|  |
Public Act 101-0516
Public Act 0516 101ST GENERAL ASSEMBLY
|
Public Act 101-0516
| | HB3606 Enrolled | LRB101 09053 AXK 54146 b |
|
| AN ACT concerning education.
| Be it enacted by the People of the State of Illinois,
| represented in the General Assembly:
| Section 5. The Student Online Personal Protection Act is | amended by changing Sections 5, 10, 15, and 30 and by adding | Sections 26, 27, 28, and 33 as follows:
| (105 ILCS 85/5)
| Sec. 5. Definitions. In this Act: | "Breach" means the unauthorized acquisition of | computerized data that compromises the security, | confidentiality, or integrity of covered information | maintained by an operator or school. "Breach" does not include | the good faith acquisition of personal information by an | employee or agent of an operator or school for a legitimate | purpose of the operator or school if the covered information is | not used for a purpose prohibited by this Act or subject to | further unauthorized disclosure. | "Covered information" means personally identifiable | information or material or information that is linked to | personally identifiable information or material in any media or | format that is not publicly available and is any of the | following: | (1) Created by or provided to an operator by a student |
| or the student's parent or legal guardian in the course of | the student's or , parent's, or legal guardian's use of the | operator's site, service, or application for K through 12 | school purposes. | (2) Created by or provided to an operator by an | employee or agent of a school or school district for K | through 12 school purposes. | (3) Gathered by an operator through the operation of | its site, service, or application for K through 12 school | purposes and personally identifies a student, including, | but not limited to, information in the student's | educational record or electronic mail, first and last name, | home address, telephone number, electronic mail address, | or other information that allows physical or online | contact, discipline records, test results, special | education data, juvenile dependency records, grades, | evaluations, criminal records, medical records, health | records, a social security number, biometric information, | disabilities, socioeconomic information, food purchases, | political affiliations, religious information, text | messages, documents, student identifiers, search activity, | photos, voice recordings, or geolocation information. | "Interactive computer service" has the meaning ascribed to | that term in Section 230 of the federal Communications Decency | Act of 1996 (47 U.S.C. 230). | "K through 12 school purposes" means purposes that are |
| directed by or that customarily take place at the direction of | a school, teacher, or school district; aid in the | administration of school activities, including, but not | limited to, instruction in the classroom or at home, | administrative activities, and collaboration between students, | school personnel, or parents; or are otherwise for the use and | benefit of the school. | "Longitudinal data system" has the meaning given to that | term under the P-20 Longitudinal Education Data System Act. | "Operator" means, to the extent that an entity is operating | in this capacity, the operator of an Internet website, online | service, online application, or mobile application with actual | knowledge that the site, service, or application is used | primarily for K through 12 school purposes and was designed and | marketed for K through 12 school purposes. | "Parent" has the meaning given to that term under the | Illinois School Student Records Act. | "School" means (1) any preschool, public kindergarten, | elementary or secondary educational institution, vocational | school, special educational facility, or any other elementary | or secondary educational agency or institution or (2) any | person, agency, or institution that maintains school student | records from more than one school. Except as otherwise provided | in this Act, "school" "School" includes a private or nonpublic | school. | "State Board" means the State Board of Education. |
| "Student" has the meaning given to that term under the | Illinois School Student Records Act. | "Targeted advertising" means presenting advertisements to | a student where the advertisement is selected based on | information obtained or inferred over time from that student's | online behavior, usage of applications, or covered | information. The term does not include advertising to a student | at an online location based upon that student's current visit | to that location or in response to that student's request for | information or feedback, without the retention of that | student's online activities or requests over time for the | purpose of targeting subsequent ads.
| (Source: P.A. 100-315, eff. 8-24-17.)
