|
| | 10000SB0444sam001 | - 2 - | LRB100 04884 MLM 25745 a |
|
|
1 | | Section 5. Definitions. In this Act: |
2 | | "Covered information" means personally identifiable |
3 | | information or material or information that is linked to |
4 | | personally identifiable information or material in any media or |
5 | | format that is not publicly available and is any of the |
6 | | following: |
7 | | (1) Created by or provided to an operator by a student |
8 | | or the student's parent or legal guardian in the course of |
9 | | the student's, parent's, or legal guardian's use of the |
10 | | operator's site, service, or application for K through 12 |
11 | | school purposes. |
12 | | (2) Created by or provided to an operator by an |
13 | | employee or agent of a school or school district for K |
14 | | through 12 school purposes. |
15 | | (3) Gathered by an operator through the operation of |
16 | | its site, service, or application for K through 12 school |
17 | | purposes and personally identifies a student, including, |
18 | | but not limited to, information in the student's |
19 | | educational record or electronic mail, first and last name, |
20 | | home address, telephone number, electronic mail address, |
21 | | or other information that allows physical or online |
22 | | contact, discipline records, test results, special |
23 | | education data, juvenile dependency records, grades, |
24 | | evaluations, criminal records, medical records, health |
25 | | records, a social security number, biometric information, |
26 | | disabilities, socioeconomic information, food purchases, |
|
| | 10000SB0444sam001 | - 3 - | LRB100 04884 MLM 25745 a |
|
|
1 | | political affiliations, religious information, text |
2 | | messages, documents, student identifiers, search activity, |
3 | | photos, voice recordings, or geolocation information. |
4 | | "Interactive computer service" has the meaning ascribed to |
5 | | that term in Section 230 of the federal Communications Decency |
6 | | Act of 1996 (47 U.S.C. 230). |
7 | | "K through 12 school purposes" means purposes that are |
8 | | directed by or that customarily take place at the direction of |
9 | | a school, teacher, or school district; aid in the |
10 | | administration of school activities, including, but not |
11 | | limited to, instruction in the classroom or at home, |
12 | | administrative activities, and collaboration between students, |
13 | | school personnel, or parents; or are otherwise for the use and |
14 | | benefit of the school. |
15 | | "Operator" means, to the extent that an entity is operating |
16 | | in this capacity, the operator of an Internet website, online |
17 | | service, online application, or mobile application with actual |
18 | | knowledge that the site, service, or application is used |
19 | | primarily for K through 12 school purposes and was designed and |
20 | | marketed for K through 12 school purposes. |
21 | | "School" means (1) any preschool, public kindergarten, |
22 | | elementary or secondary educational institution, vocational |
23 | | school, special educational facility, or any other elementary |
24 | | or secondary educational agency or institution or (2) any |
25 | | person, agency, or institution that maintains school student |
26 | | records from more than one school. "School" includes a private |
|
| | 10000SB0444sam001 | - 4 - | LRB100 04884 MLM 25745 a |
|
|
1 | | or nonpublic school. |
2 | | "Targeted advertising" means presenting advertisements to |
3 | | a student where the advertisement is selected based on |
4 | | information obtained or inferred over time from that student's |
5 | | online behavior, usage of applications, or covered |
6 | | information. The term does not include advertising to a student |
7 | | at an online location based upon that student's current visit |
8 | | to that location or in response to that student's request for |
9 | | information or feedback, without the retention of that |
10 | | student's online activities or requests over time for the |
11 | | purpose of targeting subsequent ads. |
12 | | Section 10. Operator prohibitions. An operator shall not |
13 | | knowingly do any of the following: |
14 | | (1) Engage in targeted advertising on the operator's |
15 | | site, service, or application or target advertising on any |
16 | | other site, service, or application if the targeting of the |
17 | | advertising is based on any information, including covered |
18 | | information and persistent unique identifiers, that the |
