Rep. Scott Drury

Filed: 11/28/2016

 

 


 

 


 
09900SB1393ham001LRB099 08398 MLM 51831 a

1
AMENDMENT TO SENATE BILL 1393

2    AMENDMENT NO. ______. Amend Senate Bill 1393 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the
5Student Data Privacy Act.
 
6    Section 5. Legislative intent. It is the intent of the
7General Assembly to ensure that information generated by and
8about students in the course of and in connection with their
9education is safeguarded and that student privacy is honored,
10respected, and protected. The General Assembly finds the
11following:
12        (1) Information generated by and about students in the
13    course of and in connection with their education is a vital
14    resource for teachers and school staff in planning
15    education programs and services, scheduling students into
16    appropriate classes, and completing reports for school

 

 

09900SB1393ham001- 2 -LRB099 08398 MLM 51831 a

1    districts.
2        (2) Information generated by and about students in the
3    course of and in connection with their education is
4    critical to educators in helping students successfully
5    graduate from high school and being ready to enter the
6    workforce or postsecondary education.
7        (3) While information generated by and about students
8    in the course of and in connection with their education is
9    important for educational purposes, it is also critically
10    important to ensure that the information is protected,
11    safeguarded, and kept private and used only by appropriate
12    educational authorities or their permitted designees, and
13    then only to serve the best interests of the student.
14    To that end, this Act helps ensure that information
15generated by and about students in the course of and in
16connection with their education is protected and expectations
17of privacy are honored.
 
18    Section 10. Definitions. As used in this Act:
19    "Biometric information" has the meaning ascribed to that
20term in Section 10-20.40 of the School Code.
21    "Directory information" means any personally identifiable
22information that the State Board of Education has designated as
23directory information under Section 375.80 of Title 23 of the
24Illinois Administrative Code.
25    "Educational online product" means an Internet website,

 

 

09900SB1393ham001- 3 -LRB099 08398 MLM 51831 a

1online service, online application, cloud computing service,
2or mobile application that is designed and marketed or may
3reasonably be used for educational purposes.
4    "Educational purposes" means any activity that is directed
5by an employee or agent of a school district with authority to
6give the direction and is intended to assist with the school
7district's educational curriculum.
8    "Interactive computer service" means any service, system,
9or software provider that provides or enables multiple users
10access to a computer server, including a service or system that
11provides access to the Internet and systems or services offered
12by libraries or educational institutions.
13    "Operator" means the owner or operator, or any agent
14thereof, of an educational online product or interactive
15computer service that may reasonably be used for educational
16purposes or was designed and marketed for educational purposes.
17For the purposes of this Act, the term "operator" shall not be
18construed to include any school district, or school district
19employee or agent acting on behalf of a school district
20employer, that operates or owns an educational online product
21that is solely used within the school district for educational
22purposes.
23    "Personally identifiable information" means information
24that, alone or in combination, identifies an individual student
25with reasonable certainty or that is linked to information that
26identifies an individual student, including, but not limited

 

 

09900SB1393ham001- 4 -LRB099 08398 MLM 51831 a

1to: (1) information in the student's school student record,
2student permanent record, or student temporary record, as those
3terms are defined in the Illinois School Student Records Act,
4or other educational record or electronic mail; (2) the
5student's first and last name or the name of the student's
6parent or guardian or other family members; (3) the home
7address of the student or student's family; (4) the telephone
8number of the student or student's family; (5) the electronic
9mail address of the student or student's family; (6) any other
10information that allows physical or online contact with the
11student; (7) discipline records; (8) test results; (9) data
12that is a part of or related to any individualized education
13program for such student; (10) juvenile dependency records;
14(11) grades; (12) evaluations; (13) criminal records; (14)
15medical records; (15) health records; (16) social security
16number or other personal identifiers; (17) biometric
17information; (18) disabilities; (19) socioeconomic
18information; (20) food purchases; (21) political affiliations;
19(22) religious information; (23) text messages; (24)
20documents; (25) student identifiers, such as date of birth,
21place of birth, and mother's maiden name; (26) search activity;
22(27) photos; (28) voice recordings; (29) geolocation
23information; (30) directory information; (31) online accounts;
24(32) other information that, alone or in combination, is linked
25or linkable to a specific student that would allow a reasonable
26person in the school community who does not have knowledge of

