Bill Amendment: IL HB3606 | 2019-2020 | 101st General Assembly
NOTE: For additional amemendments please see the Bill Drafting List
Bill Title: STUDENT ONLINE PROTECTION
Status: 2019-08-23 - Public Act . . . . . . . . . 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-Senate_Amendment_002.html
Bill Title: STUDENT ONLINE PROTECTION
Status: 2019-08-23 - Public Act . . . . . . . . . 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-Senate_Amendment_002.html
| |||||||
| |||||||
| |||||||
| 1 | AMENDMENT TO HOUSE BILL 3606
| ||||||
| 2 | AMENDMENT NO. ______. Amend House Bill 3606, AS AMENDED, by | ||||||
| 3 | replacing everything after the enacting clause with the | ||||||
| 4 | following:
| ||||||
| 5 | "Section 5. The Student Online Personal Protection Act is | ||||||
| 6 | amended by changing Sections 5, 10, 15, and 30 and by adding | ||||||
| 7 | Sections 26, 27, 28, and 33 as follows:
| ||||||
| 8 | (105 ILCS 85/5)
| ||||||
| 9 | Sec. 5. Definitions. In this Act: | ||||||
| 10 | "Breach" means the unauthorized acquisition of | ||||||
| 11 | computerized data that compromises the security, | ||||||
| 12 | confidentiality, or integrity of covered information | ||||||
| 13 | maintained by an operator or school. "Breach" does not include | ||||||
| 14 | the good faith acquisition of personal information by an | ||||||
| 15 | employee or agent of an operator or school for a legitimate | ||||||
| 16 | purpose of the operator or school if the covered information is | ||||||
| |||||||
| |||||||
| 1 | not used for a purpose prohibited by this Act or subject to | ||||||
| 2 | further unauthorized disclosure. | ||||||
| 3 | "Covered information" means personally identifiable | ||||||
| 4 | information or material or information that is linked to | ||||||
| 5 | personally identifiable information or material in any media or | ||||||
| 6 | format that is not publicly available and is any of the | ||||||
| 7 | following: | ||||||
| 8 | (1) Created by or provided to an operator by a student | ||||||
| 9 | or the student's parent or legal guardian in the course of | ||||||
| 10 | the student's or , parent's, or legal guardian's use of the | ||||||
| 11 | operator's site, service, or application for K through 12 | ||||||
| 12 | school purposes. | ||||||
| 13 | (2) Created by or provided to an operator by an | ||||||
| 14 | employee or agent of a school or school district for K | ||||||
| 15 | through 12 school purposes. | ||||||
| 16 | (3) Gathered by an operator through the operation of | ||||||
| 17 | its site, service, or application for K through 12 school | ||||||
| 18 | purposes and personally identifies a student, including, | ||||||
| 19 | but not limited to, information in the student's | ||||||
| 20 | educational record or electronic mail, first and last name, | ||||||
| 21 | home address, telephone number, electronic mail address, | ||||||
| 22 | or other information that allows physical or online | ||||||
| 23 | contact, discipline records, test results, special | ||||||
| 24 | education data, juvenile dependency records, grades, | ||||||
| 25 | evaluations, criminal records, medical records, health | ||||||
| 26 | records, a social security number, biometric information, | ||||||
| |||||||
| |||||||
| 1 | disabilities, socioeconomic information, food purchases, | ||||||
| 2 | political affiliations, religious information, text | ||||||
| 3 | messages, documents, student identifiers, search activity, | ||||||
| 4 | photos, voice recordings, or geolocation information. | ||||||
| 5 | "Interactive computer service" has the meaning ascribed to | ||||||
| 6 | that term in Section 230 of the federal Communications Decency | ||||||
| 7 | Act of 1996 (47 U.S.C. 230). | ||||||
| 8 | "K through 12 school purposes" means purposes that are | ||||||
| 9 | directed by or that customarily take place at the direction of | ||||||
| 10 | a school, teacher, or school district; aid in the | ||||||
| 11 | administration of school activities, including, but not | ||||||
| 12 | limited to, instruction in the classroom or at home, | ||||||
| 13 | administrative activities, and collaboration between students, | ||||||
| 14 | school personnel, or parents; or are otherwise for the use and | ||||||
| 15 | benefit of the school. | ||||||
| 16 | "Longitudinal data system" has the meaning given to that | ||||||
| 17 | term under the P-20 Longitudinal Education Data System Act. | ||||||
| 18 | "Operator" means, to the extent that an entity is operating | ||||||
| 19 | in this capacity, the operator of an Internet website, online | ||||||
| 20 | service, online application, or mobile application with actual | ||||||
| 21 | knowledge that the site, service, or application is used | ||||||
| 22 | primarily for K through 12 school purposes and was designed and | ||||||
| 23 | marketed for K through 12 school purposes. | ||||||
| 24 | "Parent" has the meaning given to that term under the | ||||||
| 25 | Illinois School Student Records Act. | ||||||
| 26 | "School" means (1) any preschool, public kindergarten, | ||||||
| |||||||
| |||||||
| 1 | elementary or secondary educational institution, vocational | ||||||
