Public Act 100-0315

SB1796 Enrolled LRB100 08966 MLM 19112 b

AN ACT concerning education.

Be it enacted by the People of the State of Illinois,

represented in the General Assembly:

Section 1. Short title. This Act may be cited as the

Student Online Personal Protection Act.

Section 3. Legislative intent. Schools today are

increasingly using a wide range of beneficial online services

and other technologies to help students learn, but concerns

have been raised about whether sufficient safeguards exist to

protect the privacy and security of data about students when it

is collected by educational technology companies. This Act is

intended to ensure that student data will be protected when it

is collected by educational technology companies and that the

data may be used for beneficial purposes such as providing

personalized learning and innovative educational technologies.

Section 5. Definitions. In this Act:

"Covered information" means personally identifiable

information or material or information that is linked to

personally identifiable information or material in any media or

format that is not publicly available and is any of the

following:

(1) Created by or provided to an operator by a student

or the student's parent or legal guardian in the course of

the student's, parent's, or legal guardian's use of the

operator's site, service, or application for K through 12

school purposes.

(2) Created by or provided to an operator by an

employee or agent of a school or school district for K

through 12 school purposes.

(3) Gathered by an operator through the operation of

its site, service, or application for K through 12 school

purposes and personally identifies a student, including,

but not limited to, information in the student's

educational record or electronic mail, first and last name,

home address, telephone number, electronic mail address,

or other information that allows physical or online

contact, discipline records, test results, special

education data, juvenile dependency records, grades,

evaluations, criminal records, medical records, health

records, a social security number, biometric information,

disabilities, socioeconomic information, food purchases,

political affiliations, religious information, text

messages, documents, student identifiers, search activity,

photos, voice recordings, or geolocation information.

"Interactive computer service" has the meaning ascribed to

that term in Section 230 of the federal Communications Decency

Act of 1996 (47 U.S.C. 230).

"K through 12 school purposes" means purposes that are

directed by or that customarily take place at the direction of

a school, teacher, or school district; aid in the

administration of school activities, including, but not

limited to, instruction in the classroom or at home,

administrative activities, and collaboration between students,

school personnel, or parents; or are otherwise for the use and

benefit of the school.

"Operator" means, to the extent that an entity is operating

in this capacity, the operator of an Internet website, online

service, online application, or mobile application with actual

knowledge that the site, service, or application is used

primarily for K through 12 school purposes and was designed and

marketed for K through 12 school purposes.

"School" means (1) any preschool, public kindergarten,

elementary or secondary educational institution, vocational

school, special educational facility, or any other elementary

or secondary educational agency or institution or (2) any

person, agency, or institution that maintains school student

records from more than one school. "School" includes a private

or nonpublic school.

"Targeted advertising" means presenting advertisements to

a student where the advertisement is selected based on

information obtained or inferred over time from that student's

online behavior, usage of applications, or covered

information. The term does not include advertising to a student

at an online location based upon that student's current visit

to that location or in response to that student's request for

information or feedback, without the retention of that

student's online activities or requests over time for the

purpose of targeting subsequent ads.

Section 10. Operator prohibitions. An operator shall not

knowingly do any of the following:

(1) Engage in targeted advertising on the operator's

site, service, or application or target advertising on any

other site, service, or application if the targeting of the

advertising is based on any information, including covered

information and persistent unique identifiers, that the

operator has acquired because of the use of that operator's

site, service, or application for K through 12 school

purposes.

(2) Use information, including persistent unique

identifiers, created or gathered by the operator's site,

service, or application to amass a profile about a student,

except in furtherance of K through 12 school purposes.

"Amass a profile" does not include the collection and

retention of account information that remains under the

control of the student, the student's parent or legal

guardian, or the school.

(3) Sell or rent a student's information, including

covered information. This subdivision (3) does not apply to

the purchase, merger, or other type of acquisition of an

operator by another entity if the operator or successor

entity complies with this Act regarding previously

acquired student information.

(4) Except as otherwise provided in Section 20 of this

Act, disclose covered information, unless the disclosure

is made for the following purposes:

(A) In furtherance of the K through 12 school

purposes of the site, service, or application if the

recipient of the covered information disclosed under

this clause (A) does not further disclose the

information, unless done to allow or improve

operability and functionality of the operator's site,

service, or application.

(B) To ensure legal and regulatory compliance or

take precautions against liability.

(C) To respond to the judicial process.

(D) To protect the safety or integrity of users of

the site or others or the security of the site,

service, or application.

(E) For a school, educational, or employment

purpose requested by the student or the student's

parent or legal guardian, provided that the

information is not used or further disclosed for any

other purpose.

(F) To a third party if the operator contractually

prohibits the third party from using any covered

information for any purpose other than providing the

contracted service to or on behalf of the operator,

prohibits the third party from disclosing any covered

information provided by the operator with subsequent

third parties, and requires the third party to

implement and maintain reasonable security procedures

and practices.

Nothing in this Section prohibits the operator's use of

information for maintaining, developing, supporting,

improving, or diagnosing the operator's site, service, or

application.

Section 15. Operator duties. An operator shall do the

following:

(1) Implement and maintain reasonable security

procedures and practices appropriate to the nature of the

covered information and designed to protect that covered

information from unauthorized access, destruction, use,

modification, or disclosure.

