|
Sen. Omar Aquino
Filed: 5/17/2019
| | 10100HB3606sam003 | | LRB101 09053 AXK 60836 a |
|
|
1 | | AMENDMENT TO HOUSE BILL 3606
|
2 | | AMENDMENT NO. ______. Amend House Bill 3606, AS AMENDED, by |
3 | | replacing everything after the enacting clause with the |
4 | | following:
|
5 | | "Section 5. The Student Online Personal Protection Act is |
6 | | amended by changing Sections 5, 10, 15, and 30 and by adding |
7 | | Sections 26, 27, 28, and 33 as follows: |
8 | | (105 ILCS 85/5)
|
9 | | Sec. 5. Definitions. In this Act: |
10 | | "Breach" means the unauthorized acquisition of |
11 | | computerized data that compromises the security, |
12 | | confidentiality, or integrity of covered information |
13 | | maintained by an operator or school. "Breach" does not include |
14 | | the good faith acquisition of personal information by an |
15 | | employee or agent of an operator or school for a legitimate |
16 | | purpose of the operator or school if the covered information is |
|
| | 10100HB3606sam003 | - 2 - | LRB101 09053 AXK 60836 a |
|
|
1 | | not used for a purpose prohibited by this Act or subject to |
2 | | further unauthorized disclosure. |
3 | | "Covered information" means personally identifiable |
4 | | information or material or information that is linked to |
5 | | personally identifiable information or material in any media or |
6 | | format that is not publicly available and is any of the |
7 | | following: |
8 | | (1) Created by or provided to an operator by a student |
9 | | or the student's parent or legal guardian in the course of |
10 | | the student's or , parent's , or legal guardian's use of the |
11 | | operator's site, service, or application for K through 12 |
12 | | school purposes. |
13 | | (2) Created by or provided to an operator by an |
14 | | employee or agent of a school or school district for K |
15 | | through 12 school purposes. |
16 | | (3) Gathered by an operator through the operation of |
17 | | its site, service, or application for K through 12 school |
18 | | purposes and personally identifies a student, including, |
19 | | but not limited to, information in the student's |
20 | | educational record or electronic mail, first and last name, |
21 | | home address, telephone number, electronic mail address, |
22 | | or other information that allows physical or online |
23 | | contact, discipline records, test results, special |
24 | | education data, juvenile dependency records, grades, |
25 | | evaluations, criminal records, medical records, health |
26 | | records, a social security number, biometric information, |
|
| | 10100HB3606sam003 | - 3 - | LRB101 09053 AXK 60836 a |
|
|
1 | | disabilities, socioeconomic information, food purchases, |
2 | | political affiliations, religious information, text |
3 | | messages, documents, student identifiers, search activity, |
4 | | photos, voice recordings, or geolocation information. |
5 | | "Interactive computer service" has the meaning ascribed to |
6 | | that term in Section 230 of the federal Communications Decency |
7 | | Act of 1996 (47 U.S.C. 230). |
8 | | "K through 12 school purposes" means purposes that are |
9 | | directed by or that customarily take place at the direction of |
10 | | a school, teacher, or school district; aid in the |
11 | | administration of school activities, including, but not |
12 | | limited to, instruction in the classroom or at home, |
13 | | administrative activities, and collaboration between students, |
14 | | school personnel, or parents; or are otherwise for the use and |
15 | | benefit of the school. |
16 | | "Longitudinal data system" has the meaning given to that |
17 | | term under the P-20 Longitudinal Education Data System Act. |
18 | | "Operator" means, to the extent that an entity is operating |
19 | | in this capacity, the operator of an Internet website, online |
20 | | service, online application, or mobile application with actual |
21 | | knowledge that the site, service, or application is used |
22 | | primarily for K through 12 school purposes and was designed and |
23 | | marketed for K through 12 school purposes. |
24 | | "Parent" has the meaning given to that term under the |
25 | | Illinois School Student Records Act. |
26 | | "School" means (1) any preschool, public kindergarten, |
|
| | 10100HB3606sam003 | - 4 - | LRB101 09053 AXK 60836 a |
|
|
1 | | elementary or secondary educational institution, vocational |
2 | | school, special educational facility, or any other elementary |
3 | | or secondary educational agency or institution or (2) any |
4 | | person, agency, or institution that maintains school student |
5 | | records from more than one school. Except as otherwise provided |
6 | | in this Act, "school" "School" includes a private or nonpublic |
7 | | school. |
8 | | "State Board" means the State Board of Education. |
9 | | "Student" has the meaning given to that term under the |
10 | | Illinois School Student Records Act. |
11 | | "Targeted advertising" means presenting advertisements to |
12 | | a student where the advertisement is selected based on |
13 | | information obtained or inferred over time from that student's |
14 | | online behavior, usage of applications, or covered |
15 | | information. The term does not include advertising to a student |
16 | | at an online location based upon that student's current visit |
17 | | to that location or in response to that student's request for |
18 | | information or feedback, without the retention of that |
19 | | student's online activities or requests over time for the |
20 | | purpose of targeting subsequent ads.
