|
| Public Act 101-0516
|
| HB3606 Enrolled | LRB101 09053 AXK 54146 b |
|
|
AN ACT concerning education.
|
Be it enacted by the People of the State of Illinois,
|
represented in the General Assembly:
|
Section 5. The Student Online Personal Protection Act is |
amended by changing Sections 5, 10, 15, and 30 and by adding |
Sections 26, 27, 28, and 33 as follows:
|
(105 ILCS 85/5)
|
Sec. 5. Definitions. In this Act: |
"Breach" means the unauthorized acquisition of |
computerized data that compromises the security, |
confidentiality, or integrity of covered information |
maintained by an operator or school. "Breach" does not include |
the good faith acquisition of personal information by an |
employee or agent of an operator or school for a legitimate |
purpose of the operator or school if the covered information is |
not used for a purpose prohibited by this Act or subject to |
further unauthorized disclosure. |
"Covered information" means personally identifiable |
information or material or information that is linked to |
personally identifiable information or material in any media or |
format that is not publicly available and is any of the |
following: |
(1) Created by or provided to an operator by a student |
|
or the student's parent or legal guardian in the course of |
the student's or , parent's, or legal guardian's use of the |
operator's site, service, or application for K through 12 |
school purposes. |
(2) Created by or provided to an operator by an |
employee or agent of a school or school district for K |
through 12 school purposes. |
(3) Gathered by an operator through the operation of |
its site, service, or application for K through 12 school |
purposes and personally identifies a student, including, |
but not limited to, information in the student's |
educational record or electronic mail, first and last name, |
home address, telephone number, electronic mail address, |
or other information that allows physical or online |
contact, discipline records, test results, special |
education data, juvenile dependency records, grades, |
evaluations, criminal records, medical records, health |
records, a social security number, biometric information, |
disabilities, socioeconomic information, food purchases, |
political affiliations, religious information, text |
messages, documents, student identifiers, search activity, |
photos, voice recordings, or geolocation information. |
"Interactive computer service" has the meaning ascribed to |
that term in Section 230 of the federal Communications Decency |
Act of 1996 (47 U.S.C. 230). |
"K through 12 school purposes" means purposes that are |
|
directed by or that customarily take place at the direction of |
a school, teacher, or school district; aid in the |
administration of school activities, including, but not |
limited to, instruction in the classroom or at home, |
administrative activities, and collaboration between students, |
school personnel, or parents; or are otherwise for the use and |
benefit of the school. |
"Longitudinal data system" has the meaning given to that |
term under the P-20 Longitudinal Education Data System Act. |
"Operator" means, to the extent that an entity is operating |
in this capacity, the operator of an Internet website, online |
service, online application, or mobile application with actual |
knowledge that the site, service, or application is used |
primarily for K through 12 school purposes and was designed and |
marketed for K through 12 school purposes. |
"Parent" has the meaning given to that term under the |
Illinois School Student Records Act. |
"School" means (1) any preschool, public kindergarten, |
elementary or secondary educational institution, vocational |
school, special educational facility, or any other elementary |
or secondary educational agency or institution or (2) any |
person, agency, or institution that maintains school student |
records from more than one school. Except as otherwise provided |
in this Act, "school" "School" includes a private or nonpublic |
school. |
"State Board" means the State Board of Education. |
|
"Student" has the meaning given to that term under the |
Illinois School Student Records Act. |
"Targeted advertising" means presenting advertisements to |
a student where the advertisement is selected based on |
information obtained or inferred over time from that student's |
online behavior, usage of applications, or covered |
information. The term does not include advertising to a student |
at an online location based upon that student's current visit |
to that location or in response to that student's request for |
information or feedback, without the retention of that |
student's online activities or requests over time for the |
purpose of targeting subsequent ads.
|
(Source: P.A. 100-315, eff. 8-24-17.)