| 2 | school, special educational facility, or any other elementary | ||||||
| 3 | or secondary educational agency or institution or (2) any | ||||||
| 4 | person, agency, or institution that maintains school student | ||||||
| 5 | records from more than one school. Except as otherwise provided | ||||||
| 6 | in this Act, "school" "School" includes a private or nonpublic | ||||||
| 7 | school. | ||||||
| 8 | "State Board" means the State Board of Education. | ||||||
| 9 | "Student" has the meaning given to that term under the | ||||||
| 10 | Illinois School Student Records Act. | ||||||
| 11 | "Targeted advertising" means presenting advertisements to | ||||||
| 12 | a student where the advertisement is selected based on | ||||||
| 13 | information obtained or inferred over time from that student's | ||||||
| 14 | online behavior, usage of applications, or covered | ||||||
| 15 | information. The term does not include advertising to a student | ||||||
| 16 | at an online location based upon that student's current visit | ||||||
| 17 | to that location or in response to that student's request for | ||||||
| 18 | information or feedback, without the retention of that | ||||||
| 19 | student's online activities or requests over time for the | ||||||
| 20 | purpose of targeting subsequent ads.
| ||||||
| 21 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 22 | (105 ILCS 85/10)
| ||||||
| 23 | Sec. 10. Operator prohibitions. An operator shall not | ||||||
| 24 | knowingly do any of the following: | ||||||
| 25 | (1) Engage in targeted advertising on the operator's | ||||||
| |||||||
| |||||||
| 1 | site, service, or application or target advertising on any | ||||||
| 2 | other site, service, or application if the targeting of the | ||||||
| 3 | advertising is based on any information, including covered | ||||||
| 4 | information and persistent unique identifiers, that the | ||||||
| 5 | operator has acquired because of the use of that operator's | ||||||
| 6 | site, service, or application for K through 12 school | ||||||
| 7 | purposes. | ||||||
| 8 | (2) Use information, including persistent unique | ||||||
| 9 | identifiers, created or gathered by the operator's site, | ||||||
| 10 | service, or application to amass a profile about a student, | ||||||
| 11 | except in furtherance of K through 12 school purposes. | ||||||
| 12 | "Amass a profile" does not include the collection and | ||||||
| 13 | retention of account information that remains under the | ||||||
| 14 | control of the student, the student's parent or legal | ||||||
| 15 | guardian, or the school. | ||||||
| 16 | (3) Sell or rent a student's information, including | ||||||
| 17 | covered information. This subdivision (3) does not apply to | ||||||
| 18 | the purchase, merger, or other type of acquisition of an | ||||||
| 19 | operator by another entity if the operator or successor | ||||||
| 20 | entity complies with this Act regarding previously | ||||||
| 21 | acquired student information. | ||||||
| 22 | (4) Except as otherwise provided in Section 20 of this | ||||||
| 23 | Act, disclose covered information, unless the disclosure | ||||||
| 24 | is made for the following purposes: | ||||||
| 25 | (A) In furtherance of the K through 12 school | ||||||
| 26 | purposes of the site, service, or application if the | ||||||
| |||||||
| |||||||
| 1 | recipient of the covered information disclosed under | ||||||
| 2 | this clause (A) does not further disclose the | ||||||
| 3 | information, unless done to allow or improve | ||||||
| 4 | operability and functionality of the operator's site, | ||||||
| 5 | service, or application. | ||||||
| 6 | (B) To ensure legal and regulatory compliance or | ||||||
| 7 | take precautions
against liability. | ||||||
| 8 | (C) To respond to the judicial process. | ||||||
| 9 | (D) To protect the safety or integrity of users of | ||||||
| 10 | the site or others or the security of the site, | ||||||
| 11 | service, or application. | ||||||
| 12 | (E) For a school, educational, or employment | ||||||
| 13 | purpose requested by the student or the student's | ||||||
| 14 | parent or legal guardian, provided that the | ||||||
| 15 | information is not used or further disclosed for any | ||||||
| 16 | other purpose. | ||||||
| 17 | (F) To a third party if the operator contractually | ||||||
| 18 | prohibits the third party from using any covered | ||||||
| 19 | information for any purpose other than providing the | ||||||
| 20 | contracted service to or on behalf of the operator, | ||||||
| 21 | prohibits the third party from disclosing any covered | ||||||
| 22 | information provided by the operator with subsequent | ||||||
| 23 | third parties, and requires the third party to | ||||||
| 24 | implement and maintain reasonable security procedures | ||||||
| 25 | and practices as required under Section 15. | ||||||
| 26 | Nothing in this Section prohibits the operator's use of | ||||||
| |||||||
| |||||||
| 1 | information for maintaining, developing, supporting, | ||||||
| 2 | improving, or diagnosing the operator's site, service, or | ||||||
| 3 | application.
