103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB2256

Introduced 2/10/2023, by Sen. Robert F. Martwick

SYNOPSIS AS INTRODUCED:
105 ILCS 85/5
105 ILCS 85/15
105 ILCS 85/25
105 ILCS 85/26
105 ILCS 85/27
105 ILCS 85/30

Amends the Student Online Personal Protection Act. Provides that "covered information" does not include de-identified or aggregate information from which all personally identifiable information of a student has been removed. Makes conforming changes. Provides that the covered information restrictions shall be included as part of the operator's terms of service agreement, privacy policy, or similar document (instead of requiring that an operator enter into a written agreement with the school, school district, or State Board before the covered information may be transferred). Removes provisions requiring that, if the school maintains a website, the operator shall provide a statement that the school must publish the written agreement on the school's website. Makes related changes. Provides that the operator must include a statement that the operator will implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. Provides that the business address of the operator and a link to the terms of service agreement, privacy policy, or similar document shall be provided. Provides that an operator is not prohibited from using de-identified or aggregate information from which all personally identifiable information of a student has been removed. Removes restrictions prohibiting a school from sharing, transferring, disclosing, or providing access to a student's covered information to an entity or individual. Makes other changes.

A BILL FOR

SB2256 LRB103 27298 RJT 53669 b
AN ACT concerning education.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Student Online Personal Protection Act is amended by changing Sections 5, 15, 25, 26, 27 and 30 as follows:

(105 ILCS 85/5)

Sec. 5. Definitions. In this Act:

"Breach" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school. "Breach" does not include the good faith acquisition of covered personal information by an employee or agent of an operator or school for a legitimate purpose of the operator or school if the covered information is not used for a purpose prohibited by this Act or subject to further unauthorized disclosure.

"Covered information" means personally identifiable information or material of a student or information that is linked to personally identifiable information or material in any media or format that is not publicly available and is any of the following:

(1) Created by or provided to an operator by a student or the student's parent in the course of the student's or parent's use of the operator's site, service, or application for K through 12 school purposes.

(2) Created by or provided to an operator by an employee or agent of a school or school district for K through 12 school purposes.

(3) Gathered by an operator through the operation of its site, service, or application for K through 12 school purposes and personally identifies a student, including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, a social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

The term does not include de-identified or aggregate information from which all personally identifiable information of a student has been removed.

"Interactive computer service" has the meaning ascribed to that term in Section 230 of the federal Communications Decency Act of 1996 (47 U.S.C. 230).

"K through 12 school purposes" means purposes that are directed by or that customarily take place at the direction of a school, teacher, or school district; aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or are otherwise for the use and benefit of the school.

"Longitudinal data system" has the meaning given to that term under the P-20 Longitudinal Education Data System Act.

"Operator" means, to the extent that an entity is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes.

"Parent" has the meaning given to that term under the Illinois School Student Records Act.

"School" means (1) any preschool, public kindergarten, elementary or secondary educational institution, vocational school, special educational facility, or any other elementary or secondary educational agency or institution or (2) any person, agency, or institution that maintains school student records from more than one school. Except as otherwise provided in this Act, "school" includes a private or nonpublic school.

"State Board" means the State Board of Education.

"Student" has the meaning given to that term under the Illinois School Student Records Act.

"Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or covered information. The term does not include advertising to a student at an online location based upon that student's current visit to that location or in response to that student's request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent ads.

(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)
(105 ILCS 85/15)

Sec. 15. Operator duties. An operator shall do the following:

(1) Implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(2) Delete, within a reasonable time period, a student's covered information if the school or school district requests deletion of covered information under the control of the school or school district, unless a student or his or her parent consents to the maintenance of the covered information.

(3) Publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document.

(4) Except for a nonpublic school, for any operator who receives seeks to receive from a public school, school district, or the State Board in any manner any covered information, must include as part of their service agreement, privacy policy, or similar document the following: enter into a written agreement with the school, school district, or State Board before the covered information may be transferred. The written agreement may be created in electronic form and signed with an electronic or digital signature or may be a click wrap agreement that is used with software licenses, downloaded or online applications and transactions for educational technologies, or other technologies in which a user must agree to terms and conditions before using the product or service. Any written agreement entered into, amended, or renewed must contain all of the following:

(A) A listing of the categories or types of covered information to be provided by the school to the operator.

