Sen. James F. Clayborne, Jr.

Filed: 5/2/2017

 

 


 

 


 
10000SB0444sam001LRB100 04884 MLM 25745 a

1
AMENDMENT TO SENATE BILL 444

2    AMENDMENT NO. ______. Amend Senate Bill 444 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the
5Student Online Personal Protection Act.
 
6    Section 3. Legislative intent. Schools today are
7increasingly using a wide range of beneficial online services
8and other technologies to help students learn, but concerns
9have been raised about whether sufficient safeguards exist to
10protect the privacy and security of data about students when it
11is collected by educational technology companies. This Act is
12intended to ensure that student data will be protected when it
13is collected by educational technology companies and that the
14data may be used for beneficial purposes such as providing
15personalized learning and innovative educational technologies.
 

 

 

10000SB0444sam001- 2 -LRB100 04884 MLM 25745 a

1    Section 5. Definitions. In this Act:
2    "Covered information" means personally identifiable
3information or material or information that is linked to
4personally identifiable information or material in any media or
5format that is not publicly available and is any of the
6following:
7        (1) Created by or provided to an operator by a student
8    or the student's parent or legal guardian in the course of
9    the student's, parent's, or legal guardian's use of the
10    operator's site, service, or application for K through 12
11    school purposes.
12        (2) Created by or provided to an operator by an
13    employee or agent of a school or school district for K
14    through 12 school purposes.
15        (3) Gathered by an operator through the operation of
16    its site, service, or application for K through 12 school
17    purposes and personally identifies a student, including,
18    but not limited to, information in the student's
19    educational record or electronic mail, first and last name,
20    home address, telephone number, electronic mail address,
21    or other information that allows physical or online
22    contact, discipline records, test results, special
23    education data, juvenile dependency records, grades,
24    evaluations, criminal records, medical records, health
25    records, a social security number, biometric information,
26    disabilities, socioeconomic information, food purchases,

 

 

10000SB0444sam001- 3 -LRB100 04884 MLM 25745 a

1    political affiliations, religious information, text
2    messages, documents, student identifiers, search activity,
3    photos, voice recordings, or geolocation information.
4    "Interactive computer service" has the meaning ascribed to
5that term in Section 230 of the federal Communications Decency
6Act of 1996 (47 U.S.C. 230).
7    "K through 12 school purposes" means purposes that are
8directed by or that customarily take place at the direction of
9a school, teacher, or school district; aid in the
10administration of school activities, including, but not
11limited to, instruction in the classroom or at home,
12administrative activities, and collaboration between students,
13school personnel, or parents; or are otherwise for the use and
14benefit of the school.
15    "Operator" means, to the extent that an entity is operating
16in this capacity, the operator of an Internet website, online
17service, online application, or mobile application with actual
18knowledge that the site, service, or application is used
19primarily for K through 12 school purposes and was designed and
20marketed for K through 12 school purposes.
21    "School" means (1) any preschool, public kindergarten,
22elementary or secondary educational institution, vocational
23school, special educational facility, or any other elementary
24or secondary educational agency or institution or (2) any
25person, agency, or institution that maintains school student
26records from more than one school. "School" includes a private

 

 

10000SB0444sam001- 4 -LRB100 04884 MLM 25745 a

1or nonpublic school.
2    "Targeted advertising" means presenting advertisements to
3a student where the advertisement is selected based on
4information obtained or inferred over time from that student's
5online behavior, usage of applications, or covered
6information. The term does not include advertising to a student
7at an online location based upon that student's current visit
8to that location or in response to that student's request for
9information or feedback, without the retention of that
10student's online activities or requests over time for the
11purpose of targeting subsequent ads.
 
12    Section 10. Operator prohibitions. An operator shall not
13knowingly do any of the following:
14        (1) Engage in targeted advertising on the operator's
15    site, service, or application or target advertising on any
16    other site, service, or application if the targeting of the
17    advertising is based on any information, including covered
18    information and persistent unique identifiers, that the
19    operator has acquired because of the use of that operator's
20    site, service, or application for K through 12 school
21    purposes.
22        (2) Use information, including persistent unique
23    identifiers, created or gathered by the operator's site,
24    service, or application to amass a profile about a student,
25    except in furtherance of K through 12 school purposes.

