Sen. Omar Aquino

Filed: 5/13/2019

 

 


 

 


 
10100HB3606sam001LRB101 09053 AXK 60514 a

1
AMENDMENT TO HOUSE BILL 3606

2    AMENDMENT NO. ______. Amend House Bill 3606 by replacing
3everything after the enacting clause with the following:
 
4    "Section 5. The Student Online Personal Protection Act is
5amended by changing Sections 5, 10, 15, and 30 and by adding
6Sections 26, 27, 28, and 33 as follows:
 
7    (105 ILCS 85/5)
8    Sec. 5. Definitions. In this Act:
9    "Breach" means the unauthorized acquisition of
10computerized data that compromises the security,
11confidentiality, or integrity of covered information
12maintained by an operator or school. "Breach" does not include
13the good faith acquisition of personal information by an
14employee or agent of an operator or school for a legitimate
15purpose of the operator or school if the covered information is
16not used for a purpose prohibited by this Act or subject to

 

 

10100HB3606sam001- 2 -LRB101 09053 AXK 60514 a

1further unauthorized disclosure.
2    "Covered information" means personally identifiable
3information or material or information that is linked to
4personally identifiable information or material in any media or
5format that is not publicly available and is any of the
6following:
7        (1) Created by or provided to an operator by a student
8    or the student's parent or legal guardian in the course of
9    the student's, parent's, or legal guardian's use of the
10    operator's site, service, or application for K through 12
11    school purposes.
12        (2) Created by or provided to an operator by an
13    employee or agent of a school or school district for K
14    through 12 school purposes.
15        (3) Gathered by an operator through the operation of
16    its site, service, or application for K through 12 school
17    purposes and personally identifies a student, including,
18    but not limited to, information in the student's
19    educational record or electronic mail, first and last name,
20    home address, telephone number, electronic mail address,
21    or other information that allows physical or online
22    contact, discipline records, test results, special
23    education data, juvenile dependency records, grades,
24    evaluations, criminal records, medical records, health
25    records, a social security number, biometric information,
26    disabilities, socioeconomic information, food purchases,

 

 

10100HB3606sam001- 3 -LRB101 09053 AXK 60514 a

1    political affiliations, religious information, text
2    messages, documents, student identifiers, search activity,
3    photos, voice recordings, or geolocation information.
4    "Interactive computer service" has the meaning ascribed to
5that term in Section 230 of the federal Communications Decency
6Act of 1996 (47 U.S.C. 230).
7    "K through 12 school purposes" means purposes that are
8directed by or that customarily take place at the direction of
9a school, teacher, or school district; aid in the
10administration of school activities, including, but not
11limited to, instruction in the classroom or at home,
12administrative activities, and collaboration between students,
13school personnel, or parents; or are otherwise for the use and
14benefit of the school.
15    "Longitudinal data system" has the meaning given to that
16term under the P-20 Longitudinal Education Data System Act.
17    "Operator" means, to the extent that an entity is operating
18in this capacity, the operator of an Internet website, online
19service, online application, or mobile application with actual
20knowledge that the site, service, or application is used
21primarily for K through 12 school purposes and was designed and
22marketed for K through 12 school purposes.
23    "Parent" has the meaning given to that term under the
24Illinois School Student Records Act.
25    "School" means (1) any preschool, public kindergarten,
26elementary or secondary educational institution, vocational

 

 

10100HB3606sam001- 4 -LRB101 09053 AXK 60514 a

1school, special educational facility, or any other elementary
2or secondary educational agency or institution or (2) any
3person, agency, or institution that maintains school student
4records from more than one school. Except as otherwise provided
5in this Act, "school" "School" includes a private or nonpublic
6school.
7    "State Board" means the State Board of Education.
8    "Student" has the meaning given to that term under the
9Illinois School Student Records Act.
10    "Targeted advertising" means presenting advertisements to
11a student where the advertisement is selected based on
12information obtained or inferred over time from that student's
13online behavior, usage of applications, or covered
14information. The term does not include advertising to a student
15at an online location based upon that student's current visit
16to that location or in response to that student's request for
17information or feedback, without the retention of that
18student's online activities or requests over time for the
19purpose of targeting subsequent ads.
20(Source: P.A. 100-315, eff. 8-24-17.)
 