(B) A statement of the product or service being provided to the school by the operator.

(C) A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.

(D) A statement that description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated to between the operator and the school. The costs and expenses shall may include, but are not limited to:

(i) providing notification to the parents of those students whose covered information was compromised and to regulatory agencies or other entities as required by law or contract;

(ii) providing credit monitoring to those students whose covered information was exposed in a manner during the breach that a reasonable person would believe that it could impact his or her credit or financial security;

(iii) legal fees, audit costs, fines, and any other fees or damages imposed against the school as a result of the security breach; and

(iv) providing any other notifications or fulfilling any other requirements adopted by the State Board or of any other State or federal laws.

(E) A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the school's use of the operator's site, service, or application the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the school's use of the operator's site, service, or application written agreement.

(F) (Blank) If the school maintains a website, a statement that the school must publish the written agreement on the school's website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office. If mutually agreed upon by the school and the operator, provisions of the written agreement, other than those under subparagraphs (A), (B), and (C), may be redacted in the copy of the written agreement published on the school's website or made available at its administrative office.

(G) A statement that the operator will implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(H) The business address of the operator and a link to the terms of service agreement, privacy policy, or similar document.

(5) In case of any breach, within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after the determination that a breach has occurred, notify the school of any breach of the students' covered information.

(6) Except for a nonpublic school, maintain provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing covered information or has disclosed covered information on its site, service, or application. This list must, at a minimum, be updated and provided to the school by the beginning of each State fiscal year and at the beginning of each calendar year.

(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)
(105 ILCS 85/25)

Sec. 25. Operator actions that are not prohibited. This Act does not prohibit an operator from doing any of the following:

(1) Using de-identified or aggregate information from which all personally identifiable information of a student has been removed covered information to improve educational products if that information is not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator.

(2) Using de-identified or aggregate information from which all personally identifiable information of a student has been removed covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in their marketing.

(3) Sharing de-identified or aggregate information from which all personally identifiable information of a student has been removed covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications.

(4) Using recommendation engines to recommend to a student either of the following:

(A) Additional content relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.

(B) Additional services relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.

(5) Responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.

(Source: P.A. 100-315, eff. 8-24-17.)
(105 ILCS 85/26)

Sec. 26. School prohibitions. A school may not do either of the following:

(1) Sell, rent, lease, or trade covered information.

(2) (Blank). Share, transfer, disclose, or provide access to a student's covered information to an entity or individual, other than the student's parent, school personnel, appointed or elected school board members or local school council members, or the State Board, without a written agreement, unless the disclosure or transfer is:

(A) to the extent permitted by State or federal law, to law enforcement officials to protect the safety of users or others or the security or integrity of the operator's service;

(B) required by court order or State or federal law; or

(C) to ensure legal or regulatory compliance.

This paragraph (2) does not apply to nonpublic schools.

(Source: P.A. 101-516, eff. 7-1-21.)
(105 ILCS 85/27)

Sec. 27. School duties.

(a) Each school shall post and maintain on its website or, if the school does not maintain a website, make available for inspection by the general public at its administrative office all of the following information:

(1) An explanation, that is clear and understandable by a layperson, of the data elements of covered information that the school collects, maintains, or discloses to any operator person, entity, third party, or governmental agency. The information must explain how the school uses, to whom or what entities it discloses, and for what purpose it discloses the covered information.

(2) A list of the operators of any educational sites, services, or applications used by the school, that the school has written agreements with, a copy of each written agreement, and a business address for each operator, and a link to each operator's terms of service, privacy policy, or similar document. A copy of a written agreement posted or made available by a school under this paragraph may contain redactions, as provided under subparagraph (F) of paragraph (4) of Section 15.

(3) For each operator, a list of any subcontractors to whom covered information may be disclosed or a link to a page on the operator's website that clearly lists the that information third parties or affiliates to whom the operator is currently disclosing covered information or has disclosed covered information, as provided by the operator to the school under paragraph (6) of Section 15.