| (105 ILCS 85/10)
| Sec. 10. Operator prohibitions. An operator shall not | knowingly do any of the following: | (1) Engage in targeted advertising on the operator's | site, service, or application or target advertising on any | other site, service, or application if the targeting of the | advertising is based on any information, including covered | information and persistent unique identifiers, that the | operator has acquired because of the use of that operator's | site, service, or application for K through 12 school | purposes. | (2) Use information, including persistent unique |
| identifiers, created or gathered by the operator's site, | service, or application to amass a profile about a student, | except in furtherance of K through 12 school purposes. | "Amass a profile" does not include the collection and | retention of account information that remains under the | control of the student, the student's parent or legal | guardian, or the school. | (3) Sell or rent a student's information, including | covered information. This subdivision (3) does not apply to | the purchase, merger, or other type of acquisition of an | operator by another entity if the operator or successor | entity complies with this Act regarding previously | acquired student information. | (4) Except as otherwise provided in Section 20 of this | Act, disclose covered information, unless the disclosure | is made for the following purposes: | (A) In furtherance of the K through 12 school | purposes of the site, service, or application if the | recipient of the covered information disclosed under | this clause (A) does not further disclose the | information, unless done to allow or improve | operability and functionality of the operator's site, | service, or application. | (B) To ensure legal and regulatory compliance or | take precautions
against liability. | (C) To respond to the judicial process. |
| (D) To protect the safety or integrity of users of | the site or others or the security of the site, | service, or application. | (E) For a school, educational, or employment | purpose requested by the student or the student's | parent or legal guardian, provided that the | information is not used or further disclosed for any | other purpose. | (F) To a third party if the operator contractually | prohibits the third party from using any covered | information for any purpose other than providing the | contracted service to or on behalf of the operator, | prohibits the third party from disclosing any covered | information provided by the operator with subsequent | third parties, and requires the third party to | implement and maintain reasonable security procedures | and practices as required under Section 15. | Nothing in this Section prohibits the operator's use of | information for maintaining, developing, supporting, | improving, or diagnosing the operator's site, service, or | application.
| (Source: P.A. 100-315, eff. 8-24-17.)
| (105 ILCS 85/15)
| Sec. 15. Operator duties. An operator shall do the | following: |
| (1) Implement and maintain reasonable security | procedures and practices that otherwise meet or exceed | industry standards appropriate to the nature of the covered | information and designed to protect that covered | information from unauthorized access, destruction, use, | modification, or disclosure. | (2) Delete, within a reasonable time period, a | student's covered information if the school or school | district requests deletion of covered information under | the control of the school or school district, unless a | student or his or her parent or legal guardian consents to | the maintenance of the covered information. | (3) Publicly disclose material information about its | collection, use, and disclosure of covered information, | including, but not limited to, publishing a terms of | service agreement, privacy policy, or similar document. | (4) Except for a nonpublic school, for any operator who | seeks to receive from a school, school district, or the | State Board in any manner any covered information, enter | into a written agreement with the school, school district, | or State Board before the covered information may be | transferred. The written agreement may be created in | electronic form and signed with an electronic or digital | signature or may be a click wrap agreement that is used | with software licenses, downloaded or online applications | and transactions for educational technologies, or other |
| technologies in which a user must agree to terms and | conditions before using the product or service. Any written | agreement entered into, amended, or renewed must contain | all of the following: | (A) A listing of the categories or types of covered | information to be provided to the operator. | (B) A statement of the product or service being | provided to the school by the operator. | (C) A statement that, pursuant to the federal | Family Educational Rights and Privacy Act of 1974, the | operator is acting as a school official with a | legitimate educational interest, is performing an | institutional service or function for which the school | would otherwise use employees, under the direct | control of the school, with respect to the use and | maintenance of covered information, and is using the | covered information only for an authorized purpose and | may not re-disclose it to third parties or affiliates, | unless otherwise permitted under this Act, without | permission from the school or pursuant to court order. | (D) A description of how, if a breach is attributed | to the operator, any costs and expenses incurred by the | school in investigating and remediating the breach | will be allocated between the operator and the school. | The costs and expenses may include, but are not limited | to: |
| (i) providing notification to the parents of | those students whose covered information was | compromised and to regulatory agencies or other | entities as required by law or contract; | (ii) providing credit monitoring to those | students whose covered information was exposed in | a manner during the breach that a reasonable person | would believe that it could impact his or her | credit or financial security; | (iii) legal fees, audit costs, fines, and any | other fees or damages imposed against the school as | a result of the security breach; and | (iv) providing any other notifications or | fulfilling any other requirements adopted by the | State Board or of any other State or federal laws. | (E) A statement that the operator must delete or | transfer to the school all covered information if the | information is no longer needed for the purposes of the | written agreement and to specify the time period in | which the information must be deleted or transferred | once the operator is made aware that the information is | no longer needed for the purposes of the written | agreement. | (F) If the school maintains a website, a statement | that the school must publish the written agreement on | the school's website. If the school does not maintain a |
| website, a statement that the school must make the | written agreement available for inspection by the | general public at its administrative office. If | mutually agreed upon by the school and the operator, | provisions of the written agreement, other than those | under subparagraphs (A), (B), and (C), may be redacted | in the copy of the written agreement published on the | school's website or made available at its | administrative office. | (5) In case of any breach, within the most expedient | time possible and without unreasonable delay, but no later | than 30 calendar days after the determination that a breach | has occurred, notify the school of any breach of the | students' covered information.