19 | | operator has acquired because of the use of that operator's |
20 | | site, service, or application for K through 12 school |
21 | | purposes. |
22 | | (2) Use information, including persistent unique |
23 | | identifiers, created or gathered by the operator's site, |
24 | | service, or application to amass a profile about a student, |
25 | | except in furtherance of K through 12 school purposes. |
|
| | 10000SB0444sam001 | - 5 - | LRB100 04884 MLM 25745 a |
|
|
1 | | "Amass a profile" does not include the collection and |
2 | | retention of account information that remains under the |
3 | | control of the student, the student's parent or legal |
4 | | guardian, or the school. |
5 | | (3) Sell or rent a student's information, including |
6 | | covered information. This subdivision (3) does not apply to |
7 | | the purchase, merger, or other type of acquisition of an |
8 | | operator by another entity if the operator or successor |
9 | | entity complies with this Act regarding previously |
10 | | acquired student information. |
11 | | (4) Except as otherwise provided in Section 20 of this |
12 | | Act, disclose covered information, unless the disclosure |
13 | | is made for the following purposes: |
14 | | (A) In furtherance of the K through 12 school |
15 | | purposes of the site, service, or application if the |
16 | | recipient of the covered information disclosed under |
17 | | this clause (A) does not further disclose the |
18 | | information, unless done to allow or improve |
19 | | operability and functionality of the operator's site, |
20 | | service, or application. |
21 | | (B) To ensure legal and regulatory compliance or |
22 | | take precautions
against liability. |
23 | | (C) To respond to the judicial process. |
24 | | (D) To protect the safety or integrity of users of |
25 | | the site or others or the security of the site, |
26 | | service, or application. |
|
| | 10000SB0444sam001 | - 6 - | LRB100 04884 MLM 25745 a |
|
|
1 | | (E) For a school, educational, or employment |
2 | | purpose requested by the student or the student's |
3 | | parent or legal guardian, provided that the |
4 | | information is not used or further disclosed for any |
5 | | other purpose. |
6 | | (F) To a third party if the operator contractually |
7 | | prohibits the third party from using any covered |
8 | | information for any purpose other than providing the |
9 | | contracted service to or on behalf of the operator, |
10 | | prohibits the third party from disclosing any covered |
11 | | information provided by the operator with subsequent |
12 | | third parties, and requires the third party to |
13 | | implement and maintain reasonable security procedures |
14 | | and practices. |
15 | | Nothing in this Section prohibits the operator's use of |
16 | | information for maintaining, developing, supporting, |
17 | | improving, or diagnosing the operator's site, service, or |
18 | | application. |
19 | | Section 15. Operator duties. An operator shall do the |
20 | | following: |
21 | | (1) Implement and maintain reasonable security |
22 | | procedures and practices appropriate to the nature of the |
23 | | covered information and designed to protect that covered |
24 | | information from unauthorized access, destruction, use, |
25 | | modification, or disclosure. |
|
| | 10000SB0444sam001 | - 7 - | LRB100 04884 MLM 25745 a |
|
|
1 | | (2) Delete, within a reasonable time period, a |
2 | | student's covered information if the school or school |
3 | | district requests deletion of covered information under |
4 | | the control of the school or school district, unless a |
5 | | student or his or her parent or legal guardian consents to |
6 | | the maintenance of the covered information. |
7 | | (3) Publicly disclose material information about its |
8 | | collection, use, and disclosure of covered information, |
9 | | including, but not limited to, publishing a terms of |
10 | | service agreement, privacy policy, or similar document. |
11 | | Section 20. Permissive use or disclosure. |
12 | | (a) An operator may use or disclose covered information of |
13 | | a student under the following circumstances: |
14 | | (1) If other provisions of federal or State law require |
15 | | the operator to disclose the information, and the operator |
16 | | complies with the requirements of federal and State law in |
17 | | protecting and disclosing that information. |
18 | | (2) For legitimate research purposes as required by |