|
(105 ILCS 85/10)
|
Sec. 10. Operator prohibitions. An operator shall not |
knowingly do any of the following: |
(1) Engage in targeted advertising on the operator's |
site, service, or application or target advertising on any |
other site, service, or application if the targeting of the |
advertising is based on any information, including covered |
information and persistent unique identifiers, that the |
operator has acquired because of the use of that operator's |
site, service, or application for K through 12 school |
purposes. |
(2) Use information, including persistent unique |
|
identifiers, created or gathered by the operator's site, |
service, or application to amass a profile about a student, |
except in furtherance of K through 12 school purposes. |
"Amass a profile" does not include the collection and |
retention of account information that remains under the |
control of the student, the student's parent or legal |
guardian, or the school. |
(3) Sell or rent a student's information, including |
covered information. This subdivision (3) does not apply to |
the purchase, merger, or other type of acquisition of an |
operator by another entity if the operator or successor |
entity complies with this Act regarding previously |
acquired student information. |
(4) Except as otherwise provided in Section 20 of this |
Act, disclose covered information, unless the disclosure |
is made for the following purposes: |
(A) In furtherance of the K through 12 school |
purposes of the site, service, or application if the |
recipient of the covered information disclosed under |
this clause (A) does not further disclose the |
information, unless done to allow or improve |
operability and functionality of the operator's site, |
service, or application. |
(B) To ensure legal and regulatory compliance or |
take precautions
against liability. |
(C) To respond to the judicial process. |
|
(D) To protect the safety or integrity of users of |
the site or others or the security of the site, |
service, or application. |
(E) For a school, educational, or employment |
purpose requested by the student or the student's |
parent or legal guardian, provided that the |
information is not used or further disclosed for any |
other purpose. |
(F) To a third party if the operator contractually |
prohibits the third party from using any covered |
information for any purpose other than providing the |
contracted service to or on behalf of the operator, |
prohibits the third party from disclosing any covered |
information provided by the operator with subsequent |
third parties, and requires the third party to |
implement and maintain reasonable security procedures |
and practices as required under Section 15. |
Nothing in this Section prohibits the operator's use of |
information for maintaining, developing, supporting, |
improving, or diagnosing the operator's site, service, or |
application.
|
(Source: P.A. 100-315, eff. 8-24-17.)
|
(105 ILCS 85/15)
|
Sec. 15. Operator duties. An operator shall do the |
following: |
|
(1) Implement and maintain reasonable security |
procedures and practices that otherwise meet or exceed |
industry standards appropriate to the nature of the covered |
information and designed to protect that covered |
information from unauthorized access, destruction, use, |
modification, or disclosure. |
(2) Delete, within a reasonable time period, a |
student's covered information if the school or school |
district requests deletion of covered information under |
the control of the school or school district, unless a |
student or his or her parent or legal guardian consents to |
the maintenance of the covered information. |
(3) Publicly disclose material information about its |
collection, use, and disclosure of covered information, |
including, but not limited to, publishing a terms of |
service agreement, privacy policy, or similar document. |
(4) Except for a nonpublic school, for any operator who |
seeks to receive from a school, school district, or the |
State Board in any manner any covered information, enter |
into a written agreement with the school, school district, |
or State Board before the covered information may be |
transferred. The written agreement may be created in |
electronic form and signed with an electronic or digital |
signature or may be a click wrap agreement that is used |
with software licenses, downloaded or online applications |
and transactions for educational technologies, or other |
|
technologies in which a user must agree to terms and |
conditions before using the product or service. Any written |
agreement entered into, amended, or renewed must contain |
all of the following: |
(A) A listing of the categories or types of covered |
information to be provided to the operator. |
(B) A statement of the product or service being |
provided to the school by the operator. |
(C) A statement that, pursuant to the federal |
Family Educational Rights and Privacy Act of 1974, the |
operator is acting as a school official with a |
legitimate educational interest, is performing an |
institutional service or function for which the school |
would otherwise use employees, under the direct |
control of the school, with respect to the use and |
maintenance of covered information, and is using the |
covered information only for an authorized purpose and |
may not re-disclose it to third parties or affiliates, |
unless otherwise permitted under this Act, without |
permission from the school or pursuant to court order. |
(D) A description of how, if a breach is attributed |
to the operator, any costs and expenses incurred by the |
school in investigating and remediating the breach |
will be allocated between the operator and the school. |
The costs and expenses may include, but are not limited |
to: |
|
(i) providing notification to the parents of |
those students whose covered information was |
compromised and to regulatory agencies or other |
entities as required by law or contract; |
(ii) providing credit monitoring to those |
students whose covered information was exposed in |
a manner during the breach that a reasonable person |
would believe that it could impact his or her |
credit or financial security; |
(iii) legal fees, audit costs, fines, and any |
other fees or damages imposed against the school as |
a result of the security breach; and |
(iv) providing any other notifications or |
fulfilling any other requirements adopted by the |
State Board or of any other State or federal laws. |
(E) A statement that the operator must delete or |
transfer to the school all covered information if the |
information is no longer needed for the purposes of the |
written agreement and to specify the time period in |
which the information must be deleted or transferred |
once the operator is made aware that the information is |
no longer needed for the purposes of the written |
agreement. |
(F) If the school maintains a website, a statement |
that the school must publish the written agreement on |
the school's website. If the school does not maintain a |
|
website, a statement that the school must make the |
written agreement available for inspection by the |
general public at its administrative office. If |
mutually agreed upon by the school and the operator, |
provisions of the written agreement, other than those |
under subparagraphs (A), (B), and (C), may be redacted |
in the copy of the written agreement published on the |
school's website or made available at its |
administrative office. |
(5) In case of any breach, within the most expedient |
time possible and without unreasonable delay, but no later |
than 30 calendar days after the determination that a breach |
has occurred, notify the school of any breach of the |
students' covered information.
