or the student's parent or legal guardian in the course of
the student's, parent's, or legal guardian's use of the
operator's site, service, or application for K through 12
school purposes.
(2) Created by or provided to an operator by an
employee or agent of a school or school district for K
through 12 school purposes.
(3) Gathered by an operator through the operation of
its site, service, or application for K through 12 school
purposes and personally identifies a student, including,
but not limited to, information in the student's
educational record or electronic mail, first and last name,
home address, telephone number, electronic mail address,
or other information that allows physical or online
contact, discipline records, test results, special
education data, juvenile dependency records, grades,
evaluations, criminal records, medical records, health
records, a social security number, biometric information,
disabilities, socioeconomic information, food purchases,
political affiliations, religious information, text
messages, documents, student identifiers, search activity,
photos, voice recordings, or geolocation information.
"Interactive computer service" has the meaning ascribed to
that term in Section 230 of the federal Communications Decency
Act of 1996 (47 U.S.C. 230).
"K through 12 school purposes" means purposes that are
directed by or that customarily take place at the direction of
a school, teacher, or school district; aid in the
administration of school activities, including, but not
limited to, instruction in the classroom or at home,
administrative activities, and collaboration between students,
school personnel, or parents; or are otherwise for the use and
benefit of the school.
"Operator" means, to the extent that an entity is operating
in this capacity, the operator of an Internet website, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K through 12 school purposes and was designed and
marketed for K through 12 school purposes.
"School" means (1) any preschool, public kindergarten,
elementary or secondary educational institution, vocational
school, special educational facility, or any other elementary
or secondary educational agency or institution or (2) any
person, agency, or institution that maintains school student
records from more than one school. "School" includes a private
or nonpublic school.
"Targeted advertising" means presenting advertisements to
a student where the advertisement is selected based on
information obtained or inferred over time from that student's
online behavior, usage of applications, or covered
information. The term does not include advertising to a student
at an online location based upon that student's current visit
to that location or in response to that student's request for
information or feedback, without the retention of that
student's online activities or requests over time for the
purpose of targeting subsequent ads.
Section 10. Operator prohibitions. An operator shall not
knowingly do any of the following:
(1) Engage in targeted advertising on the operator's
site, service, or application or target advertising on any
other site, service, or application if the targeting of the
advertising is based on any information, including covered
information and persistent unique identifiers, that the
operator has acquired because of the use of that operator's
site, service, or application for K through 12 school
purposes.
(2) Use information, including persistent unique
identifiers, created or gathered by the operator's site,
service, or application to amass a profile about a student,
except in furtherance of K through 12 school purposes.
"Amass a profile" does not include the collection and
retention of account information that remains under the
control of the student, the student's parent or legal
guardian, or the school.
(3) Sell or rent a student's information, including
covered information. This subdivision (3) does not apply to
the purchase, merger, or other type of acquisition of an
operator by another entity if the operator or successor
entity complies with this Act regarding previously
acquired student information.
(4) Except as otherwise provided in Section 20 of this
Act, disclose covered information, unless the disclosure
is made for the following purposes:
(A) In furtherance of the K through 12 school
purposes of the site, service, or application if the
recipient of the covered information disclosed under
this clause (A) does not further disclose the
information, unless done to allow or improve
operability and functionality of the operator's site,
service, or application.
(B) To ensure legal and regulatory compliance or
take precautions against liability.
(C) To respond to the judicial process.
(D) To protect the safety or integrity of users of
the site or others or the security of the site,
service, or application.
(E) For a school, educational, or employment
purpose requested by the student or the student's
parent or legal guardian, provided that the
information is not used or further disclosed for any
other purpose.
(F) To a third party if the operator contractually
prohibits the third party from using any covered
information for any purpose other than providing the
contracted service to or on behalf of the operator,
prohibits the third party from disclosing any covered
information provided by the operator with subsequent
third parties, and requires the third party to
implement and maintain reasonable security procedures
and practices.
Nothing in this Section prohibits the operator's use of
information for maintaining, developing, supporting,
improving, or diagnosing the operator's site, service, or
application.
Section 15. Operator duties. An operator shall do the
following:
(1) Implement and maintain reasonable security
procedures and practices appropriate to the nature of the
covered information and designed to protect that covered
information from unauthorized access, destruction, use,
modification, or disclosure.
(2) Delete, within a reasonable time period, a
student's covered information if the school or school
district requests deletion of covered information under
the control of the school or school district, unless a
student or his or her parent or legal guardian consents to
the maintenance of the covered information.
(3) Publicly disclose material information about its
collection, use, and disclosure of covered information,
including, but not limited to, publishing a terms of
service agreement, privacy policy, or similar document.