| ||||||
| 4 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 5 | (105 ILCS 85/15)
| ||||||
| 6 | Sec. 15. Operator duties. An operator shall do the | ||||||
| 7 | following: | ||||||
| 8 | (1) Implement and maintain reasonable security | ||||||
| 9 | procedures and practices that otherwise meet or exceed | ||||||
| 10 | industry standards appropriate to the nature of the covered | ||||||
| 11 | information and designed to protect that covered | ||||||
| 12 | information from unauthorized access, destruction, use, | ||||||
| 13 | modification, or disclosure. | ||||||
| 14 | (2) Delete, within a reasonable time period, a | ||||||
| 15 | student's covered information if the school or school | ||||||
| 16 | district requests deletion of covered information under | ||||||
| 17 | the control of the school or school district, unless a | ||||||
| 18 | student or his or her parent or legal guardian consents to | ||||||
| 19 | the maintenance of the covered information. | ||||||
| 20 | (3) Publicly disclose material information about its | ||||||
| 21 | collection, use, and disclosure of covered information, | ||||||
| 22 | including, but not limited to, publishing a terms of | ||||||
| 23 | service agreement, privacy policy, or similar document. | ||||||
| 24 | (4) Except for a nonpublic school, for any operator who | ||||||
| 25 | seeks to receive from a school, school district, or the | ||||||
| |||||||
| |||||||
| 1 | State Board in any manner any covered information, enter | ||||||
| 2 | into a written agreement with the school, school district, | ||||||
| 3 | or State Board before the covered information may be | ||||||
| 4 | transferred. The written agreement may be created in | ||||||
| 5 | electronic form and signed with an electronic or digital | ||||||
| 6 | signature or may be a click wrap agreement that is used | ||||||
| 7 | with software licenses, downloaded or online applications | ||||||
| 8 | and transactions for educational technologies, or other | ||||||
| 9 | technologies in which a user must agree to terms and | ||||||
| 10 | conditions before using the product or service. Any written | ||||||
| 11 | agreement entered into, amended, or renewed must contain | ||||||
| 12 | all of the following: | ||||||
| 13 | (A) A listing of the categories or types of covered | ||||||
| 14 | information to be provided to the operator. | ||||||
| 15 | (B) A statement of the product or service being | ||||||
| 16 | provided to the school by the operator. | ||||||
| 17 | (C) A statement that, pursuant to the federal | ||||||
| 18 | Family Educational Rights and Privacy Act of 1974, the | ||||||
| 19 | operator is acting as a school official with a | ||||||
| 20 | legitimate educational interest, is performing an | ||||||
| 21 | institutional service or function for which the school | ||||||
| 22 | would otherwise use employees, under the direct | ||||||
| 23 | control of the school, with respect to the use and | ||||||
| 24 | maintenance of covered information, and is using the | ||||||
| 25 | covered information only for an authorized purpose and | ||||||
| 26 | may not re-disclose it to third parties or affiliates, | ||||||
| |||||||
| |||||||
| 1 | unless otherwise permitted under this Act, without | ||||||
| 2 | permission from the school or pursuant to court order. | ||||||
| 3 | (D) A description of how, if a breach is attributed | ||||||
| 4 | to the operator, any costs and expenses incurred by the | ||||||
| 5 | school in investigating and remediating the breach | ||||||
| 6 | will be allocated between the operator and the school. | ||||||
| 7 | The costs and expenses may include, but are not limited | ||||||
| 8 | to: | ||||||
| 9 | (i) providing notification to the parents of | ||||||
| 10 | those students whose covered information was | ||||||
| 11 | compromised and to regulatory agencies or other | ||||||
