Public Act 101-0516

HB3606 Enrolled LRB101 09053 AXK 54146 b

AN ACT concerning education.

Be it enacted by the People of the State of Illinois,

represented in the General Assembly:

Section 5. The Student Online Personal Protection Act is

amended by changing Sections 5, 10, 15, and 30 and by adding

Sections 26, 27, 28, and 33 as follows:

(105 ILCS 85/5)

Sec. 5. Definitions. In this Act:

"Breach" means the unauthorized acquisition of

computerized data that compromises the security,

confidentiality, or integrity of covered information

maintained by an operator or school. "Breach" does not include

the good faith acquisition of personal information by an

employee or agent of an operator or school for a legitimate

purpose of the operator or school if the covered information is

not used for a purpose prohibited by this Act or subject to

further unauthorized disclosure.

"Covered information" means personally identifiable

information or material or information that is linked to

personally identifiable information or material in any media or

format that is not publicly available and is any of the

following:

(1) Created by or provided to an operator by a student

or the student's parent or legal guardian in the course of

the student's or , parent's, or legal guardian's use of the

operator's site, service, or application for K through 12

school purposes.

(2) Created by or provided to an operator by an

employee or agent of a school or school district for K

through 12 school purposes.

(3) Gathered by an operator through the operation of

its site, service, or application for K through 12 school

purposes and personally identifies a student, including,

but not limited to, information in the student's

educational record or electronic mail, first and last name,

home address, telephone number, electronic mail address,

or other information that allows physical or online

contact, discipline records, test results, special

education data, juvenile dependency records, grades,

evaluations, criminal records, medical records, health

records, a social security number, biometric information,

disabilities, socioeconomic information, food purchases,

political affiliations, religious information, text

messages, documents, student identifiers, search activity,

photos, voice recordings, or geolocation information.

"Interactive computer service" has the meaning ascribed to

that term in Section 230 of the federal Communications Decency

Act of 1996 (47 U.S.C. 230).

"K through 12 school purposes" means purposes that are

directed by or that customarily take place at the direction of

a school, teacher, or school district; aid in the

administration of school activities, including, but not

limited to, instruction in the classroom or at home,

administrative activities, and collaboration between students,

school personnel, or parents; or are otherwise for the use and

benefit of the school.

"Longitudinal data system" has the meaning given to that

term under the P-20 Longitudinal Education Data System Act.

"Operator" means, to the extent that an entity is operating

in this capacity, the operator of an Internet website, online

service, online application, or mobile application with actual

knowledge that the site, service, or application is used

primarily for K through 12 school purposes and was designed and

marketed for K through 12 school purposes.

"Parent" has the meaning given to that term under the

Illinois School Student Records Act.

"School" means (1) any preschool, public kindergarten,

elementary or secondary educational institution, vocational

school, special educational facility, or any other elementary

or secondary educational agency or institution or (2) any

person, agency, or institution that maintains school student

records from more than one school. Except as otherwise provided

in this Act, "school" "School" includes a private or nonpublic

school.

"State Board" means the State Board of Education.

"Student" has the meaning given to that term under the

Illinois School Student Records Act.

"Targeted advertising" means presenting advertisements to

a student where the advertisement is selected based on

information obtained or inferred over time from that student's

online behavior, usage of applications, or covered

information. The term does not include advertising to a student

at an online location based upon that student's current visit

to that location or in response to that student's request for

information or feedback, without the retention of that

student's online activities or requests over time for the

purpose of targeting subsequent ads.

(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/10)

Sec. 10. Operator prohibitions. An operator shall not

knowingly do any of the following:

(1) Engage in targeted advertising on the operator's

site, service, or application or target advertising on any

other site, service, or application if the targeting of the

advertising is based on any information, including covered

information and persistent unique identifiers, that the

operator has acquired because of the use of that operator's

site, service, or application for K through 12 school

purposes.

(2) Use information, including persistent unique

identifiers, created or gathered by the operator's site,

service, or application to amass a profile about a student,

except in furtherance of K through 12 school purposes.

"Amass a profile" does not include the collection and

retention of account information that remains under the

control of the student, the student's parent or legal

guardian, or the school.