|
(6) Except for a nonpublic school, provide to the |
school a list of any third parties or affiliates to whom |
the operator is currently disclosing covered information |
or has disclosed covered information. This list must, at a |
minimum, be updated and provided to the school by the |
beginning of each State fiscal year and at the beginning of |
each calendar year. |
(Source: P.A. 100-315, eff. 8-24-17.)
|
(105 ILCS 85/26 new) |
Sec. 26. School prohibitions. A school may not do either of |
the following: |
|
(1) Sell, rent, lease, or trade covered information. |
(2) Share, transfer, disclose, or provide access to a |
student's covered information to an entity or individual, |
other than the student's parent, school personnel, |
appointed or elected school board members or local school |
council members, or the State Board, without a written |
agreement, unless the disclosure or transfer is: |
(A) to the extent permitted by State or federal |
law, to law enforcement officials to protect the safety |
of users or others or the security or integrity of the |
operator's service; |
(B) required by court order or State or federal |
law; or |
(C) to ensure legal or regulatory compliance. |
This paragraph (2) does not apply to nonpublic schools.
|
(105 ILCS 85/27 new) |
Sec. 27. School duties. |
(a) Each school shall post and maintain on its website or, |
if the school does not maintain a website, make available for |
inspection by the general public at its administrative office |
all of the following information: |
(1) An explanation, that is clear and understandable by |
a layperson, of the data elements of covered information |
that the school collects, maintains, or discloses to any |
person, entity, third party, or governmental agency. The |
|
information must explain how the school uses, to whom or |
what entities it discloses, and for what purpose it |
discloses the covered information. |
(2) A list of operators that the school has written |
agreements with, a copy of each written agreement, and a |
business address for each operator. A copy of a written |
agreement posted or made available by a school under this |
paragraph may contain redactions, as provided under |
subparagraph (F) of paragraph (4) of Section 15. |
(3) For each operator, a list of any subcontractors to |
whom covered information may be disclosed or a link to a |
page on the operator's website that clearly lists that |
information, as provided by the operator to the school |
under paragraph (6) of Section 15. |
(4) A written description of the procedures that a |
parent may use to carry out the rights enumerated under |
Section 33. |
(5) A list of any breaches of covered information |
maintained by the school or breaches under Section 15 that |
includes, but is not limited to, all of the following |
information: |
(A) The number of students whose covered |
information is involved in the breach, unless |
disclosing that number would violate the provisions of |
the Personal Information Protection Act. |
(B) The date, estimated date, or estimated date |
|
range of the breach. |
(C) For a breach under Section 15, the name of the |
operator. |
The school may omit from the list required under this |
paragraph (5) (i) any breach in which, to the best of the |
school's knowledge at the time of updating the list, the |
number of students whose covered information is involved in |
the breach is less than 10% of the school's enrollment, |
(ii) any breach in which, at the time of posting the list, |
the school is not required to notify the parent of a |
student under subsection (d), (iii) any breach in which the |
date, estimated date, or estimated date range in which it |
occurred is earlier than July 1, 2021, or (iv) any breach |
previously posted on a list under this paragraph (5) no |
more than 5 years prior to the school updating the current |
list. |
The school must, at a minimum, update the items under |
paragraphs (1), (3), (4), and (5) no later than 30 calendar |
days following the start of a fiscal year and no later than 30 |
days following the beginning of a calendar year. |
(b) Each school must adopt a policy for designating which |
school employees are authorized to enter into written |
agreements with operators. This subsection may not be construed |
to limit individual school employees outside of the scope of |
their employment from entering into agreements with operators |
on their own behalf and for non-K through 12 school purposes, |
|
provided that no covered information is provided to the |
operators. Any agreement or contract entered into in violation |
of this Act is void and unenforceable as against public policy. |
(c) A school must post on its website or, if the school |
does not maintain a website, make available at its |
administrative office for inspection by the general public each |
written agreement entered into under this Act, along with any |
information required under subsection (a), no later than 10 |
business days after entering into the agreement. |
(d) After receipt of notice of a breach under Section 15 or |
determination of a breach of covered information maintained by |
the school, a school shall notify, no later than 30 calendar |
days after receipt of the notice or determination that a breach |
has occurred, the parent of any student whose covered |
information is involved in the breach. The notification must |
include, but is not limited to, all of the following: |
(1) The date, estimated date, or estimated date range |
of the breach. |
(2) A description of the covered information that was |
compromised or reasonably believed to have been |
compromised in the breach. |
(3) Information that the parent may use to contact the |
operator and school to inquire about the breach. |
(4) The toll-free numbers, addresses, and websites for |
consumer reporting agencies. |
(5) The toll-free number, address, and website for the |
|
Federal Trade Commission. |