| 12 | entities as required by law or contract; | ||||||
| 13 | (ii) providing credit monitoring to those | ||||||
| 14 | students whose covered information was exposed in | ||||||
| 15 | a manner during the breach that a reasonable person | ||||||
| 16 | would believe that it could impact his or her | ||||||
| 17 | credit or financial security; | ||||||
| 18 | (iii) legal fees, audit costs, fines, and any | ||||||
| 19 | other fees or damages imposed against the school as | ||||||
| 20 | a result of the security breach; and | ||||||
| 21 | (iv) providing any other notifications or | ||||||
| 22 | fulfilling any other requirements adopted by the | ||||||
| 23 | State Board or of any other State or federal laws. | ||||||
| 24 | (E) A statement that the operator must delete or | ||||||
| 25 | transfer to the school all covered information if the | ||||||
| 26 | information is no longer needed for the purposes of the | ||||||
| |||||||
| |||||||
| 1 | written agreement and to specify the time period in | ||||||
| 2 | which the information must be deleted or transferred | ||||||
| 3 | once the operator is made aware that the information is | ||||||
| 4 | no longer needed for the purposes of the written | ||||||
| 5 | agreement. | ||||||
| 6 | (F) If the school maintains a website, a statement | ||||||
| 7 | that the school must publish the written agreement on | ||||||
| 8 | the school's website. If the school does not maintain a | ||||||
| 9 | website, a statement that the school must make the | ||||||
| 10 | written agreement available for inspection by the | ||||||
| 11 | general public at its administrative office. If | ||||||
| 12 | mutually agreed upon by the school and the operator, | ||||||
| 13 | provisions of the written agreement, other than those | ||||||
| 14 | under subparagraphs (A), (B), and (C), may be redacted | ||||||
| 15 | in the copy of the written agreement published on the | ||||||
| 16 | school's website or made available at its | ||||||
| 17 | administrative office. | ||||||
| 18 | (5) In case of any breach, within the most expedient | ||||||
| 19 | time possible and without unreasonable delay, but no later | ||||||
| 20 | than 30 calendar days after the determination that a breach | ||||||
| 21 | has occurred, notify the school of any breach of the | ||||||
| 22 | students' covered information.
| ||||||
| 23 | (6) Except for a nonpublic school, provide to the | ||||||
| 24 | school a list of any third parties or affiliates to whom | ||||||
| 25 | the operator is currently disclosing covered information | ||||||
| 26 | or has disclosed covered information. This list must, at a | ||||||
| |||||||
| |||||||
| 1 | minimum, be updated and provided to the school by the | ||||||
| 2 | beginning of each State fiscal year and at the beginning of | ||||||
| 3 | each calendar year. | ||||||
| 4 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 5 | (105 ILCS 85/26 new) | ||||||
| 6 | Sec. 26. School prohibitions. A school may not do either of | ||||||
| 7 | the following: | ||||||
| 8 | (1) Sell, rent, lease, or trade covered information. | ||||||
| 9 | (2) Share, transfer, disclose, or provide access to a | ||||||
| 10 | student's covered information to an entity or individual, | ||||||
| 11 | other than the student's parent, school personnel, or the | ||||||
| 12 | State Board, without a written agreement, unless the | ||||||
| 13 | disclosure or transfer is: | ||||||
| 14 | (A) to the extent permitted by State or federal | ||||||
| 15 | law, to law enforcement officials to protect the safety | ||||||
| 16 | of users or others or the security or integrity of the | ||||||
| 17 | operator's service; | ||||||
| 18 | (B) required by court order or State or federal | ||||||
| 19 | law; or | ||||||
| 20 | (C) to ensure legal or regulatory compliance. | ||||||
| 21 | This paragraph (2) does not apply to nonpublic schools.