|
21 | | (Source: P.A. 100-315, eff. 8-24-17.) |
22 | | (105 ILCS 85/10)
|
23 | | Sec. 10. Operator prohibitions. An operator shall not |
24 | | knowingly do any of the following: |
25 | | (1) Engage in targeted advertising on the operator's |
|
| | 10100HB3606sam003 | - 5 - | LRB101 09053 AXK 60836 a |
|
|
1 | | site, service, or application or target advertising on any |
2 | | other site, service, or application if the targeting of the |
3 | | advertising is based on any information, including covered |
4 | | information and persistent unique identifiers, that the |
5 | | operator has acquired because of the use of that operator's |
6 | | site, service, or application for K through 12 school |
7 | | purposes. |
8 | | (2) Use information, including persistent unique |
9 | | identifiers, created or gathered by the operator's site, |
10 | | service, or application to amass a profile about a student, |
11 | | except in furtherance of K through 12 school purposes. |
12 | | "Amass a profile" does not include the collection and |
13 | | retention of account information that remains under the |
14 | | control of the student, the student's parent or legal |
15 | | guardian , or the school. |
16 | | (3) Sell or rent a student's information, including |
17 | | covered information. This subdivision (3) does not apply to |
18 | | the purchase, merger, or other type of acquisition of an |
19 | | operator by another entity if the operator or successor |
20 | | entity complies with this Act regarding previously |
21 | | acquired student information. |
22 | | (4) Except as otherwise provided in Section 20 of this |
23 | | Act, disclose covered information, unless the disclosure |
24 | | is made for the following purposes: |
25 | | (A) In furtherance of the K through 12 school |
26 | | purposes of the site, service, or application if the |
|
| | 10100HB3606sam003 | - 6 - | LRB101 09053 AXK 60836 a |
|
|
1 | | recipient of the covered information disclosed under |
2 | | this clause (A) does not further disclose the |
3 | | information, unless done to allow or improve |
4 | | operability and functionality of the operator's site, |
5 | | service, or application. |
6 | | (B) To ensure legal and regulatory compliance or |
7 | | take precautions
against liability. |
8 | | (C) To respond to the judicial process. |
9 | | (D) To protect the safety or integrity of users of |
10 | | the site or others or the security of the site, |
11 | | service, or application. |
12 | | (E) For a school, educational, or employment |
13 | | purpose requested by the student or the student's |
14 | | parent or legal guardian , provided that the |
15 | | information is not used or further disclosed for any |
16 | | other purpose. |
17 | | (F) To a third party if the operator contractually |
18 | | prohibits the third party from using any covered |
19 | | information for any purpose other than providing the |
20 | | contracted service to or on behalf of the operator, |
21 | | prohibits the third party from disclosing any covered |
22 | | information provided by the operator with subsequent |
23 | | third parties, and requires the third party to |
24 | | implement and maintain reasonable security procedures |
25 | | and practices as required under Section 15 . |
26 | | Nothing in this Section prohibits the operator's use of |
|
| | 10100HB3606sam003 | - 7 - | LRB101 09053 AXK 60836 a |
|
|
1 | | information for maintaining, developing, supporting, |
2 | | improving, or diagnosing the operator's site, service, or |
3 | | application.
