| |||||||
| |||||||
| |||||||
1 | AN ACT concerning education.
| ||||||
2 | Be it enacted by the People of the State of Illinois,
| ||||||
3 | represented in the General Assembly:
| ||||||
4 | Section 1. Short title. This Act may be cited as the | ||||||
5 | Student Online Personal Protection Act. | ||||||
6 | Section 3. Legislative intent. Schools today are | ||||||
7 | increasingly using a wide range of beneficial online services | ||||||
8 | and other technologies to help students learn, but concerns | ||||||
9 | have been raised about whether sufficient safeguards exist to | ||||||
10 | protect the privacy and security of data about students when it | ||||||
11 | is collected by educational technology companies. This Act is | ||||||
12 | intended to ensure that student data will be protected when it | ||||||
13 | is collected by educational technology companies and that the | ||||||
14 | data may be used for beneficial purposes such as providing | ||||||
15 | personalized learning and innovative educational technologies. | ||||||
16 | Section 5. Definitions. In this Act: | ||||||
17 | "Covered information" means personally identifiable | ||||||
18 | information or material or information that is linked to | ||||||
19 | personally identifiable information or material in any media or | ||||||
20 | format that is not publicly available and is any of the | ||||||
21 | following: | ||||||
22 | (1) Created by or provided to an operator by a student |
| |||||||
| |||||||
1 | or the student's parent or legal guardian in the course of | ||||||
2 | the student's, parent's, or legal guardian's use of the | ||||||
3 | operator's site, service, or application for K through 12 | ||||||
4 | school purposes. | ||||||
5 | (2) Created by or provided to an operator by an | ||||||
6 | employee or agent of a school or school district for K | ||||||
7 | through 12 school purposes. | ||||||
8 | (3) Gathered by an operator through the operation of | ||||||
9 | its site, service, or application for K through 12 school | ||||||
10 | purposes and personally identifies a student, including, | ||||||
11 | but not limited to, information in the student's | ||||||
12 | educational record or electronic mail, first and last name, | ||||||
13 | home address, telephone number, electronic mail address, | ||||||
14 | or other information that allows physical or online | ||||||
15 | contact, discipline records, test results, special | ||||||
16 | education data, juvenile dependency records, grades, | ||||||
17 | evaluations, criminal records, medical records, health | ||||||
18 | records, a social security number, biometric information, | ||||||
19 | disabilities, socioeconomic information, food purchases, | ||||||
20 | political affiliations, religious information, text | ||||||
21 | messages, documents, student identifiers, search activity, | ||||||
22 | photos, voice recordings, or geolocation information. | ||||||
23 | "Interactive computer service" has the meaning ascribed to | ||||||
24 | that term in Section 230 of the federal Communications Decency | ||||||
25 | Act of 1996 (47 U.S.C. 230). | ||||||
26 | "K through 12 school purposes" means purposes that are |
| |||||||
| |||||||
1 | directed by or that customarily take place at the direction of | ||||||
2 | a school, teacher, or school district; aid in the | ||||||
3 | administration of school activities, including, but not | ||||||
4 | limited to, instruction in the classroom or at home, | ||||||
5 | administrative activities, and collaboration between students, | ||||||
6 | school personnel, or parents; or are otherwise for the use and | ||||||
7 | benefit of the school. | ||||||
8 | "Operator" means, to the extent that an entity is operating | ||||||
9 | in this capacity, the operator of an Internet website, online | ||||||
10 | service, online application, or mobile application with actual | ||||||
11 | knowledge that the site, service, or application is used | ||||||
12 | primarily for K through 12 school purposes and was designed and | ||||||
13 | marketed for K through 12 school purposes. | ||||||
14 | "School" means (1) any preschool, public kindergarten, | ||||||
15 | elementary or secondary educational institution, vocational | ||||||
16 | school, special educational facility, or any other elementary | ||||||
17 | or secondary educational agency or institution or (2) any | ||||||
18 | person, agency, or institution that maintains school student | ||||||
19 | records from more than one school. "School" includes a private | ||||||