| ||||||
| 22 | (105 ILCS 85/27 new) | ||||||
| 23 | Sec. 27. School duties. | ||||||
| 24 | (a) Each school shall post and maintain on its website or, | ||||||
| |||||||
| |||||||
| 1 | if the school does not maintain a website, make available for | ||||||
| 2 | inspection by the general public at its administrative office | ||||||
| 3 | all of the following information: | ||||||
| 4 | (1) An explanation, that is clear and understandable by | ||||||
| 5 | a layperson, of the data elements of covered information | ||||||
| 6 | that the school collects, maintains, or discloses to any | ||||||
| 7 | person, entity, third party, or governmental agency. The | ||||||
| 8 | information must explain how the school uses, to whom or | ||||||
| 9 | what entities it discloses, and for what purpose it | ||||||
| 10 | discloses the covered information. | ||||||
| 11 | (2) A list of operators that the school has written | ||||||
| 12 | agreements with, a copy of each written agreement, and a | ||||||
| 13 | business address for each operator. A copy of a written | ||||||
| 14 | agreement posted or made available by a school under this | ||||||
| 15 | paragraph may contain redactions, as provided under | ||||||
| 16 | subparagraph (F) of paragraph (4) of Section 15. | ||||||
| 17 | (3) For each operator, a list of any subcontractors to | ||||||
| 18 | whom covered information may be disclosed, as provided by | ||||||
| 19 | the operator to the school under paragraph (6) of Section | ||||||
| 20 | 15. | ||||||
| 21 | (4) A written description of the procedures that a | ||||||
| 22 | parent may use to carry out the rights enumerated under | ||||||
| 23 | Section 33. | ||||||
| 24 | (5) A list of any breaches of covered information | ||||||
| 25 | maintained by the school or breaches under Section 15 that | ||||||
| 26 | includes, but is not limited to, all of the following | ||||||
| |||||||
| |||||||
| 1 | information: | ||||||
| 2 | (A) The number of students whose covered | ||||||
| 3 | information is involved in the breach. | ||||||
| 4 | (B) The date, estimated date, or estimated date | ||||||
| 5 | range of the breach. | ||||||
| 6 | (C) For a breach under Section 15, the name of the | ||||||
| 7 | operator. | ||||||
| 8 | The school may omit from the list required under this | ||||||
| 9 | paragraph (5) (i) any breach in which, to the best of the | ||||||
| 10 | school's knowledge at the time of updating the list, the | ||||||
| 11 | number of students whose covered information is involved in | ||||||
| 12 | the breach is less than 10% of the school's enrollment, | ||||||
| 13 | (ii) any breach in which, at the time of posting the list, | ||||||
| 14 | the school is not required to notify the parent of a | ||||||
| 15 | student under subsection (d), (iii) any breach in which the | ||||||
| 16 | date, estimated date, or estimated date range in which it | ||||||
| 17 | occurred is earlier than July 1, 2021, or (iv) any breach | ||||||
| 18 | previously posted on a list under this paragraph (5) no | ||||||
| 19 | more than 5 years prior to the school updating the current | ||||||
| 20 | list. | ||||||
| 21 | The school must, at a minimum, update the items under | ||||||
| 22 | paragraphs (1), (3), (4), and (5) no later than 30 calendar | ||||||
| 23 | days following the start of a fiscal year and no later than 30 | ||||||
| 24 | days following the beginning of a calendar year. | ||||||
| 25 | (b) Each school must adopt a policy designating which | ||||||
| 26 | school employees are authorized to enter into written | ||||||
| |||||||
| |||||||
| 1 | agreements with operators. This subsection may not be construed | ||||||
| 2 | to limit individual school employees outside of the scope of | ||||||
| 3 | their employment from entering into agreements with operators | ||||||
| 4 | on their own behalf and for non-K through 12 school purposes, | ||||||
| 5 | provided that no covered information is provided to the | ||||||
| 6 | operators. Any agreement or contract entered into in violation | ||||||
| 7 | of this Act is void and unenforceable as against public policy. | ||||||
| 8 | (c) A school must post on its website or, if the school | ||||||
| 9 | does not maintain a website, make available at its | ||||||
| 10 | administrative office for inspection by the general public each | ||||||
| 11 | written agreement entered into under this Act, along with any | ||||||
| 12 | information required under subsection (a), no later than 10 | ||||||
| 13 | business days after entering into the agreement. | ||||||
| 14 | (d) After receipt of notice of a breach under Section 15 or | ||||||
| 15 | determination of a breach of covered information maintained by | ||||||
| 16 | the school, a school shall notify, no later than 30 calendar | ||||||
| 17 | days after receipt of the notice or determination that a breach | ||||||
| 18 | has occurred, the parent of any student whose covered | ||||||
| 19 | information is involved in the breach. The notification must | ||||||