(4) A written description of the procedures that a parent may use to carry out the rights enumerated under Section 33.

(5) A list of any breaches of covered information maintained by the school or breaches under Section 15 that includes, but is not limited to, all of the following information:

(A) The number of students whose covered information is involved in the breach, unless disclosing that number would violate the provisions of the Personal Information Protection Act.

(B) The date, estimated date, or estimated date range of the breach.

(C) For a breach under Section 15, the name of the operator.

The school may omit from the list required under this paragraph (5): (i) any breach in which, to the best of the school's knowledge at the time of updating the list, the number of students whose covered information is involved in the breach is less than 10% of the school's enrollment, (ii) any breach in which, at the time of posting the list, the school is not required to notify the parent of a student under subsection (d), (iii) any breach in which the date, estimated date, or estimated date range in which it occurred is earlier than July 1, 2021, or (iv) any breach previously posted on a list under this paragraph (5) no more than 5 years prior to the school updating the current list.

The school must, at a minimum, update the items under paragraphs (1), (3), (4), and (5) no later than 30 calendar days following the start of a fiscal year and no later than 30 days following the beginning of a calendar year.

(b) Each school must adopt a policy for designating which school employees are authorized to enter into written agreements with operators. This subsection may not be construed to limit individual school employees outside of the scope of their employment from entering into agreements with operators on their own behalf and for non-K through 12 school purposes, provided that no covered information is provided to the operators. Any agreement or contract entered into in violation of this Act is void and unenforceable as against public policy.

(c) A school must post on its website or, if the school does not maintain a website, make available at its administrative office for inspection by the general public each written agreement entered into under this Act, along with any information required under subsection (a), no later than 10 business days after entering into the agreement.

(d) After receipt of notice of a breach under Section 15 or determination of a breach of covered information maintained by the school, a school shall notify, no later than 30 calendar days after receipt of the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach. The notification must include, but is not limited to, all of the following:

(1) The date, estimated date, or estimated date range of the breach.

(2) A description of the covered information that was compromised or reasonably believed to have been compromised in the breach.

(3) Information that the parent may use to contact the operator and school to inquire about the breach.

(4) The toll-free numbers, addresses, and websites for consumer reporting agencies.

(5) The toll-free number, address, and website for the Federal Trade Commission.

(6) A statement that the parent may obtain information from the Federal Trade Commission and consumer reporting agencies about fraud alerts and security freezes.

A notice of breach required under this subsection may be delayed if an appropriate law enforcement agency determines that the notification will interfere with a criminal investigation and provides the school with a written request for a delay of notice. A school must comply with the notification requirements as soon as the notification will no longer interfere with the investigation.

(e) Each school must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. Any written agreement under which the disclosure of covered information between the school and a third party takes place must include a provision requiring the entity to whom the covered information is disclosed to implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. The State Board must make available on its website a guidance document for schools pertaining to reasonable security procedures and practices under this subsection.

(f) Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of this Section and Section 26.

(g) A school shall make a request, pursuant to paragraph (2) of Section 15, to an operator to delete covered information on behalf of a student's parent if the parent requests from the school that the student's covered information held by the operator be deleted, so long as the deletion of the covered information is not in violation of State or federal records laws and the school has determined the covered information is not needed to administer its curriculum.

(h) This Section does not apply to nonpublic schools.

(Source: P.A. 101-516, eff. 7-1-21; 102-558, eff. 8-20-21.)
(105 ILCS 85/30)

Sec. 30. Applicability. This Act does not do any of the following:

(1) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.

(2) Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.

(3) Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.

(4) Limit service providers from providing Internet connectivity to schools or students and their families.

(5) Prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this Act.

(6) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this Act on those applications or software.

(7) Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this Act by third-party content providers.

(8) Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.

(9) Supersede the federal Family Educational Rights and Privacy Act of 1974, the Illinois School Student Records Act, or any rules adopted pursuant to those Acts.

(10) Prohibit an operator or school from producing and distributing, free or for consideration, student class photos and yearbooks to the school, libraries, students, parents, or individuals authorized by parents and to no others, in accordance with the terms of a written agreement between the operator and the school.

(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)