(3) Sell or rent a student's information, including

covered information. This subdivision (3) does not apply to

the purchase, merger, or other type of acquisition of an

operator by another entity if the operator or successor

entity complies with this Act regarding previously

acquired student information.

(4) Except as otherwise provided in Section 20 of this

Act, disclose covered information, unless the disclosure

is made for the following purposes:

(A) In furtherance of the K through 12 school

purposes of the site, service, or application if the

recipient of the covered information disclosed under

this clause (A) does not further disclose the

information, unless done to allow or improve

operability and functionality of the operator's site,

service, or application.

(B) To ensure legal and regulatory compliance or

take precautions against liability.

(C) To respond to the judicial process.

(D) To protect the safety or integrity of users of

the site or others or the security of the site,

service, or application.

(E) For a school, educational, or employment

purpose requested by the student or the student's

parent or legal guardian, provided that the

information is not used or further disclosed for any

other purpose.

(F) To a third party if the operator contractually

prohibits the third party from using any covered

information for any purpose other than providing the

contracted service to or on behalf of the operator,

prohibits the third party from disclosing any covered

information provided by the operator with subsequent

third parties, and requires the third party to

implement and maintain reasonable security procedures

and practices as required under Section 15.

Nothing in this Section prohibits the operator's use of

information for maintaining, developing, supporting,

improving, or diagnosing the operator's site, service, or

application.

(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/15)

Sec. 15. Operator duties. An operator shall do the

following:

(1) Implement and maintain reasonable security

procedures and practices that otherwise meet or exceed

industry standards appropriate to the nature of the covered

information and designed to protect that covered

information from unauthorized access, destruction, use,

modification, or disclosure.

(2) Delete, within a reasonable time period, a

student's covered information if the school or school

district requests deletion of covered information under

the control of the school or school district, unless a

student or his or her parent or legal guardian consents to

the maintenance of the covered information.

(3) Publicly disclose material information about its

collection, use, and disclosure of covered information,

including, but not limited to, publishing a terms of

service agreement, privacy policy, or similar document.

(4) Except for a nonpublic school, for any operator who

seeks to receive from a school, school district, or the

State Board in any manner any covered information, enter

into a written agreement with the school, school district,

or State Board before the covered information may be

transferred. The written agreement may be created in

electronic form and signed with an electronic or digital

signature or may be a click wrap agreement that is used

with software licenses, downloaded or online applications

and transactions for educational technologies, or other

technologies in which a user must agree to terms and

conditions before using the product or service. Any written

agreement entered into, amended, or renewed must contain

all of the following:

(A) A listing of the categories or types of covered

information to be provided to the operator.

(B) A statement of the product or service being

provided to the school by the operator.

(C) A statement that, pursuant to the federal

Family Educational Rights and Privacy Act of 1974, the

operator is acting as a school official with a

legitimate educational interest, is performing an

institutional service or function for which the school

would otherwise use employees, under the direct

control of the school, with respect to the use and

maintenance of covered information, and is using the

covered information only for an authorized purpose and

may not re-disclose it to third parties or affiliates,

unless otherwise permitted under this Act, without

permission from the school or pursuant to court order.

(D) A description of how, if a breach is attributed

to the operator, any costs and expenses incurred by the

school in investigating and remediating the breach

will be allocated between the operator and the school.

The costs and expenses may include, but are not limited

to:

(i) providing notification to the parents of

those students whose covered information was

compromised and to regulatory agencies or other

entities as required by law or contract;

(ii) providing credit monitoring to those

students whose covered information was exposed in

a manner during the breach that a reasonable person

would believe that it could impact his or her

credit or financial security;

(iii) legal fees, audit costs, fines, and any

other fees or damages imposed against the school as

a result of the security breach; and

(iv) providing any other notifications or

fulfilling any other requirements adopted by the

State Board or of any other State or federal laws.

(E) A statement that the operator must delete or

transfer to the school all covered information if the

information is no longer needed for the purposes of the

written agreement and to specify the time period in

which the information must be deleted or transferred

once the operator is made aware that the information is

no longer needed for the purposes of the written

agreement.

(F) If the school maintains a website, a statement

that the school must publish the written agreement on

the school's website. If the school does not maintain a

website, a statement that the school must make the

written agreement available for inspection by the

general public at its administrative office. If

mutually agreed upon by the school and the operator,

provisions of the written agreement, other than those

under subparagraphs (A), (B), and (C), may be redacted

in the copy of the written agreement published on the

school's website or made available at its

administrative office.