21    (105 ILCS 85/10)
22    Sec. 10. Operator prohibitions. An operator shall not
23knowingly do any of the following:
24        (1) Engage in targeted advertising on the operator's
25    site, service, or application or target advertising on any

 

 

10100HB3606sam001- 5 -LRB101 09053 AXK 60514 a

1    other site, service, or application if the targeting of the
2    advertising is based on any information, including covered
3    information and persistent unique identifiers, that the
4    operator has acquired because of the use of that operator's
5    site, service, or application for K through 12 school
6    purposes.
7        (2) Use information, including persistent unique
8    identifiers, created or gathered by the operator's site,
9    service, or application to amass a profile about a student,
10    except in furtherance of K through 12 school purposes.
11    "Amass a profile" does not include the collection and
12    retention of account information that remains under the
13    control of the student, the student's parent or legal
14    guardian, or the school.
15        (3) Sell or rent a student's information, including
16    covered information. This subdivision (3) does not apply to
17    the purchase, merger, or other type of acquisition of an
18    operator by another entity if the operator or successor
19    entity complies with this Act regarding previously
20    acquired student information.
21        (4) Except as otherwise provided in Section 20 of this
22    Act, disclose covered information, unless the disclosure
23    is made for the following purposes:
24            (A) In furtherance of the K through 12 school
25        purposes of the site, service, or application if the
26        recipient of the covered information disclosed under

 

 

10100HB3606sam001- 6 -LRB101 09053 AXK 60514 a

1        this clause (A) does not further disclose the
2        information, unless done to allow or improve
3        operability and functionality of the operator's site,
4        service, or application.
5            (B) To ensure legal and regulatory compliance or
6        take precautions against liability.
7            (C) To respond to the judicial process.
8            (D) To protect the safety or integrity of users of
9        the site or others or the security of the site,
10        service, or application.
11            (E) For a school, educational, or employment
12        purpose requested by the student or the student's
13        parent or legal guardian, provided that the
14        information is not used or further disclosed for any
15        other purpose.
16            (F) To a third party if the operator contractually
17        prohibits the third party from using any covered
18        information for any purpose other than providing the
19        contracted service to or on behalf of the operator,
20        prohibits the third party from disclosing any covered
21        information provided by the operator with subsequent
22        third parties, and requires the third party to
23        implement and maintain reasonable security procedures
24        and practices as required under Section 15.
25    Nothing in this Section prohibits the operator's use of
26information for maintaining, developing, supporting,

 

 

10100HB3606sam001- 7 -LRB101 09053 AXK 60514 a

1improving, or diagnosing the operator's site, service, or
2application.
3(Source: P.A. 100-315, eff. 8-24-17.)
 
4    (105 ILCS 85/15)
5    Sec. 15. Operator duties. An operator shall do the
6following:
7        (1) Implement and maintain reasonable security
8    procedures and practices that otherwise meet or exceed
9    industry standards appropriate to the nature of the covered
10    information and designed to protect that covered
11    information from unauthorized access, destruction, use,
12    modification, or disclosure.
13        (2) Delete, within a reasonable time period, a
14    student's covered information if the school or school
15    district requests deletion of covered information under
16    the control of the school or school district, unless a
17    student or his or her parent or legal guardian consents to
18    the maintenance of the covered information.
19        (3) Publicly disclose material information about its
20    collection, use, and disclosure of covered information,
21    including, but not limited to, publishing a terms of
22    service agreement, privacy policy, or similar document.
23        (4) Except for a nonpublic school, for any operator who
24    seeks to receive from a school, school district, or the
25    State Board in any manner any covered information, enter

 

 