(6) A statement that the parent may obtain information |
from the Federal Trade Commission and consumer reporting |
agencies about fraud alerts and security freezes. |
A notice of breach required under this subsection may be |
delayed if an appropriate law enforcement agency determines |
that the notification will interfere with a criminal |
investigation and provides the school with a written request |
for a delay of notice. A school must comply with the |
notification requirements as soon as the notification will no |
longer interfere with the investigation. |
(e) Each school must implement and maintain reasonable |
security procedures and practices that otherwise meet or exceed |
industry standards designed to protect covered information |
from unauthorized access, destruction, use, modification, or |
disclosure. Any written agreement under which the disclosure of |
covered information between the school and a third party takes |
place must include a provision requiring the entity to whom the |
covered information is disclosed to implement and maintain |
reasonable security procedures and practices that otherwise |
meet or exceed industry standards designed to protect covered |
information from unauthorized access, destruction, use, |
modification, or disclosure. The State Board must make |
available on its website a guidance document for schools |
pertaining to reasonable security procedures and practices |
under this subsection. |
|
(f) Each school may designate an appropriate staff person |
as a privacy officer, who may also be an official records |
custodian as designated under the Illinois School Student |
Records Act, to carry out the duties and responsibilities |
assigned to schools and to ensure compliance with the |
requirements of this Section and Section 26. |
(g) A school shall make a request, pursuant to paragraph |
(2) of Section 15, to an operator to delete covered information |
on behalf of a student's parent if the parent requests from the |
school that the student's covered information held by the |
operator be deleted, so long as the deletion of the covered |
information is not in violation of State or federal records |
laws. |
(h) This Section does not apply to nonpublic schools.
|
(105 ILCS 85/28 new) |
Sec. 28. State Board duties. |
(a) The State Board may not sell, rent, lease, or trade |
covered information. |
(b) Except for an employee of the State Board or a State |
Board official acting within his or her official capacity, the |
State Board may not share, transfer, disclose, or provide |
covered information to an entity or individual without a |
contract or written agreement, except for disclosures required |
by State or federal law. |
(c) At least once annually, the State Board must publish |
|
and maintain on its website a list of all of the entities or |
individuals, including, but not limited to, operators, |
individual researchers, research organizations, institutions |
of higher education, or government agencies, that the State |
Board contracts with or has written agreements with and that |
hold covered information and a copy of each contract or written |
agreement. The list must include all of the following |
information: |
(1) The name of the entity or individual. In naming an |
individual, the list must include the entity that sponsors |
the individual or with which the individual is affiliated, |
if any. If the individual is conducting research at an |
institution of higher education, the list may include the |
name of that institution and a contact person in the |
department that is associated with the research in lieu of |
the name of the researcher. If the entity is an operator, |
the list must include its business address. |
(2) The purpose and scope of the contract or agreement. |
(3) The duration of the contract or agreement. |
(4) The types of covered information that the entity or |
individual holds under the contract or agreement. |
(5) The use of the covered information under the |
contract or agreement. |
(6) The length of time for which the entity or |
individual may hold the covered information. |
(7) A list of any subcontractors to whom covered |
|
information may be disclosed under Section 15 or a link to |
a page on the operator's website that clearly lists that |
information. |
If mutually agreed upon by the State Board and the |
operator, provisions of a contract or written agreement, other |
than those pertaining to paragraphs (1) through (7), may be |
redacted on the State Board's website. |
(d) The State Board shall create, publish, and make |
publicly available an inventory, along with a dictionary or |
index of data elements and their definitions, of covered |
information collected or maintained by the State Board, |
including, but not limited to, both of the following: |
(1) Covered information that schools are required to |
report to the State Board by State or federal law. |
(2) Covered information in the State longitudinal data |
system or any data warehouse used by the State Board to |
populate the longitudinal data system. |
The inventory shall make clear for what purposes the State |
Board uses the covered information. |
(e) The State Board shall develop, publish, and make |
publicly available, for the benefit of schools, model student |
data privacy policies and procedures that comply with relevant |
State and federal law, including, but not limited to, a model |
notice that schools must use to provide notice to parents and |
students about operators. The notice must state, in general |
terms, the types of student data that are collected by the |
|
schools and shared with operators under this Act and the |
purposes of collecting and using the student data. After |
creation of the notice under this subsection, a school shall, |
at the beginning of each school year, provide the notice to |
parents by the same means generally used to send notices to |
them. This subsection does not apply to nonpublic schools.