(5) In case of any breach, within the most expedient

time possible and without unreasonable delay, but no later

than 30 calendar days after the determination that a breach

has occurred, notify the school of any breach of the

students' covered information.

(6) Except for a nonpublic school, provide to the

school a list of any third parties or affiliates to whom

the operator is currently disclosing covered information

or has disclosed covered information. This list must, at a

minimum, be updated and provided to the school by the

beginning of each State fiscal year and at the beginning of

each calendar year.

(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/26 new)

Sec. 26. School prohibitions. A school may not do either of

the following:

(1) Sell, rent, lease, or trade covered information.

(2) Share, transfer, disclose, or provide access to a

student's covered information to an entity or individual,

other than the student's parent, school personnel,

appointed or elected school board members or local school

council members, or the State Board, without a written

agreement, unless the disclosure or transfer is:

(A) to the extent permitted by State or federal

law, to law enforcement officials to protect the safety

of users or others or the security or integrity of the

operator's service;

(B) required by court order or State or federal

law; or

(C) to ensure legal or regulatory compliance.

This paragraph (2) does not apply to nonpublic schools.

(105 ILCS 85/27 new)

Sec. 27. School duties.

(a) Each school shall post and maintain on its website or,

if the school does not maintain a website, make available for

inspection by the general public at its administrative office

all of the following information:

(1) An explanation, that is clear and understandable by

a layperson, of the data elements of covered information

that the school collects, maintains, or discloses to any

person, entity, third party, or governmental agency. The

information must explain how the school uses, to whom or

what entities it discloses, and for what purpose it

discloses the covered information.

(2) A list of operators that the school has written

agreements with, a copy of each written agreement, and a

business address for each operator. A copy of a written

agreement posted or made available by a school under this

paragraph may contain redactions, as provided under

subparagraph (F) of paragraph (4) of Section 15.

(3) For each operator, a list of any subcontractors to

whom covered information may be disclosed or a link to a

page on the operator's website that clearly lists that

information, as provided by the operator to the school

under paragraph (6) of Section 15.

(4) A written description of the procedures that a

parent may use to carry out the rights enumerated under

Section 33.

(5) A list of any breaches of covered information

maintained by the school or breaches under Section 15 that

includes, but is not limited to, all of the following

information:

(A) The number of students whose covered

information is involved in the breach, unless

disclosing that number would violate the provisions of

the Personal Information Protection Act.

(B) The date, estimated date, or estimated date

range of the breach.

(C) For a breach under Section 15, the name of the

operator.

The school may omit from the list required under this

paragraph (5) (i) any breach in which, to the best of the

school's knowledge at the time of updating the list, the

number of students whose covered information is involved in

the breach is less than 10% of the school's enrollment,

(ii) any breach in which, at the time of posting the list,

the school is not required to notify the parent of a

student under subsection (d), (iii) any breach in which the

date, estimated date, or estimated date range in which it

occurred is earlier than July 1, 2021, or (iv) any breach

previously posted on a list under this paragraph (5) no

more than 5 years prior to the school updating the current

list.

The school must, at a minimum, update the items under

paragraphs (1), (3), (4), and (5) no later than 30 calendar

days following the start of a fiscal year and no later than 30

days following the beginning of a calendar year.

(b) Each school must adopt a policy for designating which

school employees are authorized to enter into written

agreements with operators. This subsection may not be construed

to limit individual school employees outside of the scope of

their employment from entering into agreements with operators

on their own behalf and for non-K through 12 school purposes,

provided that no covered information is provided to the

operators. Any agreement or contract entered into in violation

of this Act is void and unenforceable as against public policy.

(c) A school must post on its website or, if the school

does not maintain a website, make available at its

administrative office for inspection by the general public each

written agreement entered into under this Act, along with any

information required under subsection (a), no later than 10

business days after entering into the agreement.

(d) After receipt of notice of a breach under Section 15 or

determination of a breach of covered information maintained by

the school, a school shall notify, no later than 30 calendar

days after receipt of the notice or determination that a breach

has occurred, the parent of any student whose covered

information is involved in the breach. The notification must

include, but is not limited to, all of the following:

(1) The date, estimated date, or estimated date range

of the breach.