 

 

09900SB1393ham001- 5 -LRB099 08398 MLM 51831 a

1the relevant circumstances to identify the student with
2reasonable certainty; or (33) information requested by a person
3whom the school district or an employee or agent of the school
4district reasonably believes knows the identity of the student
5to whom the information relates.
6    "Service provider" means a person, subcontractor, agent,
7independent contractor, or other entity that provides a service
8to an operator or provides a service that enables users to
9access content, information, electronic mail, or other
10services offered over the Internet or a computer network.
11    "Student data" means any information or record, including
12personally identifiable information, not otherwise available
13to the public that was collected or created by or otherwise
14provided to an operator, in any media or format, for or in
15connection with an educational purpose. "Student data"
16includes any aggregated information or records capable of being
17de-aggregated or reconstructed to the point that any student
18may be individually identified therefrom.
19    "Targeted advertising" means presenting an advertisement
20to a student or group of students in which the advertisement is
21selected based on a known or assumed trait of the student or
22group of students or information obtained or inferred over time
23from that student's or group of students' online behavior;
24usage of online applications, educational online products,
25online services, cloud computing services, or mobile
26applications; or student data. Targeted advertising does not

 

 

09900SB1393ham001- 6 -LRB099 08398 MLM 51831 a

1include information provided to a student for an educational
2purpose.
 
3    Section 15. Operator and service provider duties.
4    (a) An operator or service provider shall not knowingly:
5        (1) engage in targeted advertising based in whole or in
6    part on any student data;
7        (2) use data created or collected through the operation
8    of educational online products or interactive services to
9    amass a profile about a student, except in furtherance of
10    specifically defined educational purposes that are set
11    forth in writing as required by subsection (e) of this
12    Section;
13        (3) sell, rent, or provide student data to a third
14    party, unless the data is part of assets being transferred
15    during the purchase, merger, or other acquisition of an
16    operator by another entity, provided that the successor
17    entity agrees in writing to be subject to and bound by the
18    provisions of this Act as though it were an operator with
19    respect to the acquired student data and information;
20        (4) exercise or claim any rights, implied or otherwise,
21    to any student data, unless otherwise authorized by this
22    Act;    
23        (5) disclose student data, unless the disclosure is
24    made for the following purposes:
25            (A) for legitimate research purposes, subject to

 

 

09900SB1393ham001- 7 -LRB099 08398 MLM 51831 a

1        and as allowed by federal law and in compliance with
2        subsection (a) of Section 6 of the Illinois School
3        Student Records Act, and under the direction of a
4        school district, provided that the student data is not
5        used for advertising or to amass a profile on the
6        student or for any other purposes other than
7        specifically defined educational purposes that are set
8        forth in writing as required by subsection (e) of this
9        Section;
10            (B) in response to requests by a school district or
11        State agency for personal information for educational
12        purposes;
13            (C) in response to legally permissible and
14        authorized requests or orders by law enforcement
15        agencies or courts of competent jurisdiction, as long
16        as the operator complies with the requirements of
17        federal and State law in protecting and disclosing that
18        information; or
19            (D) to a service provider, provided that the
20        operator contractually: (i) prohibits the service
21        provider from using any student data for any purpose
22        prohibited by this Act; (ii) prohibits the service
23        provider from disclosing any student data provided by
24        the operator with subsequent third parties; and (iii)
25        requires the service provider to implement and
26        maintain reasonable security procedures and practices

 

 