| (6) Except for a nonpublic school, provide to the | school a list of any third parties or affiliates to whom | the operator is currently disclosing covered information | or has disclosed covered information. This list must, at a | minimum, be updated and provided to the school by the | beginning of each State fiscal year and at the beginning of | each calendar year. | (Source: P.A. 100-315, eff. 8-24-17.)
| (105 ILCS 85/26 new) | Sec. 26. School prohibitions. A school may not do either of | the following: |
| (1) Sell, rent, lease, or trade covered information. | (2) Share, transfer, disclose, or provide access to a | student's covered information to an entity or individual, | other than the student's parent, school personnel, | appointed or elected school board members or local school | council members, or the State Board, without a written | agreement, unless the disclosure or transfer is: | (A) to the extent permitted by State or federal | law, to law enforcement officials to protect the safety | of users or others or the security or integrity of the | operator's service; | (B) required by court order or State or federal | law; or | (C) to ensure legal or regulatory compliance. | This paragraph (2) does not apply to nonpublic schools.
| (105 ILCS 85/27 new) | Sec. 27. School duties. | (a) Each school shall post and maintain on its website or, | if the school does not maintain a website, make available for | inspection by the general public at its administrative office | all of the following information: | (1) An explanation, that is clear and understandable by | a layperson, of the data elements of covered information | that the school collects, maintains, or discloses to any | person, entity, third party, or governmental agency. The |
| information must explain how the school uses, to whom or | what entities it discloses, and for what purpose it | discloses the covered information. | (2) A list of operators that the school has written | agreements with, a copy of each written agreement, and a | business address for each operator. A copy of a written | agreement posted or made available by a school under this | paragraph may contain redactions, as provided under | subparagraph (F) of paragraph (4) of Section 15. | (3) For each operator, a list of any subcontractors to | whom covered information may be disclosed or a link to a | page on the operator's website that clearly lists that | information, as provided by the operator to the school | under paragraph (6) of Section 15. | (4) A written description of the procedures that a | parent may use to carry out the rights enumerated under | Section 33. | (5) A list of any breaches of covered information | maintained by the school or breaches under Section 15 that | includes, but is not limited to, all of the following | information: | (A) The number of students whose covered | information is involved in the breach, unless | disclosing that number would violate the provisions of | the Personal Information Protection Act. | (B) The date, estimated date, or estimated date |
| range of the breach. | (C) For a breach under Section 15, the name of the | operator. | The school may omit from the list required under this | paragraph (5) (i) any breach in which, to the best of the | school's knowledge at the time of updating the list, the | number of students whose covered information is involved in | the breach is less than 10% of the school's enrollment, | (ii) any breach in which, at the time of posting the list, | the school is not required to notify the parent of a | student under subsection (d), (iii) any breach in which the | date, estimated date, or estimated date range in which it | occurred is earlier than July 1, 2021, or (iv) any breach | previously posted on a list under this paragraph (5) no | more than 5 years prior to the school updating the current | list. | The school must, at a minimum, update the items under | paragraphs (1), (3), (4), and (5) no later than 30 calendar | days following the start of a fiscal year and no later than 30 | days following the beginning of a calendar year. | (b) Each school must adopt a policy for designating which | school employees are authorized to enter into written | agreements with operators. This subsection may not be construed | to limit individual school employees outside of the scope of | their employment from entering into agreements with operators | on their own behalf and for non-K through 12 school purposes, |
| provided that no covered information is provided to the | operators. Any agreement or contract entered into in violation | of this Act is void and unenforceable as against public policy. | (c) A school must post on its website or, if the school | does not maintain a website, make available at its | administrative office for inspection by the general public each | written agreement entered into under this Act, along with any | information required under subsection (a), no later than 10 | business days after entering into the agreement. | (d) After receipt of notice of a breach under Section 15 or | determination of a breach of covered information maintained by | the school, a school shall notify, no later than 30 calendar | days after receipt of the notice or determination that a breach | has occurred, the parent of any student whose covered | information is involved in the breach. The notification must | include, but is not limited to, all of the following: | (1) The date, estimated date, or estimated date range | of the breach. | (2) A description of the covered information that was | compromised or reasonably believed to have been | compromised in the breach. | (3) Information that the parent may use to contact the | operator and school to inquire about the breach. | (4) The toll-free numbers, addresses, and websites for | consumer reporting agencies. | (5) The toll-free number, address, and website for the |