Section 20. Permissive use or disclosure. An operator may
use or disclose covered information of a student under the
following circumstances:
(1) If other provisions of federal or State law require
the operator to disclose the information, and the operator
complies with the requirements of federal and State law in
protecting and disclosing that information.
(2) For legitimate research purposes as required by
State or federal law and subject to the restrictions under
applicable State and federal law or as allowed by State or
federal law and under the direction of a school, school
district, or the State Board of Education if the covered
information is not used for advertising or to amass a
profile on the student for purposes other than for K
through 12 school purposes.
(3) To a State or local educational agency, including
schools and school districts, for K through 12 school
purposes, as permitted by State or federal law.
Section 25. Operator actions that are not prohibited. This
Act does not prohibit an operator from doing any of the
following:
(1) Using covered information to improve educational
products if that information is not associated with an
identified student within the operator's site, service, or
application or other sites, services, or applications
owned by the operator.
(2) Using covered information that is not associated
with an identified student to demonstrate the
effectiveness of the operator's products or services,
including in their marketing.
(3) Sharing covered information that is not associated
with an identified student for the development and
improvement of educational sites, services, or
applications.
(4) Using recommendation engines to recommend to a
student either of the following:
(A) Additional content relating to an educational,
other learning, or employment opportunity purpose
within an online site, service, or application if the
recommendation is not determined in whole or in part by
payment or other consideration from a third party.
(B) Additional services relating to an
educational, other learning, or employment opportunity
purpose within an online site, service, or application
if the recommendation is not determined in whole or in
part by payment or other consideration from a third
party.
(5) Responding to a student's request for information
or for feedback without the information or response being
determined in whole or in part by payment or other
consideration from a third party.
Section 30. Applicability. This Act does not do any of the
following:
(1) Limit the authority of a law enforcement agency to
obtain any content or information from an operator as
authorized by law or under a court order.
(2) Limit the ability of an operator to use student
data, including covered information, for adaptive learning
or customized student learning purposes.
(3) Apply to general audience Internet websites,
general audience online services, general audience online
applications, or general audience mobile applications,
even if login credentials created for an operator's site,
service, or application may be used to access those general
audience sites, services, or applications.
(4) Limit service providers from providing Internet
connectivity to schools or students and their families.
(5) Prohibit an operator of an Internet website, online
service, online application, or mobile application from
marketing educational products directly to parents if the
marketing did not result from the use of covered
information obtained by the operator through the provision
of services covered under this Act.
(6) Impose a duty upon a provider of an electronic
store, gateway, marketplace, or other means of purchasing
or downloading software or applications to review or
enforce compliance with this Act on those applications or
software.
(7) Impose a duty upon a provider of an interactive
computer service to review or enforce compliance with this
Act by third-party content providers.
(8) Prohibit students from downloading, exporting,
transferring, saving, or maintaining their own student
data or documents.
(9) Supersede the federal Family Educational Rights
and Privacy Act of 1974 or rules adopted pursuant to that
Act or the Illinois School Student Records Act.
Section 35. Enforcement. Violations of this Act shall
constitute unlawful practices for which the Attorney General
may take appropriate action under the Consumer Fraud and
Deceptive Business Practices Act.
Section 40. Severability. The provisions of this Act are
severable under Section 1.31 of the Statute on Statutes.
Section 50. The Consumer Fraud and Deceptive Business
Practices Act is amended by changing Section 2Z as follows:
(815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
Sec. 2Z. Violations of other Acts. Any person who knowingly
violates the Automotive Repair Act, the Automotive Collision
Repair Act, the Home Repair and Remodeling Act, the Dance
Studio Act, the Physical Fitness Services Act, the Hearing
Instrument Consumer Protection Act, the Illinois Union Label
Act, the Job Referral and Job Listing Services Consumer
Protection Act, the Travel Promotion Consumer Protection Act,
the Credit Services Organizations Act, the Automatic Telephone
Dialers Act, the Pay-Per-Call Services Consumer Protection
Act, the Telephone Solicitations Act, the Illinois Funeral or
Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care
Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales
Act, the High Risk Home Loan Act, the Payday Loan Reform Act,
the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section
3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section
3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the
Internet Caller Identification Act, paragraph (6) of
subsection (k) of Section 6-305 of the Illinois Vehicle Code,
Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150,
or 18d-153 of the Illinois Vehicle Code, Article 3 of the
Residential Real Property Disclosure Act, the Automatic
Contract Renewal Act, the Reverse Mortgage Act, Section 25 of
the Youth Mental Health Protection Act, or the Personal
Information Protection Act, or the Student Online Personal