10100HB3606sam001- 8 -LRB101 09053 AXK 60514 a

1    into a written agreement with the school, school district,
2    or State Board before the covered information may be
3    transferred. The written agreement may be created in
4    electronic form and signed with an electronic or digital
5    signature or may be a click wrap agreement that is used
6    with software licenses, downloaded or online applications
7    and transactions for educational technologies, or other
8    technologies in which a user must agree to terms and
9    conditions before using the product or service. The written
10    agreement must contain all of the following:
11            (A) A listing of the categories or types of covered
12        information to be provided to the operator.
13            (B) A statement of the product or service being
14        provided to the school by the operator.
15            (C) A statement that the operator is acting as a
16        school official with a legitimate educational
17        interest, is performing an institutional service or
18        function for which the school would otherwise use
19        employees, under the direct control of the school, with
20        respect to the use and maintenance of covered
21        information, and is using the covered information only
22        for an authorized purpose and may not re-disclose it to
23        third parties or affiliates, unless otherwise
24        permitted under this Act, without permission from the
25        school or pursuant to court order.
26            (D) A description of how, if a breach is attributed

 

 

10100HB3606sam001- 9 -LRB101 09053 AXK 60514 a

1        to the operator, any costs and expenses incurred by the
2        school in investigating and remediating the breach
3        will be allocated between the operator and the school.
4        The costs and expenses may include, but are not limited
5        to:
6                (i) providing notification to the parents of
7            those students whose covered information was
8            compromised and to regulatory agencies or other
9            entities as required by law or contract;
10                (ii) providing credit monitoring to those
11            students whose covered information was exposed in
12            a manner during the breach that a reasonable person
13            would believe that it could impact his or her
14            credit or financial security;
15                (iii) legal fees, audit costs, fines, and any
16            other fees or damages imposed against the school as
17            a result of the security breach; and
18                (iv) providing any other notifications or
19            fulfilling any other requirements adopted by the
20            State Board or of any other State or federal laws.
21            (E) A statement that the operator must delete or
22        transfer to the school all covered information if the
23        information is no longer needed for the purposes of the
24        written agreement and to specify the time period in
25        which the information must be deleted or transferred
26        once the operator is made aware that the information is

 

 

10100HB3606sam001- 10 -LRB101 09053 AXK 60514 a

1        no longer needed for the purposes of the written
2        agreement.
3            (F) A statement that the school must publish the
4        written agreement on the school's website. If mutually
5        agreed upon by the school and the operator, provisions
6        of the written agreement, other than those under
7        subparagraphs (A), (B), and (C), may be redacted in the
8        copy of the written agreement published on the school's
9        website.
10        (5) In case of any breach, within the most expedient
11    time possible and without unreasonable delay, but no later
12    than 30 calendar days after the determination that a breach
13    has occurred, notify the school of any breach of the
14    students' covered information.
15        (6) Provide to the school a list of any third parties
16    or affiliates to whom the operator is currently disclosing
17    covered information or has disclosed covered information.
18    This list must, at a minimum, be updated and provided to
19    the school by the beginning of each school year and at the
20    beginning of each calendar year.
21(Source: P.A. 100-315, eff. 8-24-17.)
 
22    (105 ILCS 85/26 new)
23    Sec. 26. School prohibitions. A school may not do either of
24the following:
25        (1) Sell, rent, lease, or trade covered information.

 

 

10100HB3606sam001- 11 -LRB101 09053 AXK 60514 a

1        (2) Share, transfer, disclose, or provide access to a
2    student's covered information to an entity or individual,
3    other than the student's parent or the State Board, without
4    a written agreement, unless the disclosure or transfer is:
5            (A) to the extent permitted by federal law, to law
6        enforcement officials to protect the safety of users or
7        others or the security or integrity of the operator's
8        service;
9            (B) required by court order or State or federal
10        law; or
11            (C) to ensure legal or regulatory compliance.
12        This paragraph (2) does not apply to nonpublic schools.
 
