the contracting public education entity as soon as possible, regardless of whether the misuse or unauthorized release is a result of a material breach of the terms of the contract.  C.R.S. § 22-16-108(4).