09900SB1393ham001- 8 -LRB099 08398 MLM 51831 a

1        to ensure the confidentiality of the student data; or
2        (6) subject to the provisions of subsection (e) of this
3    Section, modify or otherwise alter the terms and conditions
4    of any agreement with a school district related to student
5    data without the express written consent of the school
6    district.
7    (b) An operator or service provider shall:
8            (1) implement and maintain reasonable security
9        procedures and practices appropriate to the nature of
10        the student data that are designed to protect the
11        information from unauthorized access, destruction,
12        use, modification, or disclosure; and
13            (2) delete student data within a reasonable period
14        of time, not to exceed 60 days, upon written request by
15        the school district, provided that the school district
16        provides the student or the student's parent or legal
17        guardian with written notice of the request and
18        provides an opportunity to object.
19    (c) Nothing in this Section shall be construed to prohibit
20an operator or service provider from:
21        (1) using or sharing aggregated, de-identified student
22    data that is not capable of being deaggregated or otherwise
23    manipulated to allow for the identification of any
24    individual student to maintain, develop, support, improve,
25    or diagnose educational online products or interactive
26    computer services;

 

 

09900SB1393ham001- 9 -LRB099 08398 MLM 51831 a

1        (2) using aggregated, de-identified student data that
2    is not capable of being deaggregated or otherwise
3    manipulated to allow for the identification of any
4    individual student to demonstrate the effectiveness of
5    educational online products or interactive computer
6    services, including marketing; or
7        (3) providing a response for a non-advertising,
8    educational purpose to a student's request for information
9    or feedback, provided that (i) the response is not
10    determined in whole or in part by payment or other
11    consideration from a third party, (ii) the operator does
12    not receive any payment or other consideration upon a
13    student selecting any information or responding to the
14    request, and (iii) the operator does not keep a record or
15    otherwise collect or retain data regarding a student's
16    online activities over time or that links or otherwise ties
17    the student to the request.
18    (d) Nothing in this Section shall be construed to:
19        (1) limit the authority of a law enforcement agency to
20    obtain any content or information from an operator as
21    authorized by law or pursuant to a court order;
22        (2) limit the ability of a school district to authorize
23    an operator to use student data for adaptive learning or
24    customized student-learning purposes, provided it is done
25    in a manner consistent with this Act;
26        (3) limit service providers from providing Internet

 

 

09900SB1393ham001- 10 -LRB099 08398 MLM 51831 a

1    connectivity to schools or to students and the students'
2    parents or legal guardians;
3        (4) prohibit an operator from marketing educational
4    products to general audiences, provided that the marketing
5    is not based on any student data and does not constitute
6    targeted advertising;
7        (5) impose a duty upon a provider of an electronic
8    store, gateway, marketplace, or other means of purchasing
9    or downloading software or applications to review or
10    enforce compliance with this Section on such software or
11    applications, unless the provider is also an operator or
12    affiliated with an operator, in which case the provider is
13    required to comply with this Section with respect to
14    software or applications offered by or otherwise provided
15    by the operator or affiliate;
16        (6) impose a duty upon a provider of an interactive
17    computer service to review or enforce compliance with this
18    Section by third-party content providers, unless the
19    third-party content providers are affiliated with the
20    interactive computer service, in which case the
21    interactive computer service is required to comply with
22    this Section with respect to software or applications
23    offered or otherwise provided by those content providers;
24    or
25        (7) prohibit students from downloading, exporting,
26    transferring, saving, or maintaining the student's own

 

 

09900SB1393ham001- 11 -LRB099 08398 MLM 51831 a

1    student data or documents, provided that an operator does
2    not offer or receive any consideration from a student
3    engaging in such an activity.
4    (e) Any operator who seeks to receive any student data may
5do so only by entering into a written agreement with the
6applicable school district before any records may be released
7or transferred.
8        (1) The agreement shall include, but not be limited to,
9    all of the following:
10            (A) Provisions consistent with the prohibitions or
11        requirements of this Section.
12            (B) A statement of the educational products or
13        interactive computer services being provided.
14            (C) A statement that the operator is acting as a
15        school official with a legitimate educational
16        interest, is performing an institutional service or
17        function for which the school district would otherwise
18        use employees, is under the direct control of the
19        school district with respect to the use and maintenance
20        of student data, and is using such student data only
21        for an authorized purpose and will not redisclose it to
22        third parties or affiliates unless otherwise permitted
23        under this Act.
24            (D) A description of the actions the operator will
25        take, including a description of the training the
26        operator will provide to anyone who will receive or