|
(105 ILCS 85/30)
|
Sec. 30. Applicability. This Act does not do any of the |
following: |
(1) Limit the authority of a law enforcement agency to |
obtain any content or information from an operator as |
authorized by law or under a court order. |
(2) Limit the ability of an operator to use student |
data, including covered information, for adaptive learning |
or customized student learning purposes. |
(3) Apply to general audience Internet websites, |
general audience online services, general audience online |
applications, or general audience mobile applications, |
even if login credentials created for an operator's site, |
service, or application may be used to access those general |
audience sites, services, or applications. |
(4) Limit service providers from providing Internet |
connectivity to schools or students and their families. |
(5) Prohibit an operator of an Internet website, online |
service, online application, or mobile application from |
|
marketing educational products directly to parents if the |
marketing did not result from the use of covered |
information obtained by the operator through the provision |
of services covered under this Act. |
(6) Impose a duty upon a provider of an electronic |
store, gateway, marketplace, or other means of purchasing |
or downloading software or applications to review or |
enforce compliance with this Act on those applications or |
software. |
(7) Impose a duty upon a provider of an interactive |
computer service to review or enforce compliance with this |
Act by third-party content providers. |
(8) Prohibit students from downloading, exporting, |
transferring, saving, or maintaining their own student |
data or documents. |
(9) Supersede the federal Family Educational Rights |
and Privacy Act of 1974, or rules adopted pursuant to that |
Act or the Illinois School Student Records Act, or any |
rules adopted pursuant to those Acts.
|
(10) Prohibit an operator or school from producing and |
distributing, free or for consideration, student class |
photos and yearbooks to the school, students, parents, or |
individuals authorized by parents and to no others, in |
accordance with the terms of a written agreement between |
the operator and the school. |
(Source: P.A. 100-315, eff. 8-24-17.)
|
|
(105 ILCS 85/33 new) |
Sec. 33. Parent and student rights. |
(a) A student's covered information shall be collected only |
for K through 12 school purposes and not further processed in a |
manner that is incompatible with those purposes. |
(b) A student's covered information shall only be adequate, |
relevant, and limited to what is necessary in relation to the K |
through 12 school purposes for which it is processed. |
(c) Except for a parent of a student enrolled in a |
nonpublic school, the parent of a student enrolled in a school |
has the right to all of the following: |
(1) Inspect and review the student's covered |
information, regardless of whether it is maintained by the |
school, the State Board, or an operator. |
(2) Request from a school a paper or electronic copy of |
the student's covered information, including covered |
information maintained by an operator or the State Board. |
If a parent requests an electronic copy of the student's |
covered information under this paragraph, the school must |
provide an electronic copy of that information, unless the |
school does not maintain the information in an electronic |
format and reproducing the information in an electronic |
format would be unduly burdensome to the school. If a |
parent requests a paper copy of the student's covered |
information, the school may charge the parent the |
|
reasonable cost for copying the information in an amount |
not to exceed the amount fixed in a schedule adopted by the |
State Board, except that no parent may be denied a copy of |
the information due to the parent's inability to bear the |
cost of the copying. The State Board must adopt rules on |
the methodology and frequency of requests under this |
paragraph. |
(3) Request corrections of factual inaccuracies |
contained in the student's covered information. After |
receiving a request for corrections and determining that a |
factual inaccuracy exists, a school must do either of the |
following: |
(A) If the school maintains or possesses the |
covered information that contains the factual |
inaccuracy, correct the factual inaccuracy and confirm |
the correction with the parent within 90 calendar days |
after receiving the parent's request. |
(B) If the operator or State Board maintains or |
possesses the covered information that contains the |
factual inaccuracy, notify the operator or the State |
Board of the correction. The operator or the State |
Board must correct the factual inaccuracy and confirm |
the correction with the school within 90 calendar days |
after receiving the notice. Within 10 business days |
after receiving confirmation of the correction from |
the operator or State Board, the school must confirm |