20 | or nonpublic school. | ||||||
21 | "Targeted advertising" means presenting advertisements to | ||||||
22 | a student where the advertisement is selected based on | ||||||
23 | information obtained or inferred over time from that student's | ||||||
24 | online behavior, usage of applications, or covered | ||||||
25 | information. The term does not include advertising to a student | ||||||
26 | at an online location based upon that student's current visit |
| |||||||
| |||||||
1 | to that location or in response to that student's request for | ||||||
2 | information or feedback, without the retention of that | ||||||
3 | student's online activities or requests over time for the | ||||||
4 | purpose of targeting subsequent ads. | ||||||
5 | Section 10. Operator prohibitions. An operator shall not | ||||||
6 | knowingly do any of the following: | ||||||
7 | (1) Engage in targeted advertising on the operator's | ||||||
8 | site, service, or application or target advertising on any | ||||||
9 | other site, service, or application if the targeting of the | ||||||
10 | advertising is based on any information, including covered | ||||||
11 | information and persistent unique identifiers, that the | ||||||
12 | operator has acquired because of the use of that operator's | ||||||
13 | site, service, or application for K through 12 school | ||||||
14 | purposes. | ||||||
15 | (2) Use information, including persistent unique | ||||||
16 | identifiers, created or gathered by the operator's site, | ||||||
17 | service, or application to amass a profile about a student, | ||||||
18 | except in furtherance of K through 12 school purposes. | ||||||
19 | "Amass a profile" does not include the collection and | ||||||
20 | retention of account information that remains under the | ||||||
21 | control of the student, the student's parent or legal | ||||||
22 | guardian, or the school. | ||||||
23 | (3) Sell or rent a student's information, including | ||||||
24 | covered information. This subdivision (3) does not apply to | ||||||
25 | the purchase, merger, or other type of acquisition of an |
| |||||||
| |||||||
1 | operator by another entity if the operator or successor | ||||||
2 | entity complies with this Act regarding previously | ||||||
3 | acquired student information. | ||||||
4 | (4) Except as otherwise provided in Section 20 of this | ||||||
5 | Act, disclose covered information, unless the disclosure | ||||||
6 | is made for the following purposes: | ||||||
7 | (A) In furtherance of the K through 12 school | ||||||
8 | purposes of the site, service, or application if the | ||||||
9 | recipient of the covered information disclosed under | ||||||
10 | this clause (A) does not further disclose the | ||||||
11 | information, unless done to allow or improve | ||||||
12 | operability and functionality of the operator's site, | ||||||
13 | service, or application. | ||||||
14 | (B) To ensure legal and regulatory compliance or | ||||||
15 | take precautions
against liability. | ||||||
16 | (C) To respond to the judicial process. | ||||||
17 | (D) To protect the safety or integrity of users of | ||||||
18 | the site or others or the security of the site, | ||||||
19 | service, or application. | ||||||
20 | (E) For a school, educational, or employment | ||||||
21 | purpose requested by the student or the student's | ||||||
22 | parent or legal guardian, provided that the | ||||||
23 | information is not used or further disclosed for any | ||||||
24 | other purpose. | ||||||
25 | (F) To a third party if the operator contractually | ||||||
26 | prohibits the third party from using any covered |
| |||||||
| |||||||
1 | information for any purpose other than providing the | ||||||
2 | contracted service to or on behalf of the operator, | ||||||
3 | prohibits the third party from disclosing any covered | ||||||
4 | information provided by the operator with subsequent | ||||||
5 | third parties, and requires the third party to | ||||||
6 | implement and maintain reasonable security procedures | ||||||
7 | and practices. | ||||||
8 | Nothing in this Section prohibits the operator's use of | ||||||
9 | information for maintaining, developing, supporting, | ||||||
10 | improving, or diagnosing the operator's site, service, or | ||||||
11 | application. | ||||||
12 | Section 15. Operator duties. An operator shall do the | ||||||
13 | following: | ||||||
14 | (1) Implement and maintain reasonable security | ||||||
15 | procedures and practices appropriate to the nature of the | ||||||