13    (105 ILCS 85/27 new)
14    Sec. 27. School duties.
15    (a) Each school shall post and maintain on its website all
16of the following information:
17        (1) An explanation, that is clear and understandable by
18    a layperson, of the data elements of covered information
19    that the school collects, maintains, or discloses to any
20    person, entity, third party, or governmental agency. The
21    information must explain how the school uses, to whom or
22    what entities it discloses, and for what purpose it
23    discloses the covered information.
24        (2) A list of operators that the school has written
25    agreements with, a copy of each written agreement, and a

 

 

10100HB3606sam001- 12 -LRB101 09053 AXK 60514 a

1    business address for each operator.
2        (3) For each operator, a list of any subcontractors to
3    whom covered information may be disclosed, as provided by
4    the operator to the school under paragraph (6) of Section
5    15.
6        (4) A written description of the procedures that a
7    parent may use to carry out the rights enumerated under
8    Section 33.
9        (5) A list of any breaches of covered information
10    maintained by the school or breaches under Section 15 that
11    includes, but is not limited to, all of the following
12    information:
13            (A) The number of students whose covered
14        information is involved in the breach.
15            (B) The date, estimated date, or estimated date
16        range of the breach.
17            (C) For a breach under Section 15, the name of the
18        operator.
19        The school may omit from the list required under this
20    paragraph (5) (i) any breach in which, to the best of the
21    school's knowledge at the time of updating the list, the
22    number of students whose covered information is involved in
23    the breach is less than 10% of the school's enrollment or
24    (ii) any breach in which, at the time of posting the list,
25    the school is not required to notify the parent of a
26    student under subsection (d).

 

 

10100HB3606sam001- 13 -LRB101 09053 AXK 60514 a

1    The school must, at a minimum, update the items under
2paragraphs (1), (3), (4), and (5) no later than 30 calendar
3days following the start of a school year and no later than 30
4days following the beginning of a calendar year.
5    (b) Each school must adopt a policy designating which
6school employees are authorized to enter into written
7agreements with operators. This subsection may not be construed
8to limit individual school employees outside of the scope of
9their employment from entering into agreements with operators
10on their own behalf and for non-K through 12 school purposes,
11provided that no covered information is provided to the
12operators. Any agreement or contract entered into in violation
13of this Act is void and unenforceable as against public policy.
14    (c) A school must post on its website each written
15agreement entered into under this Act, along with any
16information required under subsection (a), no later than 5
17business days after entering into the agreement.
18    (d) After receipt of notice of a breach under Section 15 or
19determination of a breach of covered information maintained by
20the school, a school shall notify, no later than 30 calendar
21days after receipt of the notice or determination that a breach
22has occurred, the parent of any student whose covered
23information is involved in the breach. The notification must
24include, but is not limited to, all of the following:
25        (1) The date, estimated date, or estimated date range
26    of the breach.

 

 

10100HB3606sam001- 14 -LRB101 09053 AXK 60514 a

1        (2) A description of the covered information that was
2    compromised or reasonably believed to have been
3    compromised in the breach.
4        (3) Information that the parent may use to contact the
5    operator and school to inquire about the breach.
6        (4) The toll-free numbers, addresses, and websites for
7    consumer reporting agencies.
8        (5) The toll-free number, address, and website for the
9    Federal Trade Commission.
10        (6) A statement that the parent may obtain information
11    from the Federal Trade Commission and consumer reporting
12    agencies about fraud alerts and security freezes.
13    (e) Each school must implement and maintain reasonable
14security procedures and practices that otherwise meet or exceed
15industry standards designed to protect covered information
16from unauthorized access, destruction, use, modification, or
17disclosure. Any written agreement under which the disclosure of
18covered information between the school and a third party takes
19place must include a provision requiring the entity to whom the
20covered information is disclosed to implement and maintain
21reasonable security procedures and practices that otherwise
22meet or exceed industry standards designed to protect covered
23information from unauthorized access, destruction, use,
24modification, or disclosure.
25    (f) Each school shall designate an appropriate staff person
26as a privacy officer, who may also be an official records