19 | | State or federal law and subject to the restrictions under |
20 | | applicable State and federal law or as allowed by State or |
21 | | federal law and under the direction of a school, school |
22 | | district, or the State Board of Education if the covered |
23 | | information is not used for advertising or to amass a |
24 | | profile on the student for purposes other than for K |
25 | | through 12 school purposes. |
|
| | 10000SB0444sam001 | - 8 - | LRB100 04884 MLM 25745 a |
|
|
1 | | (3) To a State or local educational agency, including |
2 | | schools and school districts, for K through 12 school |
3 | | purposes, as permitted by State or federal law. |
4 | | (4) For the purpose of identifying or displaying |
5 | | information to the student about or facilitating the |
6 | | connection of the student with a not-for-profit |
7 | | institution of higher education or a scholarship |
8 | | opportunity. Information under this paragraph (4) may be |
9 | | disclosed only if the operator has first obtained the |
10 | | express written consent of the student's parent or legal |
11 | | guardian or, if the student is 18 years old or older or is |
12 | | an emancipated minor, the student. For the purposes of this |
13 | | paragraph (4), express written consent may be obtained as a |
14 | | response to the annual notice required under 34 CFR 99.7 |
15 | | and is not required to be in addition to consent given in |
16 | | response to that annual notice. |
17 | | (b) A school may use or disclose covered information of a |
18 | | student for the purpose of identifying or displaying |
19 | | information to the student about or facilitating the connection |
20 | | of the student with a not-for-profit institution of higher |
21 | | education or a scholarship opportunity. Information under this |
22 | | subsection (b) may be disclosed only if the operator has first |
23 | | obtained the express written consent of the student's parent or |
24 | | legal guardian or, if the student is 18 years old or older or |
25 | | is an emancipated minor, the student. For the purposes of this |
26 | | subsection (b), express written consent may be obtained as a |
|
| | 10000SB0444sam001 | - 9 - | LRB100 04884 MLM 25745 a |
|
|
1 | | response to the annual notice required under 34 CFR 99.7 and is |
2 | | not required to be in addition to consent given in response to |
3 | | that annual notice. |
4 | | Section 25. Operator actions that are not prohibited. This |
5 | | Act does not prohibit an operator from doing any of the |
6 | | following: |
7 | | (1) Using covered information to improve educational |
8 | | products if that information is not associated with an |
9 | | identified student within the operator's site, service, or |
10 | | application or other sites, services, or applications |
11 | | owned by the operator. |
12 | | (2) Using covered information that is not associated |
13 | | with an identified student to demonstrate the |
14 | | effectiveness of the operator's products or services, |
15 | | including in their marketing. |
16 | | (3) Sharing covered information that is not associated |
17 | | with an identified student for the development and |
18 | | improvement of educational sites, services, or |
19 | | applications. |
20 | | (4) Using recommendation engines to recommend to a |
21 | | student either of the following: |
22 | | (A) Additional content relating to an educational, |
23 | | other learning, or employment opportunity purpose |
24 | | within an online site, service, or application if the |
25 | | recommendation is not determined in whole or in part by |
|
| | 10000SB0444sam001 | - 10 - | LRB100 04884 MLM 25745 a |
|
|
1 | | payment or other consideration from a third party. |
2 | | (B) Additional services relating to an |
3 | | educational, other learning, or employment opportunity |
4 | | purpose within an online site, service, or application |
5 | | if the recommendation is not determined in whole or in |
6 | | part by payment or other consideration from a third |
7 | | party. |
8 | | (5) Responding to a student's request for information |
9 | | or for feedback without the information or response being |
10 | | determined in whole or in part by payment or other |
11 | | consideration from a third party. |
12 | | Section 30. Applicability. This Act does not do any of the |
13 | | following: |
14 | | (1) Limit the authority of a law enforcement agency to |
15 | | obtain any content or information from an operator as |
16 | | authorized by law or under a court order. |