(2) A description of the covered information that was

compromised or reasonably believed to have been

compromised in the breach.

(3) Information that the parent may use to contact the

operator and school to inquire about the breach.

(4) The toll-free numbers, addresses, and websites for

consumer reporting agencies.

(5) The toll-free number, address, and website for the

Federal Trade Commission.

(6) A statement that the parent may obtain information

from the Federal Trade Commission and consumer reporting

agencies about fraud alerts and security freezes.

A notice of breach required under this subsection may be

delayed if an appropriate law enforcement agency determines

that the notification will interfere with a criminal

investigation and provides the school with a written request

for a delay of notice. A school must comply with the

notification requirements as soon as the notification will no

longer interfere with the investigation.

(e) Each school must implement and maintain reasonable

security procedures and practices that otherwise meet or exceed

industry standards designed to protect covered information

from unauthorized access, destruction, use, modification, or

disclosure. Any written agreement under which the disclosure of

covered information between the school and a third party takes

place must include a provision requiring the entity to whom the

covered information is disclosed to implement and maintain

reasonable security procedures and practices that otherwise

meet or exceed industry standards designed to protect covered

information from unauthorized access, destruction, use,

modification, or disclosure. The State Board must make

available on its website a guidance document for schools

pertaining to reasonable security procedures and practices

under this subsection.

(f) Each school may designate an appropriate staff person

as a privacy officer, who may also be an official records

custodian as designated under the Illinois School Student

Records Act, to carry out the duties and responsibilities

assigned to schools and to ensure compliance with the

requirements of this Section and Section 26.

(g) A school shall make a request, pursuant to paragraph

(2) of Section 15, to an operator to delete covered information

on behalf of a student's parent if the parent requests from the

school that the student's covered information held by the

operator be deleted, so long as the deletion of the covered

information is not in violation of State or federal records

laws.

(h) This Section does not apply to nonpublic schools.

(105 ILCS 85/28 new)

Sec. 28. State Board duties.

(a) The State Board may not sell, rent, lease, or trade

covered information.

(b) Except for an employee of the State Board or a State

Board official acting within his or her official capacity, the

State Board may not share, transfer, disclose, or provide

covered information to an entity or individual without a

contract or written agreement, except for disclosures required

by State or federal law.

(c) At least once annually, the State Board must publish

and maintain on its website a list of all of the entities or

individuals, including, but not limited to, operators,

individual researchers, research organizations, institutions

of higher education, or government agencies, that the State

Board contracts with or has written agreements with and that

hold covered information and a copy of each contract or written

agreement. The list must include all of the following

information:

(1) The name of the entity or individual. In naming an

individual, the list must include the entity that sponsors

the individual or with which the individual is affiliated,

if any. If the individual is conducting research at an

institution of higher education, the list may include the

name of that institution and a contact person in the

department that is associated with the research in lieu of

the name of the researcher. If the entity is an operator,

the list must include its business address.

(2) The purpose and scope of the contract or agreement.

(3) The duration of the contract or agreement.

(4) The types of covered information that the entity or

individual holds under the contract or agreement.

(5) The use of the covered information under the

contract or agreement.

(6) The length of time for which the entity or

individual may hold the covered information.

(7) A list of any subcontractors to whom covered

information may be disclosed under Section 15 or a link to

a page on the operator's website that clearly lists that

information.

If mutually agreed upon by the State Board and the

operator, provisions of a contract or written agreement, other

than those pertaining to paragraphs (1) through (7), may be

redacted on the State Board's website.

(d) The State Board shall create, publish, and make

publicly available an inventory, along with a dictionary or

index of data elements and their definitions, of covered

information collected or maintained by the State Board,

including, but not limited to, both of the following:

(1) Covered information that schools are required to

report to the State Board by State or federal law.

(2) Covered information in the State longitudinal data

system or any data warehouse used by the State Board to

populate the longitudinal data system.

The inventory shall make clear for what purposes the State

Board uses the covered information.