 

 

10000SB0444sam001- 5 -LRB100 04884 MLM 25745 a

1    "Amass a profile" does not include the collection and
2    retention of account information that remains under the
3    control of the student, the student's parent or legal
4    guardian, or the school.
5        (3) Sell or rent a student's information, including
6    covered information. This subdivision (3) does not apply to
7    the purchase, merger, or other type of acquisition of an
8    operator by another entity if the operator or successor
9    entity complies with this Act regarding previously
10    acquired student information.
11        (4) Except as otherwise provided in Section 20 of this
12    Act, disclose covered information, unless the disclosure
13    is made for the following purposes:
14            (A) In furtherance of the K through 12 school
15        purposes of the site, service, or application if the
16        recipient of the covered information disclosed under
17        this clause (A) does not further disclose the
18        information, unless done to allow or improve
19        operability and functionality of the operator's site,
20        service, or application.
21            (B) To ensure legal and regulatory compliance or
22        take precautions against liability.
23            (C) To respond to the judicial process.
24            (D) To protect the safety or integrity of users of
25        the site or others or the security of the site,
26        service, or application.

 

 

10000SB0444sam001- 6 -LRB100 04884 MLM 25745 a

1            (E) For a school, educational, or employment
2        purpose requested by the student or the student's
3        parent or legal guardian, provided that the
4        information is not used or further disclosed for any
5        other purpose.
6            (F) To a third party if the operator contractually
7        prohibits the third party from using any covered
8        information for any purpose other than providing the
9        contracted service to or on behalf of the operator,
10        prohibits the third party from disclosing any covered
11        information provided by the operator with subsequent
12        third parties, and requires the third party to
13        implement and maintain reasonable security procedures
14        and practices.
15    Nothing in this Section prohibits the operator's use of
16information for maintaining, developing, supporting,
17improving, or diagnosing the operator's site, service, or
18application.
 
19    Section 15. Operator duties. An operator shall do the
20following:
21        (1) Implement and maintain reasonable security
22    procedures and practices appropriate to the nature of the
23    covered information and designed to protect that covered
24    information from unauthorized access, destruction, use,
25    modification, or disclosure.

 

 

10000SB0444sam001- 7 -LRB100 04884 MLM 25745 a

1        (2) Delete, within a reasonable time period, a
2    student's covered information if the school or school
3    district requests deletion of covered information under
4    the control of the school or school district, unless a
5    student or his or her parent or legal guardian consents to
6    the maintenance of the covered information.
7        (3) Publicly disclose material information about its
8    collection, use, and disclosure of covered information,
9    including, but not limited to, publishing a terms of
10    service agreement, privacy policy, or similar document.
 
11    Section 20. Permissive use or disclosure.
12    (a) An operator may use or disclose covered information of
13a student under the following circumstances:
14        (1) If other provisions of federal or State law require
15    the operator to disclose the information, and the operator
16    complies with the requirements of federal and State law in
17    protecting and disclosing that information.
18        (2) For legitimate research purposes as required by
19    State or federal law and subject to the restrictions under
20    applicable State and federal law or as allowed by State or
21    federal law and under the direction of a school, school
22    district, or the State Board of Education if the covered
23    information is not used for advertising or to amass a
24    profile on the student for purposes other than for K
25    through 12 school purposes.

 

 

10000SB0444sam001- 8 -LRB100 04884 MLM 25745 a

1        (3) To a State or local educational agency, including
2    schools and school districts, for K through 12 school
3    purposes, as permitted by State or federal law.
4        (4) For the purpose of identifying or displaying
5    information to the student about or facilitating the
6    connection of the student with a not-for-profit
7    institution of higher education or a scholarship
8    opportunity. Information under this paragraph (4) may be
9    disclosed only if the operator has first obtained the
10    express written consent of the student's parent or legal
11    guardian or, if the student is 18 years old or older or is
12    an emancipated minor, the student. For the purposes of this
13    paragraph (4), express written consent may be obtained as a
14    response to the annual notice required under 34 CFR 99.7
15    and is not required to be in addition to consent given in
16    response to that annual notice.
17    (b) A school may use or disclose covered information of a
18student for the purpose of identifying or displaying
19information to the student about or facilitating the connection
20of the student with a not-for-profit institution of higher
21education or a scholarship opportunity. Information under this
22subsection (b) may be disclosed only if the operator has first
23obtained the express written consent of the student's parent or
24legal guardian or, if the student is 18 years old or older or
25is an emancipated minor, the student. For the purposes of this
26subsection (b), express written consent may be obtained as a

 

 

10000SB0444sam001- 9 -LRB100 04884 MLM 25745 a

1response to the annual notice required under 34 CFR 99.7 and is
2not required to be in addition to consent given in response to
3that annual notice.
 