16 | covered information and designed to protect that covered | ||||||
17 | information from unauthorized access, destruction, use, | ||||||
18 | modification, or disclosure. | ||||||
19 | (2) Delete, within a reasonable time period, a | ||||||
20 | student's covered information if the school or school | ||||||
21 | district requests deletion of covered information under | ||||||
22 | the control of the school or school district, unless a | ||||||
23 | student or his or her parent or legal guardian consents to | ||||||
24 | the maintenance of the covered information. | ||||||
25 | (3) Publicly disclose material information about its |
| |||||||
| |||||||
1 | collection, use, and disclosure of covered information, | ||||||
2 | including, but not limited to, publishing a terms of | ||||||
3 | service agreement, privacy policy, or similar document. | ||||||
4 | Section 20. Permissive use or disclosure. An operator may | ||||||
5 | use or disclose covered information of a student under the | ||||||
6 | following circumstances: | ||||||
7 | (1) If other provisions of federal or State law require | ||||||
8 | the operator to disclose the information, and the operator | ||||||
9 | complies with the requirements of federal and State law in | ||||||
10 | protecting and disclosing that information. | ||||||
11 | (2) For legitimate research purposes as required by | ||||||
12 | State or federal law and subject to the restrictions under | ||||||
13 | applicable State and federal law or as allowed by State or | ||||||
14 | federal law and under the direction of a school, school | ||||||
15 | district, or the State Board of Education if the covered | ||||||
16 | information is not used for advertising or to amass a | ||||||
17 | profile on the student for purposes other than for K | ||||||
18 | through 12 school purposes. | ||||||
19 | (3) To a State or local educational agency, including | ||||||
20 | schools and school districts, for K through 12 school | ||||||
21 | purposes, as permitted by State or federal law. | ||||||
22 | Section 25. Operator actions that are not prohibited. This | ||||||
23 | Act does not prohibit an operator from doing any of the | ||||||
24 | following: |
| |||||||
| |||||||
1 | (1) Using covered information to improve educational | ||||||
2 | products if that information is not associated with an | ||||||
3 | identified student within the operator's site, service, or | ||||||
4 | application or other sites, services, or applications | ||||||
5 | owned by the operator. | ||||||
6 | (2) Using covered information that is not associated | ||||||
7 | with an identified student to demonstrate the | ||||||
8 | effectiveness of the operator's products or services, | ||||||
9 | including in their marketing. | ||||||
10 | (3) Sharing covered information that is not associated | ||||||
11 | with an identified student for the development and | ||||||
12 | improvement of educational sites, services, or | ||||||
13 | applications. | ||||||
14 | (4) Using recommendation engines to recommend to a | ||||||
15 | student either of the following: | ||||||
16 | (A) Additional content relating to an educational, | ||||||
17 | other learning, or employment opportunity purpose | ||||||
18 | within an online site, service, or application if the | ||||||
19 | recommendation is not determined in whole or in part by | ||||||
20 | payment or other consideration from a third party. | ||||||
21 | (B) Additional services relating to an | ||||||
22 | educational, other learning, or employment opportunity | ||||||
23 | purpose within an online site, service, or application | ||||||
24 | if the recommendation is not determined in whole or in | ||||||
25 | part by payment or other consideration from a third | ||||||
26 | party. |
| |||||||
| |||||||
1 | (5) Responding to a student's request for information | ||||||
2 | or for feedback without the information or response being | ||||||
3 | determined in whole or in part by payment or other | ||||||
4 | consideration from a third party. | ||||||
5 | Section 30. Applicability. This Act does not do any of the | ||||||
6 | following: | ||||||
7 | (1) Limit the authority of a law enforcement agency to | ||||||
8 | obtain any content or information from an operator as | ||||||
9 | authorized by law or under a court order. | ||||||
10 | (2) Limit the ability of an operator to use student | ||||||
11 | data, including covered information, for adaptive learning | ||||||
12 | or customized student learning purposes. | ||||||