| Federal Trade Commission. | (6) A statement that the parent may obtain information | from the Federal Trade Commission and consumer reporting | agencies about fraud alerts and security freezes. | A notice of breach required under this subsection may be | delayed if an appropriate law enforcement agency determines | that the notification will interfere with a criminal | investigation and provides the school with a written request | for a delay of notice. A school must comply with the | notification requirements as soon as the notification will no | longer interfere with the investigation. | (e) Each school must implement and maintain reasonable | security procedures and practices that otherwise meet or exceed | industry standards designed to protect covered information | from unauthorized access, destruction, use, modification, or | disclosure. Any written agreement under which the disclosure of | covered information between the school and a third party takes | place must include a provision requiring the entity to whom the | covered information is disclosed to implement and maintain | reasonable security procedures and practices that otherwise | meet or exceed industry standards designed to protect covered | information from unauthorized access, destruction, use, | modification, or disclosure. The State Board must make | available on its website a guidance document for schools | pertaining to reasonable security procedures and practices | under this subsection. |
| (f) Each school may designate an appropriate staff person | as a privacy officer, who may also be an official records | custodian as designated under the Illinois School Student | Records Act, to carry out the duties and responsibilities | assigned to schools and to ensure compliance with the | requirements of this Section and Section 26. | (g) A school shall make a request, pursuant to paragraph | (2) of Section 15, to an operator to delete covered information | on behalf of a student's parent if the parent requests from the | school that the student's covered information held by the | operator be deleted, so long as the deletion of the covered | information is not in violation of State or federal records | laws. | (h) This Section does not apply to nonpublic schools.
| (105 ILCS 85/28 new) | Sec. 28. State Board duties. | (a) The State Board may not sell, rent, lease, or trade | covered information. | (b) Except for an employee of the State Board or a State | Board official acting within his or her official capacity, the | State Board may not share, transfer, disclose, or provide | covered information to an entity or individual without a | contract or written agreement, except for disclosures required | by State or federal law. | (c) At least once annually, the State Board must publish |
| and maintain on its website a list of all of the entities or | individuals, including, but not limited to, operators, | individual researchers, research organizations, institutions | of higher education, or government agencies, that the State | Board contracts with or has written agreements with and that | hold covered information and a copy of each contract or written | agreement. The list must include all of the following | information: | (1) The name of the entity or individual. In naming an | individual, the list must include the entity that sponsors | the individual or with which the individual is affiliated, | if any. If the individual is conducting research at an | institution of higher education, the list may include the | name of that institution and a contact person in the | department that is associated with the research in lieu of | the name of the researcher. If the entity is an operator, | the list must include its business address. | (2) The purpose and scope of the contract or agreement. | (3) The duration of the contract or agreement. | (4) The types of covered information that the entity or | individual holds under the contract or agreement. | (5) The use of the covered information under the | contract or agreement. | (6) The length of time for which the entity or | individual may hold the covered information. | (7) A list of any subcontractors to whom covered |
| information may be disclosed under Section 15 or a link to | a page on the operator's website that clearly lists that | information. | If mutually agreed upon by the State Board and the | operator, provisions of a contract or written agreement, other | than those pertaining to paragraphs (1) through (7), may be | redacted on the State Board's website. | (d) The State Board shall create, publish, and make | publicly available an inventory, along with a dictionary or | index of data elements and their definitions, of covered | information collected or maintained by the State Board, | including, but not limited to, both of the following: | (1) Covered information that schools are required to | report to the State Board by State or federal law. | (2) Covered information in the State longitudinal data | system or any data warehouse used by the State Board to | populate the longitudinal data system. | The inventory shall make clear for what purposes the State | Board uses the covered information. | (e) The State Board shall develop, publish, and make | publicly available, for the benefit of schools, model student | data privacy policies and procedures that comply with relevant | State and federal law, including, but not limited to, a model | notice that schools must use to provide notice to parents and | students about operators. The notice must state, in general | terms, the types of student data that are collected by the |
| schools and shared with operators under this Act and the | purposes of collecting and using the student data. After | creation of the notice under this subsection, a school shall, | at the beginning of each school year, provide the notice to | parents by the same means generally used to send notices to | them. This subsection does not apply to nonpublic schools.