(e) The State Board shall develop, publish, and make

publicly available, for the benefit of schools, model student

data privacy policies and procedures that comply with relevant

State and federal law, including, but not limited to, a model

notice that schools must use to provide notice to parents and

students about operators. The notice must state, in general

terms, the types of student data that are collected by the

schools and shared with operators under this Act and the

purposes of collecting and using the student data. After

creation of the notice under this subsection, a school shall,

at the beginning of each school year, provide the notice to

parents by the same means generally used to send notices to

them. This subsection does not apply to nonpublic schools.

(105 ILCS 85/30)

Sec. 30. Applicability. This Act does not do any of the

following:

(1) Limit the authority of a law enforcement agency to

obtain any content or information from an operator as

authorized by law or under a court order.

(2) Limit the ability of an operator to use student

data, including covered information, for adaptive learning

or customized student learning purposes.

(3) Apply to general audience Internet websites,

general audience online services, general audience online

applications, or general audience mobile applications,

even if login credentials created for an operator's site,

service, or application may be used to access those general

audience sites, services, or applications.

(4) Limit service providers from providing Internet

connectivity to schools or students and their families.

(5) Prohibit an operator of an Internet website, online

service, online application, or mobile application from

marketing educational products directly to parents if the

marketing did not result from the use of covered

information obtained by the operator through the provision

of services covered under this Act.

(6) Impose a duty upon a provider of an electronic

store, gateway, marketplace, or other means of purchasing

or downloading software or applications to review or

enforce compliance with this Act on those applications or

software.

(7) Impose a duty upon a provider of an interactive

computer service to review or enforce compliance with this

Act by third-party content providers.

(8) Prohibit students from downloading, exporting,

transferring, saving, or maintaining their own student

data or documents.

(9) Supersede the federal Family Educational Rights

and Privacy Act of 1974, or rules adopted pursuant to that

Act or the Illinois School Student Records Act, or any

rules adopted pursuant to those Acts.

(10) Prohibit an operator or school from producing and

distributing, free or for consideration, student class

photos and yearbooks to the school, students, parents, or

individuals authorized by parents and to no others, in

accordance with the terms of a written agreement between

the operator and the school.

(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/33 new)

Sec. 33. Parent and student rights.

(a) A student's covered information shall be collected only

for K through 12 school purposes and not further processed in a

manner that is incompatible with those purposes.

(b) A student's covered information shall only be adequate,

relevant, and limited to what is necessary in relation to the K

through 12 school purposes for which it is processed.

(c) Except for a parent of a student enrolled in a

nonpublic school, the parent of a student enrolled in a school

has the right to all of the following:

(1) Inspect and review the student's covered

information, regardless of whether it is maintained by the

school, the State Board, or an operator.

(2) Request from a school a paper or electronic copy of

the student's covered information, including covered

information maintained by an operator or the State Board.

If a parent requests an electronic copy of the student's

covered information under this paragraph, the school must

provide an electronic copy of that information, unless the

school does not maintain the information in an electronic

format and reproducing the information in an electronic

format would be unduly burdensome to the school. If a

parent requests a paper copy of the student's covered

information, the school may charge the parent the

reasonable cost for copying the information in an amount

not to exceed the amount fixed in a schedule adopted by the

State Board, except that no parent may be denied a copy of

the information due to the parent's inability to bear the

cost of the copying. The State Board must adopt rules on

the methodology and frequency of requests under this

paragraph.

(3) Request corrections of factual inaccuracies

contained in the student's covered information. After

receiving a request for corrections and determining that a

factual inaccuracy exists, a school must do either of the

following:

(A) If the school maintains or possesses the

covered information that contains the factual

inaccuracy, correct the factual inaccuracy and confirm

the correction with the parent within 90 calendar days

after receiving the parent's request.

(B) If the operator or State Board maintains or

possesses the covered information that contains the

factual inaccuracy, notify the operator or the State

Board of the correction. The operator or the State

Board must correct the factual inaccuracy and confirm

the correction with the school within 90 calendar days

after receiving the notice. Within 10 business days

after receiving confirmation of the correction from

the operator or State Board, the school must confirm

the correction with the parent.

(d) Nothing in this Section shall be construed to limit the

rights granted to parents and students under the Illinois

School Student Records Act or the federal Family Educational

Rights and Privacy Act of 1974.

Section 99. Effective date. This Act takes effect July 1,

2021.