 

 

10100HB3606sam001- 15 -LRB101 09053 AXK 60514 a

1custodian as designated under the Illinois School Student
2Records Act, to carry out the duties and responsibilities
3assigned to schools and to ensure compliance with the
4requirements of this Section and Section 26.
5    (g) A school shall make a request, pursuant to paragraph
6(2) of Section 15, to an operator to delete covered information
7on behalf of a student's parent if the parent requests from the
8school that the student's covered information held by the
9operator be deleted, so long as the deletion of the covered
10information is not in violation of the Illinois School Student
11Records Act.
12    (h) This Section does not apply to nonpublic schools.
 
13    (105 ILCS 85/28 new)
14    Sec. 28. State Board duties.
15    (a) The State Board may not sell, rent, lease, or trade
16covered information.
17    (b) The State Board may not share, transfer, disclose, or
18provide covered information to an entity or individual without
19a contract or written agreement, except for disclosures
20required by federal law to federal agencies.
21    (c) At least once annually, the State Board must publish
22and maintain on its website a list of all of the entities or
23individuals, including, but not limited to, operators,
24individual researchers, research organizations, institutions
25of higher education, or government agencies, that the State

 

 

10100HB3606sam001- 16 -LRB101 09053 AXK 60514 a

1Board contracts with or has agreements with and that hold
2covered information and a copy of each contract or agreement.
3The list must include all of the following information:
4        (1) The name of the entity or individual. In naming an
5    individual, the list must include the entity that sponsors
6    the individual or with which the individual is affiliated,
7    if any. If the individual is conducting research at an
8    institution of higher education, the list may include the
9    name of that institution and a contact person in the
10    department that is associated with the research in lieu of
11    the name of the researcher. If the entity is an operator,
12    the list must include its business address.
13        (2) The purpose and scope of the contract or agreement.
14        (3) The duration of the contract or agreement.
15        (4) The types of covered information that the entity or
16    individual holds under the contract or agreement.
17        (5) The use of the covered information under the
18    contract or agreement.
19        (6) The length of time for which the entity or
20    individual may hold the covered information.
21        (7) A list of any subcontractors to whom covered
22    information may be disclosed under Section 15.
23    (d) The State Board shall create, publish, and make
24publicly available an inventory, along with a dictionary or
25index of data elements and their definitions, of covered
26information collected or maintained by the State Board,

 

 

10100HB3606sam001- 17 -LRB101 09053 AXK 60514 a

1including, but not limited to, both of the following:
2        (1) Covered information that schools are required to
3    report to the State Board by State or federal law.
4        (2) Covered information in the State longitudinal data
5    system or any data warehouse used by the State Board to
6    populate the longitudinal data system.
7    The inventory shall make clear for what purposes the State
8Board uses the covered information.
9    (e) The State Board shall develop, publish, and make
10publicly available, for the benefit of schools, model student
11data privacy policies and procedures that comply with relevant
12State and federal law, including, but not limited to, a model
13notice that schools must use to provide notice to parents and
14students about operators. The notice must state, in general
15terms, the types of student data that are collected by the
16schools and shared with operators under this Act and the
17purposes of collecting and using the student data. After
18creation of the notice under this subsection, a school shall,
19at the beginning of each school year, provide the notice to
20parents by the same means generally used to send notices to
21them. This subsection does not apply to nonpublic schools.
 