13 | (3) Apply to general audience Internet websites, | ||||||
14 | general audience online services, general audience online | ||||||
15 | applications, or general audience mobile applications, | ||||||
16 | even if login credentials created for an operator's site, | ||||||
17 | service, or application may be used to access those general | ||||||
18 | audience sites, services, or applications. | ||||||
19 | (4) Limit service providers from providing Internet | ||||||
20 | connectivity to schools or students and their families. | ||||||
21 | (5) Prohibit an operator of an Internet website, online | ||||||
22 | service, online application, or mobile application from | ||||||
23 | marketing educational products directly to parents if the | ||||||
24 | marketing did not result from the use of covered | ||||||
25 | information obtained by the operator through the provision |
| |||||||
| |||||||
1 | of services covered under this Act. | ||||||
2 | (6) Impose a duty upon a provider of an electronic | ||||||
3 | store, gateway, marketplace, or other means of purchasing | ||||||
4 | or downloading software or applications to review or | ||||||
5 | enforce compliance with this Act on those applications or | ||||||
6 | software. | ||||||
7 | (7) Impose a duty upon a provider of an interactive | ||||||
8 | computer service to review or enforce compliance with this | ||||||
9 | Act by third-party content providers. | ||||||
10 | (8) Prohibit students from downloading, exporting, | ||||||
11 | transferring, saving, or maintaining their own student | ||||||
12 | data or documents. | ||||||
13 | (9) Supersede the federal Family Educational Rights | ||||||
14 | and Privacy Act of 1974 or rules adopted pursuant to that | ||||||
15 | Act or the Illinois School Student Records Act. | ||||||
16 | Section 35. Enforcement. Violations of this Act shall | ||||||
17 | constitute unlawful practices for which the Attorney General | ||||||
18 | may take appropriate action under the Consumer Fraud and | ||||||
19 | Deceptive Business Practices Act. | ||||||
20 | Section 40. Severability. The provisions of this Act are | ||||||
21 | severable under Section 1.31 of the Statute on Statutes. | ||||||
22 | Section 50. The Consumer Fraud and Deceptive Business | ||||||
23 | Practices Act is amended by changing Section 2Z as follows:
|
| |||||||
| |||||||
1 | (815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
| ||||||
2 | Sec. 2Z. Violations of other Acts. Any person who knowingly | ||||||
3 | violates
the Automotive Repair Act, the Automotive Collision | ||||||
4 | Repair Act,
the Home Repair and Remodeling Act,
the Dance | ||||||
5 | Studio Act,
the Physical Fitness Services Act,
the Hearing | ||||||
6 | Instrument Consumer Protection Act,
the Illinois Union Label | ||||||
7 | Act,
the Job Referral and Job Listing Services Consumer | ||||||
8 | Protection Act,
the Travel Promotion Consumer Protection Act,
| ||||||
9 | the Credit Services Organizations Act,
the Automatic Telephone | ||||||
10 | Dialers Act,
the Pay-Per-Call Services Consumer Protection | ||||||
11 | Act,
the Telephone Solicitations Act,
the Illinois Funeral or | ||||||
12 | Burial Funds Act,
the Cemetery Oversight Act, the Cemetery Care | ||||||
13 | Act,
the Safe and Hygienic Bed Act,
the Pre-Need Cemetery Sales | ||||||
14 | Act,
the High Risk Home Loan Act, the Payday Loan Reform Act, | ||||||
15 | the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section | ||||||
16 | 3-10 of the
Cigarette Tax Act, subsection
(a) or (b) of Section | ||||||
17 | 3-10 of the Cigarette Use Tax Act, the Electronic
Mail Act, the | ||||||
18 | Internet Caller Identification Act, paragraph (6)
of
| ||||||
19 | subsection (k) of Section 6-305 of the Illinois Vehicle Code, | ||||||
20 | Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150, | ||||||
21 | or 18d-153 of the Illinois Vehicle Code, Article 3 of the | ||||||
22 | Residential Real Property Disclosure Act, the Automatic | ||||||
23 | Contract Renewal Act, the Reverse Mortgage Act, Section 25 of | ||||||
24 | the Youth Mental Health Protection Act, or the Personal | ||||||
25 | Information Protection Act , or the Student Online Personal |
| |||||||
| |||||||
1 | Protection Act commits an unlawful practice within the meaning | ||||||
2 | of this Act.
| ||||||
3 | (Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; revised | ||||||
4 | 10-21-15.) | ||||||
5 | Section 99. Effective date. This Act takes effect upon | ||||||
6 | becoming law. |