4    Section 25. Operator actions that are not prohibited. This
5Act does not prohibit an operator from doing any of the
6following:
7        (1) Using covered information to improve educational
8    products if that information is not associated with an
9    identified student within the operator's site, service, or
10    application or other sites, services, or applications
11    owned by the operator.
12        (2) Using covered information that is not associated
13    with an identified student to demonstrate the
14    effectiveness of the operator's products or services,
15    including in their marketing.
16        (3) Sharing covered information that is not associated
17    with an identified student for the development and
18    improvement of educational sites, services, or
19    applications.
20        (4) Using recommendation engines to recommend to a
21    student either of the following:
22            (A) Additional content relating to an educational,
23        other learning, or employment opportunity purpose
24        within an online site, service, or application if the
25        recommendation is not determined in whole or in part by

 

 

10000SB0444sam001- 10 -LRB100 04884 MLM 25745 a

1        payment or other consideration from a third party.
2            (B) Additional services relating to an
3        educational, other learning, or employment opportunity
4        purpose within an online site, service, or application
5        if the recommendation is not determined in whole or in
6        part by payment or other consideration from a third
7        party.
8        (5) Responding to a student's request for information
9    or for feedback without the information or response being
10    determined in whole or in part by payment or other
11    consideration from a third party.
 
12    Section 30. Applicability. This Act does not do any of the
13following:
14        (1) Limit the authority of a law enforcement agency to
15    obtain any content or information from an operator as
16    authorized by law or under a court order.
17        (2) Limit the ability of an operator to use student
18    data, including covered information, for adaptive learning
19    or customized student learning purposes.
20        (3) Apply to general audience Internet websites,
21    general audience online services, general audience online
22    applications, or general audience mobile applications,
23    even if login credentials created for an operator's site,
24    service, or application may be used to access those general
25    audience sites, services, or applications.

 

 

10000SB0444sam001- 11 -LRB100 04884 MLM 25745 a

1        (4) Limit service providers from providing Internet
2    connectivity to schools or students and their families.
3        (5) Prohibit an operator of an Internet website, online
4    service, online application, or mobile application from
5    marketing educational products directly to parents if the
6    marketing did not result from the use of covered
7    information obtained by the operator through the provision
8    of services covered under this Act.
9        (6) Impose a duty upon a provider of an electronic
10    store, gateway, marketplace, or other means of purchasing
11    or downloading software or applications to review or
12    enforce compliance with this Act on those applications or
13    software.
14        (7) Impose a duty upon a provider of an interactive
15    computer service to review or enforce compliance with this
16    Act by third-party content providers.
17        (8) Prohibit students from downloading, exporting,
18    transferring, saving, or maintaining their own student
19    data or documents.
20        (9) Supersede the federal Family Educational Rights
21    and Privacy Act of 1974 or rules adopted pursuant to that
22    Act or the Illinois School Student Records Act.
 
23    Section 35. Enforcement. Violations of this Act shall
24constitute unlawful practices for which the Attorney General
25may take appropriate action under the Consumer Fraud and

 

 

10000SB0444sam001- 12 -LRB100 04884 MLM 25745 a

1Deceptive Business Practices Act.
 
2    Section 40. Severability. The provisions of this Act are
3severable under Section 1.31 of the Statute on Statutes.
 
4    Section 50. The Consumer Fraud and Deceptive Business
5Practices Act is amended by changing Section 2Z as follows:
 
6    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
7    Sec. 2Z. Violations of other Acts. Any person who knowingly
8violates the Automotive Repair Act, the Automotive Collision
9Repair Act, the Home Repair and Remodeling Act, the Dance
10Studio Act, the Physical Fitness Services Act, the Hearing
11Instrument Consumer Protection Act, the Illinois Union Label
12Act, the Job Referral and Job Listing Services Consumer
13Protection Act, the Travel Promotion Consumer Protection Act,
14the Credit Services Organizations Act, the Automatic Telephone
15Dialers Act, the Pay-Per-Call Services Consumer Protection
16Act, the Telephone Solicitations Act, the Illinois Funeral or
17Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care
18Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales
19Act, the High Risk Home Loan Act, the Payday Loan Reform Act,
20the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section
213-10 of the Cigarette Tax Act, subsection (a) or (b) of Section
223-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the
23Internet Caller Identification Act, paragraph (6) of

 

 

10000SB0444sam001- 13 -LRB100 04884 MLM 25745 a

1subsection (k) of Section 6-305 of the Illinois Vehicle Code,
2Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150,
3or 18d-153 of the Illinois Vehicle Code, Article 3 of the
4Residential Real Property Disclosure Act, the Automatic
5Contract Renewal Act, the Reverse Mortgage Act, Section 25 of
6the Youth Mental Health Protection Act, or the Personal
7Information Protection Act, or the Student Online Personal
8Protection Act commits an unlawful practice within the meaning
9of this Act.
10(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642,
11eff. 7-28-16.)
 
12    Section 99. Effective date. This Act takes effect upon
13becoming law.".