| 20 | include, but is not limited to, all of the following: | ||||||
| 21 | (1) The date, estimated date, or estimated date range | ||||||
| 22 | of the breach. | ||||||
| 23 | (2) A description of the covered information that was | ||||||
| 24 | compromised or reasonably believed to have been | ||||||
| 25 | compromised in the breach. | ||||||
| 26 | (3) Information that the parent may use to contact the | ||||||
| |||||||
| |||||||
| 1 | operator and school to inquire about the breach. | ||||||
| 2 | (4) The toll-free numbers, addresses, and websites for | ||||||
| 3 | consumer reporting agencies. | ||||||
| 4 | (5) The toll-free number, address, and website for the | ||||||
| 5 | Federal Trade Commission. | ||||||
| 6 | (6) A statement that the parent may obtain information | ||||||
| 7 | from the Federal Trade Commission and consumer reporting | ||||||
| 8 | agencies about fraud alerts and security freezes. | ||||||
| 9 | (e) Each school must implement and maintain reasonable | ||||||
| 10 | security procedures and practices that otherwise meet or exceed | ||||||
| 11 | industry standards designed to protect covered information | ||||||
| 12 | from unauthorized access, destruction, use, modification, or | ||||||
| 13 | disclosure. Any written agreement under which the disclosure of | ||||||
| 14 | covered information between the school and a third party takes | ||||||
| 15 | place must include a provision requiring the entity to whom the | ||||||
| 16 | covered information is disclosed to implement and maintain | ||||||
| 17 | reasonable security procedures and practices that otherwise | ||||||
| 18 | meet or exceed industry standards designed to protect covered | ||||||
| 19 | information from unauthorized access, destruction, use, | ||||||
| 20 | modification, or disclosure. The State Board must make | ||||||
| 21 | available on its website a guidance document for schools | ||||||
| 22 | pertaining to reasonable security procedures and practices | ||||||
| 23 | under this subsection. | ||||||
| 24 | (f) Each school may designate an appropriate staff person | ||||||
| 25 | as a privacy officer, who may also be an official records | ||||||
| 26 | custodian as designated under the Illinois School Student | ||||||
| |||||||
| |||||||
| 1 | Records Act, to carry out the duties and responsibilities | ||||||
| 2 | assigned to schools and to ensure compliance with the | ||||||
| 3 | requirements of this Section and Section 26. | ||||||
| 4 | (g) A school shall make a request, pursuant to paragraph | ||||||
| 5 | (2) of Section 15, to an operator to delete covered information | ||||||
| 6 | on behalf of a student's parent if the parent requests from the | ||||||
| 7 | school that the student's covered information held by the | ||||||
| 8 | operator be deleted, so long as the deletion of the covered | ||||||
| 9 | information is not in violation of the Illinois School Student | ||||||
| 10 | Records Act. | ||||||
| 11 | (h) This Section does not apply to nonpublic schools.
| ||||||
| 12 | (105 ILCS 85/28 new) | ||||||
| 13 | Sec. 28. State Board duties. | ||||||
| 14 | (a) The State Board may not sell, rent, lease, or trade | ||||||
| 15 | covered information. | ||||||
| 16 | (b) Except for an employee of the State Board or a State | ||||||
| 17 | Board official acting within his or her official capacity, the | ||||||
| 18 | State Board may not share, transfer, disclose, or provide | ||||||
| 19 | covered information to an entity or individual without a | ||||||
| 20 | contract or written agreement, except for disclosures required | ||||||
| 21 | by federal law to federal agencies. | ||||||
| 22 | (c) At least once annually, the State Board must publish | ||||||
| 23 | and maintain on its website a list of all of the entities or | ||||||
| 24 | individuals, including, but not limited to, operators, | ||||||
| 25 | individual researchers, research organizations, institutions | ||||||
| |||||||
| |||||||
| 1 | of higher education, or government agencies, that the State | ||||||
| 2 | Board contracts with or has written agreements with and that | ||||||
| 3 | hold covered information and a copy of each contract or written | ||||||
| 4 | agreement. The list must include all of the following | ||||||
| 5 | information: | ||||||
| 6 | (1) The name of the entity or individual. In naming an | ||||||
| 7 | individual, the list must include the entity that sponsors | ||||||
| 8 | the individual or with which the individual is affiliated, | ||||||
| 9 | if any. If the individual is conducting research at an | ||||||
| 10 | institution of higher education, the list may include the | ||||||
| 11 | name of that institution and a contact person in the | ||||||
| 12 | department that is associated with the research in lieu of | ||||||
| 13 | the name of the researcher. If the entity is an operator, | ||||||
| 14 | the list must include its business address. | ||||||
| 15 | (2) The purpose and scope of the contract or agreement. | ||||||
| 16 | (3) The duration of the contract or agreement. | ||||||