| (105 ILCS 85/30)
| Sec. 30. Applicability. This Act does not do any of the | following: | (1) Limit the authority of a law enforcement agency to | obtain any content or information from an operator as | authorized by law or under a court order. | (2) Limit the ability of an operator to use student | data, including covered information, for adaptive learning | or customized student learning purposes. | (3) Apply to general audience Internet websites, | general audience online services, general audience online | applications, or general audience mobile applications, | even if login credentials created for an operator's site, | service, or application may be used to access those general | audience sites, services, or applications. | (4) Limit service providers from providing Internet | connectivity to schools or students and their families. | (5) Prohibit an operator of an Internet website, online | service, online application, or mobile application from |
| marketing educational products directly to parents if the | marketing did not result from the use of covered | information obtained by the operator through the provision | of services covered under this Act. | (6) Impose a duty upon a provider of an electronic | store, gateway, marketplace, or other means of purchasing | or downloading software or applications to review or | enforce compliance with this Act on those applications or | software. | (7) Impose a duty upon a provider of an interactive | computer service to review or enforce compliance with this | Act by third-party content providers. | (8) Prohibit students from downloading, exporting, | transferring, saving, or maintaining their own student | data or documents. | (9) Supersede the federal Family Educational Rights | and Privacy Act of 1974, or rules adopted pursuant to that | Act or the Illinois School Student Records Act, or any | rules adopted pursuant to those Acts.
| (10) Prohibit an operator or school from producing and | distributing, free or for consideration, student class | photos and yearbooks to the school, students, parents, or | individuals authorized by parents and to no others, in | accordance with the terms of a written agreement between | the operator and the school. | (Source: P.A. 100-315, eff. 8-24-17.)
|
| (105 ILCS 85/33 new) | Sec. 33. Parent and student rights. | (a) A student's covered information shall be collected only | for K through 12 school purposes and not further processed in a | manner that is incompatible with those purposes. | (b) A student's covered information shall only be adequate, | relevant, and limited to what is necessary in relation to the K | through 12 school purposes for which it is processed. | (c) Except for a parent of a student enrolled in a | nonpublic school, the parent of a student enrolled in a school | has the right to all of the following: | (1) Inspect and review the student's covered | information, regardless of whether it is maintained by the | school, the State Board, or an operator. | (2) Request from a school a paper or electronic copy of | the student's covered information, including covered | information maintained by an operator or the State Board. | If a parent requests an electronic copy of the student's | covered information under this paragraph, the school must | provide an electronic copy of that information, unless the | school does not maintain the information in an electronic | format and reproducing the information in an electronic | format would be unduly burdensome to the school. If a | parent requests a paper copy of the student's covered | information, the school may charge the parent the |
| reasonable cost for copying the information in an amount | not to exceed the amount fixed in a schedule adopted by the | State Board, except that no parent may be denied a copy of | the information due to the parent's inability to bear the | cost of the copying. The State Board must adopt rules on | the methodology and frequency of requests under this | paragraph. | (3) Request corrections of factual inaccuracies | contained in the student's covered information. After | receiving a request for corrections and determining that a | factual inaccuracy exists, a school must do either of the | following: | (A) If the school maintains or possesses the | covered information that contains the factual | inaccuracy, correct the factual inaccuracy and confirm | the correction with the parent within 90 calendar days | after receiving the parent's request. | (B) If the operator or State Board maintains or | possesses the covered information that contains the | factual inaccuracy, notify the operator or the State | Board of the correction. The operator or the State | Board must correct the factual inaccuracy and confirm | the correction with the school within 90 calendar days | after receiving the notice. Within 10 business days | after receiving confirmation of the correction from | the operator or State Board, the school must confirm |
| the correction with the parent. | (d) Nothing in this Section shall be construed to limit the | rights granted to parents and students under the Illinois | School Student Records Act or the federal Family Educational | Rights and Privacy Act of 1974.
| Section 99. Effective date. This Act takes effect July 1, | 2021. |
Effective Date: 7/1/2021
|
|
|
|
Translate