22    (105 ILCS 85/30)
23    Sec. 30. Applicability. This Act does not do any of the
24following:
25        (1) Limit the authority of a law enforcement agency to

 

 

10100HB3606sam001- 18 -LRB101 09053 AXK 60514 a

1    obtain any content or information from an operator as
2    authorized by law or under a court order.
3        (2) Limit the ability of an operator to use student
4    data, including covered information, for adaptive learning
5    or customized student learning purposes.
6        (3) Apply to general audience Internet websites,
7    general audience online services, general audience online
8    applications, or general audience mobile applications,
9    even if login credentials created for an operator's site,
10    service, or application may be used to access those general
11    audience sites, services, or applications.
12        (4) Limit service providers from providing Internet
13    connectivity to schools or students and their families.
14        (5) Prohibit an operator of an Internet website, online
15    service, online application, or mobile application from
16    marketing educational products directly to parents if the
17    marketing did not result from the use of covered
18    information obtained by the operator through the provision
19    of services covered under this Act.
20        (6) Impose a duty upon a provider of an electronic
21    store, gateway, marketplace, or other means of purchasing
22    or downloading software or applications to review or
23    enforce compliance with this Act on those applications or
24    software.
25        (7) Impose a duty upon a provider of an interactive
26    computer service to review or enforce compliance with this

 

 

10100HB3606sam001- 19 -LRB101 09053 AXK 60514 a

1    Act by third-party content providers.
2        (8) Prohibit students from downloading, exporting,
3    transferring, saving, or maintaining their own student
4    data or documents.
5        (9) Supersede the federal Family Educational Rights
6    and Privacy Act of 1974 or rules adopted pursuant to that
7    Act or the Illinois School Student Records Act.
8        (10) Prohibit an operator or school from producing and
9    distributing, free or for consideration, student class
10    photos and yearbooks to the school, students, parents, or
11    individuals authorized by parents and to no others, in
12    accordance with the terms of a written agreement between
13    the operator and the school.
14(Source: P.A. 100-315, eff. 8-24-17.)
 
15    (105 ILCS 85/33 new)
16    Sec. 33. Parent and student rights.
17    (a) A student's covered information is the sole property of
18the student's parent.
19    (b) A student's covered information shall be collected only
20for K through 12 school purposes and not further processed in a
21manner that is incompatible with those purposes.
22    (c) A student's covered information shall only be adequate,
23relevant, and limited to what is necessary in relation to the K
24through 12 school purposes for which it is processed.
25    (d) Except for a parent of a student enrolled in a

 

 

10100HB3606sam001- 20 -LRB101 09053 AXK 60514 a

1nonpublic school, the parent of a student enrolled in a school
2has the right to all of the following:
3        (1) Inspect and review the student's covered
4    information, regardless of whether it is maintained by the
5    school, the State Board, or an operator.
6        (2) Request from a school a paper or electronic copy of
7    the student's covered information, including covered
8    information maintained by an operator or the State Board.
9    If a parent requests an electronic copy of the student's
10    covered information under this paragraph, the school must
11    provide an electronic copy of that information, unless the
12    school does not maintain the information in an electronic
13    format and reproducing the information in an electronic
14    format would be unduly burdensome to the school. If a
15    parent requests a paper copy of the student's covered
16    information, the school may charge the parent the
17    reasonable cost for copying the information in an amount
18    not to exceed the amount fixed in a schedule adopted by the
19    State Board, except that no parent may be denied a copy of
20    the information due to the parent's inability to bear the
21    cost of the copying. The State Board must adopt rules on
22    the methodology and frequency of requests under this
23    paragraph.
24        (3) Request corrections of factual inaccuracies
25    contained in the student's covered information. After
26    receiving a request for corrections that documents a

 

 

10100HB3606sam001- 21 -LRB101 09053 AXK 60514 a

1    factual inaccuracy, a school must do either of the
2    following:
3            (A) Confirm the correction with the parent within
4        90 calendar days after receiving the parent's request
5        if the school or State Board maintains the covered
6        information that contains the factual inaccuracy.
7            (B) Notify the operator who must confirm the
8        correction with the parent within 90 calendar days
9        after receiving the parent's request if the covered
10        information that contains the factual inaccuracy is
11        maintained by an operator.
12    (e) Nothing in this Section shall be construed to limit the
13rights granted to parents and students under the Illinois
14School Student Records Act.
 
15    Section 99. Effective date. This Act takes effect July 1,
162021.".