17 | | (2) Limit the ability of an operator to use student |
18 | | data, including covered information, for adaptive learning |
19 | | or customized student learning purposes. |
20 | | (3) Apply to general audience Internet websites, |
21 | | general audience online services, general audience online |
22 | | applications, or general audience mobile applications, |
23 | | even if login credentials created for an operator's site, |
24 | | service, or application may be used to access those general |
25 | | audience sites, services, or applications. |
|
| | 10000SB0444sam001 | - 11 - | LRB100 04884 MLM 25745 a |
|
|
1 | | (4) Limit service providers from providing Internet |
2 | | connectivity to schools or students and their families. |
3 | | (5) Prohibit an operator of an Internet website, online |
4 | | service, online application, or mobile application from |
5 | | marketing educational products directly to parents if the |
6 | | marketing did not result from the use of covered |
7 | | information obtained by the operator through the provision |
8 | | of services covered under this Act. |
9 | | (6) Impose a duty upon a provider of an electronic |
10 | | store, gateway, marketplace, or other means of purchasing |
11 | | or downloading software or applications to review or |
12 | | enforce compliance with this Act on those applications or |
13 | | software. |
14 | | (7) Impose a duty upon a provider of an interactive |
15 | | computer service to review or enforce compliance with this |
16 | | Act by third-party content providers. |
17 | | (8) Prohibit students from downloading, exporting, |
18 | | transferring, saving, or maintaining their own student |
19 | | data or documents. |
20 | | (9) Supersede the federal Family Educational Rights |
21 | | and Privacy Act of 1974 or rules adopted pursuant to that |
22 | | Act or the Illinois School Student Records Act. |
23 | | Section 35. Enforcement. Violations of this Act shall |
24 | | constitute unlawful practices for which the Attorney General |
25 | | may take appropriate action under the Consumer Fraud and |
|
| | 10000SB0444sam001 | - 12 - | LRB100 04884 MLM 25745 a |
|
|
1 | | Deceptive Business Practices Act. |
2 | | Section 40. Severability. The provisions of this Act are |
3 | | severable under Section 1.31 of the Statute on Statutes. |
4 | | Section 50. The Consumer Fraud and Deceptive Business |
5 | | Practices Act is amended by changing Section 2Z as follows:
|
6 | | (815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
|
7 | | Sec. 2Z. Violations of other Acts. Any person who knowingly |
8 | | violates
the Automotive Repair Act, the Automotive Collision |
9 | | Repair Act,
the Home Repair and Remodeling Act,
the Dance |
10 | | Studio Act,
the Physical Fitness Services Act,
the Hearing |
11 | | Instrument Consumer Protection Act,
the Illinois Union Label |
12 | | Act,
the Job Referral and Job Listing Services Consumer |
13 | | Protection Act,
the Travel Promotion Consumer Protection Act,
|
14 | | the Credit Services Organizations Act,
the Automatic Telephone |
15 | | Dialers Act,
the Pay-Per-Call Services Consumer Protection |
16 | | Act,
the Telephone Solicitations Act,
the Illinois Funeral or |
17 | | Burial Funds Act,
the Cemetery Oversight Act, the Cemetery Care |
18 | | Act,
the Safe and Hygienic Bed Act,
the Pre-Need Cemetery Sales |
19 | | Act,
the High Risk Home Loan Act, the Payday Loan Reform Act, |
20 | | the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section |
21 | | 3-10 of the
Cigarette Tax Act, subsection
(a) or (b) of Section |
22 | | 3-10 of the Cigarette Use Tax Act, the Electronic
Mail Act, the |
23 | | Internet Caller Identification Act, paragraph (6)
of
|
|
| | 10000SB0444sam001 | - 13 - | LRB100 04884 MLM 25745 a |
|
|
1 | | subsection (k) of Section 6-305 of the Illinois Vehicle Code, |
2 | | Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150, |
3 | | or 18d-153 of the Illinois Vehicle Code, Article 3 of the |
4 | | Residential Real Property Disclosure Act, the Automatic |
5 | | Contract Renewal Act, the Reverse Mortgage Act, Section 25 of |
6 | | the Youth Mental Health Protection Act, or the Personal |
7 | | Information Protection Act , or the Student Online Personal |
8 | | Protection Act commits an unlawful practice within the meaning |
9 | | of this Act.
|
10 | | (Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642, |
11 | | eff. 7-28-16.) |
12 | | Section 99. Effective date. This Act takes effect upon |
13 | | becoming law.".
|