 

 

09900SB1393ham001- 12 -LRB099 08398 MLM 51831 a

1        have access to student data, to ensure the security and
2        confidentiality of student data. Compliance with this
3        subdivision (D) does not, in itself, absolve the
4        operator of liability in the event of an unauthorized
5        disclosure of student data.
6            (E) A provision stating that (i) any dispute
7        arising out of or otherwise connected to student data
8        must be litigated using Illinois law, (ii) the proper
9        venue is in the county in which the school district is
10        located, and (iii) the court in the proper venue shall
11        have jurisdiction over the operator.
12            (F) A statement that the agreement is the entire
13        agreement between the school district, including
14        school district employees or agents and other users,
15        and the operator.
16        (2) The agreement shall not include any provisions that
17    require a school district or its employees or agents to:
18            (A) pay the operator's attorney's fees or costs in
19        connection with any dispute arising out of or otherwise
20        connected to student data, except in the case of
21        willful or wanton conduct by a school district or its
22        employees or agents, in which case indemnification by
23        the school district may be permitted; or
24            (B) arbitrate any dispute arising out of or
25        otherwise connected to student data.
 

 

 

09900SB1393ham001- 13 -LRB099 08398 MLM 51831 a

1    Section 20. Disclosure of student data by school district.
2A school district or its employees or agents shall only
3disclose student data in accordance with the provisions of this
4Section.
5    Without prior written authorization from the school
6district in which an individual employee or agent works, no
7individual employee or agent of that school district may enter
8into any agreements with operators or service providers that
9concern the use of educational online products that utilize
10student data. If an operator enters into an agreement with any
11unauthorized individual employee or agent or other user, then
12the school district must have the authority to unilaterally
13cancel the agreement and require the operator or service
14provider to provide all collected student data to the school
15district or to delete it.
16    The school district may disclose personally identifiable
17information or directory information if the student (if the
18student is an adult) or the student's parent or legal guardian
19(if the student is a minor) consents to the disclosure in
20writing. An operator may not solicit any student or parent or
21legal guardian to disclose student data.
 
22    Section 25. Collection of biometric information. No school
23district may collect biometric information from a student or
24use any device or mechanism to assess a student's physiological
25or emotional state, unless the student (if the student is an

 

 

09900SB1393ham001- 14 -LRB099 08398 MLM 51831 a

1adult) or the student's parent or legal guardian (if student is
2a minor) consents in writing.
 
3    Section 30. Security breach.
4    (a) Each school district must establish a policy for
5notifying students and parents of any security breach or
6unauthorized disclosure of student data by the school district
7or by an operator, service provider, or other entity or third
8party given access to student data or personally identifiable
9information of a student.
10    (b) In the event of any security breach or unauthorized
11disclosure of any student data by an operator, service
12provider, or other entity or third party given access to
13student data or personally identifiable information of any
14student, the operator, service provider, or other entity or
15third party shall immediately notify any Illinois school
16district that has provided student data to the operator,
17service provider, or other entity or third party of the breach
18or unauthorized disclosure, investigate the causes and
19consequences of the breach or unauthorized disclosure, and
20reimburse the school district in full for all reasonable costs
21and expenses incurred by the school district as a result of the
22breach, including (i) providing notification to students,
23parents, and guardians; (ii) providing at least one year's
24credit monitoring to impacted students; and (iii) paying all
25legal fees, costs, fines, and damages imposed against the

 

 

09900SB1393ham001- 15 -LRB099 08398 MLM 51831 a

1school district as a result of the breach.
2    (c) In the event of a security breach or unauthorized
3disclosure of student data by a school district, State agency,
4or other third party not covered by subsection (b) of this
5Section and given access to student data or personally
6identifiable information of any student, the school district,
7State agency, or other third party shall immediately notify
8each affected student (if the student is an adult) or the
9student's parent or legal guardian (if the student is a minor)
10of the breach or unauthorized disclosure and investigate the
11causes and consequences of the breach or unauthorized
12disclosure.
 