(2) Delete, within a reasonable time period, a

student's covered information if the school or school

district requests deletion of covered information under

the control of the school or school district, unless a

student or his or her parent or legal guardian consents to

the maintenance of the covered information.

(3) Publicly disclose material information about its

collection, use, and disclosure of covered information,

including, but not limited to, publishing a terms of

service agreement, privacy policy, or similar document.

Section 20. Permissive use or disclosure. An operator may

use or disclose covered information of a student under the

following circumstances:

(1) If other provisions of federal or State law require

the operator to disclose the information, and the operator

complies with the requirements of federal and State law in

protecting and disclosing that information.

(2) For legitimate research purposes as required by

State or federal law and subject to the restrictions under

applicable State and federal law or as allowed by State or

federal law and under the direction of a school, school

district, or the State Board of Education if the covered

information is not used for advertising or to amass a

profile on the student for purposes other than for K

through 12 school purposes.

(3) To a State or local educational agency, including

schools and school districts, for K through 12 school

purposes, as permitted by State or federal law.

Section 25. Operator actions that are not prohibited. This

Act does not prohibit an operator from doing any of the

following:

(1) Using covered information to improve educational

products if that information is not associated with an

identified student within the operator's site, service, or

application or other sites, services, or applications

owned by the operator.

(2) Using covered information that is not associated

with an identified student to demonstrate the

effectiveness of the operator's products or services,

including in their marketing.

(3) Sharing covered information that is not associated

with an identified student for the development and

improvement of educational sites, services, or

applications.

(4) Using recommendation engines to recommend to a

student either of the following:

(A) Additional content relating to an educational,

other learning, or employment opportunity purpose

within an online site, service, or application if the

recommendation is not determined in whole or in part by

payment or other consideration from a third party.

(B) Additional services relating to an

educational, other learning, or employment opportunity

purpose within an online site, service, or application

if the recommendation is not determined in whole or in

part by payment or other consideration from a third

party.

(5) Responding to a student's request for information

or for feedback without the information or response being

determined in whole or in part by payment or other

consideration from a third party.

Section 30. Applicability. This Act does not do any of the

following:

(1) Limit the authority of a law enforcement agency to

obtain any content or information from an operator as

authorized by law or under a court order.

(2) Limit the ability of an operator to use student

data, including covered information, for adaptive learning

or customized student learning purposes.

(3) Apply to general audience Internet websites,

general audience online services, general audience online

applications, or general audience mobile applications,

even if login credentials created for an operator's site,

service, or application may be used to access those general

audience sites, services, or applications.

(4) Limit service providers from providing Internet

connectivity to schools or students and their families.

(5) Prohibit an operator of an Internet website, online

service, online application, or mobile application from

marketing educational products directly to parents if the

marketing did not result from the use of covered

information obtained by the operator through the provision

of services covered under this Act.

(6) Impose a duty upon a provider of an electronic

store, gateway, marketplace, or other means of purchasing

or downloading software or applications to review or

enforce compliance with this Act on those applications or

software.

(7) Impose a duty upon a provider of an interactive

computer service to review or enforce compliance with this

Act by third-party content providers.

(8) Prohibit students from downloading, exporting,

transferring, saving, or maintaining their own student

data or documents.

(9) Supersede the federal Family Educational Rights

and Privacy Act of 1974 or rules adopted pursuant to that

Act or the Illinois School Student Records Act.

Section 35. Enforcement. Violations of this Act shall

constitute unlawful practices for which the Attorney General

may take appropriate action under the Consumer Fraud and

Deceptive Business Practices Act.

Section 40. Severability. The provisions of this Act are

severable under Section 1.31 of the Statute on Statutes.

Section 50. The Consumer Fraud and Deceptive Business

Practices Act is amended by changing Section 2Z as follows:

(815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)

Sec. 2Z. Violations of other Acts. Any person who knowingly

violates the Automotive Repair Act, the Automotive Collision

Repair Act, the Home Repair and Remodeling Act, the Dance

Studio Act, the Physical Fitness Services Act, the Hearing

Instrument Consumer Protection Act, the Illinois Union Label

Act, the Job Referral and Job Listing Services Consumer

Protection Act, the Travel Promotion Consumer Protection Act,

the Credit Services Organizations Act, the Automatic Telephone

Dialers Act, the Pay-Per-Call Services Consumer Protection

Act, the Telephone Solicitations Act, the Illinois Funeral or

Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care

Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales

Act, the High Risk Home Loan Act, the Payday Loan Reform Act,

the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section

3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section

3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the

Internet Caller Identification Act, paragraph (6) of

subsection (k) of Section 6-305 of the Illinois Vehicle Code,

Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150,

or 18d-153 of the Illinois Vehicle Code, Article 3 of the

Residential Real Property Disclosure Act, the Automatic

Contract Renewal Act, the Reverse Mortgage Act, Section 25 of

the Youth Mental Health Protection Act, or the Personal

Information Protection Act, or the Student Online Personal

Protection Act commits an unlawful practice within the meaning

of this Act.

(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642,

eff. 7-28-16.)

Section 99. Effective date. This Act takes effect upon

becoming law.