| 17 | (4) The types of covered information that the entity or | ||||||
| 18 | individual holds under the contract or agreement. | ||||||
| 19 | (5) The use of the covered information under the | ||||||
| 20 | contract or agreement. | ||||||
| 21 | (6) The length of time for which the entity or | ||||||
| 22 | individual may hold the covered information. | ||||||
| 23 | (7) A list of any subcontractors to whom covered | ||||||
| 24 | information may be disclosed under Section 15. | ||||||
| 25 | If mutually agreed upon by the State Board and the | ||||||
| 26 | operator, provisions of a contract or written agreement, other | ||||||
| |||||||
| |||||||
| 1 | than those pertaining to paragraphs (1) through (7), may be | ||||||
| 2 | redacted on the State Board's website. | ||||||
| 3 | (d) The State Board shall create, publish, and make | ||||||
| 4 | publicly available an inventory, along with a dictionary or | ||||||
| 5 | index of data elements and their definitions, of covered | ||||||
| 6 | information collected or maintained by the State Board, | ||||||
| 7 | including, but not limited to, both of the following: | ||||||
| 8 | (1) Covered information that schools are required to | ||||||
| 9 | report to the State Board by State or federal law. | ||||||
| 10 | (2) Covered information in the State longitudinal data | ||||||
| 11 | system or any data warehouse used by the State Board to | ||||||
| 12 | populate the longitudinal data system. | ||||||
| 13 | The inventory shall make clear for what purposes the State | ||||||
| 14 | Board uses the covered information. | ||||||
| 15 | (e) The State Board shall develop, publish, and make | ||||||
| 16 | publicly available, for the benefit of schools, model student | ||||||
| 17 | data privacy policies and procedures that comply with relevant | ||||||
| 18 | State and federal law, including, but not limited to, a model | ||||||
| 19 | notice that schools must use to provide notice to parents and | ||||||
| 20 | students about operators. The notice must state, in general | ||||||
| 21 | terms, the types of student data that are collected by the | ||||||
| 22 | schools and shared with operators under this Act and the | ||||||
| 23 | purposes of collecting and using the student data. After | ||||||
| 24 | creation of the notice under this subsection, a school shall, | ||||||
| 25 | at the beginning of each school year, provide the notice to | ||||||
| 26 | parents by the same means generally used to send notices to | ||||||
| |||||||
| |||||||
| 1 | them. This subsection does not apply to nonpublic schools.
| ||||||
| 2 | (105 ILCS 85/30)
| ||||||
| 3 | Sec. 30. Applicability. This Act does not do any of the | ||||||
| 4 | following: | ||||||
| 5 | (1) Limit the authority of a law enforcement agency to | ||||||
| 6 | obtain any content or information from an operator as | ||||||
| 7 | authorized by law or under a court order. | ||||||
| 8 | (2) Limit the ability of an operator to use student | ||||||
| 9 | data, including covered information, for adaptive learning | ||||||
| 10 | or customized student learning purposes. | ||||||
| 11 | (3) Apply to general audience Internet websites, | ||||||
| 12 | general audience online services, general audience online | ||||||
| 13 | applications, or general audience mobile applications, | ||||||
| 14 | even if login credentials created for an operator's site, | ||||||
| 15 | service, or application may be used to access those general | ||||||
| 16 | audience sites, services, or applications. | ||||||
| 17 | (4) Limit service providers from providing Internet | ||||||
| 18 | connectivity to schools or students and their families. | ||||||
| 19 | (5) Prohibit an operator of an Internet website, online | ||||||
| 20 | service, online application, or mobile application from | ||||||
| 21 | marketing educational products directly to parents if the | ||||||
| 22 | marketing did not result from the use of covered | ||||||
| 23 | information obtained by the operator through the provision | ||||||
| 24 | of services covered under this Act. | ||||||
| 25 | (6) Impose a duty upon a provider of an electronic | ||||||
| |||||||
| |||||||
| 1 | store, gateway, marketplace, or other means of purchasing | ||||||
| 2 | or downloading software or applications to review or | ||||||
| 3 | enforce compliance with this Act on those applications or | ||||||
| 4 | software. | ||||||
| 5 | (7) Impose a duty upon a provider of an interactive | ||||||
| 6 | computer service to review or enforce compliance with this | ||||||
| 7 | Act by third-party content providers. | ||||||
| 8 | (8) Prohibit students from downloading, exporting, | ||||||
| 9 | transferring, saving, or maintaining their own student | ||||||
| 10 | data or documents. | ||||||
| 11 | (9) Supersede the federal Family Educational Rights | ||||||
| 12 | and Privacy Act of 1974, or rules adopted pursuant to that | ||||||
| 13 | Act or the Illinois School Student Records Act, or any | ||||||
| 14 | rules adopted pursuant to those Acts.