13    Section 35. Rulemaking; notice.
14    (a) The State Board of Education shall adopt rules in
15accordance with this Act and applicable federal and State laws
16and rules to protect the right of privacy of any student and
17his or her family regarding personally identifiable records,
18files, and data directly related to the student by January 1,
192018. The rules shall provide for:
20        (1) means by which any student (if the student is an
21    adult) or the student's parent or guardian (if the student
22    is a minor) may inspect and review any records or files
23    directly related to the student;
24        (2) restricting the accessibility and availability of
25    any personally identifiable information in records or

 

 

09900SB1393ham001- 16 -LRB099 08398 MLM 51831 a

1    files of any student and preventing disclosure thereof
2    unless made upon written consent of such student (if the
3    student is an adult) or the student's parent or guardian
4    (if the student is a minor); and
5        (3) which employees or agents may bind the school
6    district to the terms of any written agreements, not
7    including electronic, click-through, or click-wrap
8    agreements, which agreements may not be entered into with a
9    school district.
10    (b) The State Board of Education must create a model notice
11that school districts shall annually provide to parents, legal
12guardians, and students that student data may be disclosed in
13accordance with this Act. The notice shall be signed by the
14student (if the student is an adult) or by the student's parent
15or legal guardian (if the student is a minor) and maintained on
16file with the school district. The notice must provide what
17types of student data are collected and shared with operators
18or service providers and the purpose for collection or use.
 
19    Section 40. Enforcement.
20    (a) Any person aggrieved by any violation of this Act may
21institute an action for injunctive relief in the circuit court
22of the county in which the violation has occurred or the
23circuit court of any of the counties in which the school
24district is located.
25    (b) Any person injured by a willful or negligent violation

 

 

09900SB1393ham001- 17 -LRB099 08398 MLM 51831 a

1of this Act may institute an action for damages in the circuit
2court of the county in which the violation has occurred or the
3circuit court of any of the counties in which the school
4district is located.
5    (c) In the case of any successful action under subsection
6(a) or (b) of this Section, any person or entity found to have
7willfully or negligently violated any provision of this Act is
8liable to the plaintiff for the plaintiff's damages, the costs
9of the action, and reasonable attorney's fees, as determined by
10the court.
11    (d) Actions for injunctive relief to secure compliance with
12this Act may be brought by the State Board of Education, by the
13State's Attorney of the county in which the alleged violation
14has occurred, or by the State's Attorney of any of the counties
15in which the school district is located, in each case in the
16circuit court of such county.
17    (e) Willful failure to comply with any Section of this Act
18is a petty offense.
 
19    Section 95. The Children's Privacy Protection and Parental
20Empowerment Act is amended by changing Section 5 as follows:
 
21    (325 ILCS 17/5)
22    Sec. 5. Definitions. As used in this Act:
23    "Child" means a person under the age of 18 16. "Child" does
24not include a minor emancipated by operation of law.

 

 

09900SB1393ham001- 18 -LRB099 08398 MLM 51831 a

1    "Parent" means a parent, step-parent, or legal guardian.
2    "Personal information" means any of the following:
3        (1) A person's name.
4        (2) A person's address.
5        (3) A person's telephone number.
6        (4) A person's driver's license number or State of
7    Illinois identification card as assigned by the Illinois
8    Secretary of State or by a similar agency of another state.
9        (5) A person's social security number.
10        (6) Any other information that can be used to locate or
11    contact a specific individual.
12    "Personal information" does not include any of the
13following:
14        (1) Public records as defined by Section 2 of the
15    Freedom of Information Act.
16        (2) Court records.
17        (3) Information found in publicly available sources,
18    including newspapers, magazines, and telephone
19    directories.
20        (4) Any other information that is not known to concern
21    a child.
22(Source: P.A. 93-462, eff. 1-1-04.)".