| ||||||
| 15 | (10) Prohibit an operator or school from producing and | ||||||
| 16 | distributing, free or for consideration, student class | ||||||
| 17 | photos and yearbooks to the school, students, parents, or | ||||||
| 18 | individuals authorized by parents and to no others, in | ||||||
| 19 | accordance with the terms of a written agreement between | ||||||
| 20 | the operator and the school. | ||||||
| 21 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 22 | (105 ILCS 85/33 new) | ||||||
| 23 | Sec. 33. Parent and student rights. | ||||||
| 24 | (a) A student's covered information shall be collected only | ||||||
| 25 | for K through 12 school purposes and not further processed in a | ||||||
| |||||||
| |||||||
| 1 | manner that is incompatible with those purposes. | ||||||
| 2 | (b) A student's covered information shall only be adequate, | ||||||
| 3 | relevant, and limited to what is necessary in relation to the K | ||||||
| 4 | through 12 school purposes for which it is processed. | ||||||
| 5 | (c) Except for a parent of a student enrolled in a | ||||||
| 6 | nonpublic school, the parent of a student enrolled in a school | ||||||
| 7 | has the right to all of the following: | ||||||
| 8 | (1) Inspect and review the student's covered | ||||||
| 9 | information, regardless of whether it is maintained by the | ||||||
| 10 | school, the State Board, or an operator. | ||||||
| 11 | (2) Request from a school a paper or electronic copy of | ||||||
| 12 | the student's covered information, including covered | ||||||
| 13 | information maintained by an operator or the State Board. | ||||||
| 14 | If a parent requests an electronic copy of the student's | ||||||
| 15 | covered information under this paragraph, the school must | ||||||
| 16 | provide an electronic copy of that information, unless the | ||||||
| 17 | school does not maintain the information in an electronic | ||||||
| 18 | format and reproducing the information in an electronic | ||||||
| 19 | format would be unduly burdensome to the school. If a | ||||||
| 20 | parent requests a paper copy of the student's covered | ||||||
| 21 | information, the school may charge the parent the | ||||||
| 22 | reasonable cost for copying the information in an amount | ||||||
| 23 | not to exceed the amount fixed in a schedule adopted by the | ||||||
| 24 | State Board, except that no parent may be denied a copy of | ||||||
| 25 | the information due to the parent's inability to bear the | ||||||
| 26 | cost of the copying. The State Board must adopt rules on | ||||||
| |||||||
| |||||||
| 1 | the methodology and frequency of requests under this | ||||||
| 2 | paragraph. | ||||||
| 3 | (3) Request corrections of factual inaccuracies | ||||||
| 4 | contained in the student's covered information. After | ||||||
| 5 | receiving a request for corrections and determining that a | ||||||
| 6 | factual inaccuracy exists, a school must do either of the | ||||||
| 7 | following: | ||||||
| 8 | (A) If the school maintains the covered | ||||||
| 9 | information that contains the factual inaccuracy, | ||||||
| 10 | correct the factual inaccuracy and confirm the | ||||||
| 11 | correction with the parent within 90 calendar days | ||||||
| 12 | after receiving the parent's request. | ||||||
| 13 | (B) If the operator or State Board maintains the | ||||||
| 14 | covered information that contains the factual | ||||||
| 15 | inaccuracy, notify the operator or the State Board of | ||||||
| 16 | the correction. The operator or the State Board must | ||||||
| 17 | correct the factual inaccuracy and confirm the | ||||||
| 18 | correction with the school within 90 calendar days | ||||||
| 19 | after receiving the notice. Within 10 business days | ||||||
| 20 | after receiving confirmation of the correction from | ||||||
| 21 | the operator or State Board, the school must confirm | ||||||
| 22 | the correction with the parent. | ||||||
| 23 | (d) Nothing in this Section shall be construed to limit the | ||||||
| 24 | rights granted to parents and students under the Illinois | ||||||
| 25 | School Student Records Act or the federal Family Educational | ||||||
| 26 | Rights and Privacy Act of 1974.
| ||||||
| |||||||
| |||||||
| 1 | Section 99. Effective date. This Act takes effect July 1, | ||||||
| 2 | 2021.".
| ||||||