|
4 | | (Source: P.A. 100-315, eff. 8-24-17.) |
5 | | (105 ILCS 85/15)
|
6 | | Sec. 15. Operator duties. An operator shall do the |
7 | | following: |
8 | | (1) Implement and maintain reasonable security |
9 | | procedures and practices that otherwise meet or exceed |
10 | | industry standards appropriate to the nature of the covered |
11 | | information and designed to protect that covered |
12 | | information from unauthorized access, destruction, use, |
13 | | modification, or disclosure. |
14 | | (2) Delete, within a reasonable time period, a |
15 | | student's covered information if the school or school |
16 | | district requests deletion of covered information under |
17 | | the control of the school or school district, unless a |
18 | | student or his or her parent or legal guardian consents to |
19 | | the maintenance of the covered information. |
20 | | (3) Publicly disclose material information about its |
21 | | collection, use, and disclosure of covered information, |
22 | | including, but not limited to, publishing a terms of |
23 | | service agreement, privacy policy, or similar document. |
24 | | (4) Except for a nonpublic school, for any operator who |
25 | | seeks to receive from a school, school district, or the |
|
| | 10100HB3606sam003 | - 8 - | LRB101 09053 AXK 60836 a |
|
|
1 | | State Board in any manner any covered information, enter |
2 | | into a written agreement with the school, school district, |
3 | | or State Board before the covered information may be |
4 | | transferred. The written agreement may be created in |
5 | | electronic form and signed with an electronic or digital |
6 | | signature or may be a click wrap agreement that is used |
7 | | with software licenses, downloaded or online applications |
8 | | and transactions for educational technologies, or other |
9 | | technologies in which a user must agree to terms and |
10 | | conditions before using the product or service. Any written |
11 | | agreement entered into, amended, or renewed must contain |
12 | | all of the following: |
13 | | (A) A listing of the categories or types of covered |
14 | | information to be provided to the operator. |
15 | | (B) A statement of the product or service being |
16 | | provided to the school by the operator. |
17 | | (C) A statement that, pursuant to the federal |
18 | | Family Educational Rights and Privacy Act of 1974, the |
19 | | operator is acting as a school official with a |
20 | | legitimate educational interest, is performing an |
21 | | institutional service or function for which the school |
22 | | would otherwise use employees, under the direct |
23 | | control of the school, with respect to the use and |
24 | | maintenance of covered information, and is using the |
25 | | covered information only for an authorized purpose and |
26 | | may not re-disclose it to third parties or affiliates, |
|
| | 10100HB3606sam003 | - 9 - | LRB101 09053 AXK 60836 a |
|
|
1 | | unless otherwise permitted under this Act, without |
2 | | permission from the school or pursuant to court order. |
3 | | (D) A description of how, if a breach is attributed |
4 | | to the operator, any costs and expenses incurred by the |
5 | | school in investigating and remediating the breach |
6 | | will be allocated between the operator and the school. |
7 | | The costs and expenses may include, but are not limited |
8 | | to: |
9 | | (i) providing notification to the parents of |
10 | | those students whose covered information was |
11 | | compromised and to regulatory agencies or other |
12 | | entities as required by law or contract; |
13 | | (ii) providing credit monitoring to those |
14 | | students whose covered information was exposed in |
15 | | a manner during the breach that a reasonable person |
16 | | would believe that it could impact his or her |
17 | | credit or financial security; |
18 | | (iii) legal fees, audit costs, fines, and any |
19 | | other fees or damages imposed against the school as |
20 | | a result of the security breach; and |
21 | | (iv) providing any other notifications or |
22 | | fulfilling any other requirements adopted by the |
23 | | State Board or of any other State or federal laws. |
24 | | (E) A statement that the operator must delete or |
25 | | transfer to the school all covered information if the |
26 | | information is no longer needed for the purposes of the |
|
| | 10100HB3606sam003 | - 10 - | LRB101 09053 AXK 60836 a |
|
|
1 | | written agreement and to specify the time period in |
2 | | which the information must be deleted or transferred |
3 | | once the operator is made aware that the information is |
4 | | no longer needed for the purposes of the written |
5 | | agreement. |
6 | | (F) If the school maintains a website, a statement |
7 | | that the school must publish the written agreement on |
8 | | the school's website. If the school does not maintain a |
9 | | website, a statement that the school must make the |
10 | | written agreement available for inspection by the |
11 | | general public at its administrative office. If |
12 | | mutually agreed upon by the school and the operator, |
13 | | provisions of the written agreement, other than those |
14 | | under subparagraphs (A), (B), and (C), may be redacted |
15 | | in the copy of the written agreement published on the |
16 | | school's website or made available at its |
17 | | administrative office. |
18 | | (5) In case of any breach, within the most expedient |
19 | | time possible and without unreasonable delay, but no later |
20 | | than 30 calendar days after the determination that a breach |
21 | | has occurred, notify the school of any breach of the |
22 | | students' covered information.
|
23 | | (6) Except for a nonpublic school, provide to the |
24 | | school a list of any third parties or affiliates to whom |
25 | | the operator is currently disclosing covered information |
26 | | or has disclosed covered information. This list must, at a |
|
| | 10100HB3606sam003 | - 11 - | LRB101 09053 AXK 60836 a |
|
|
1 | | minimum, be updated and provided to the school by the |
2 | | beginning of each State fiscal year and at the beginning of |
3 | | each calendar year. |
4 | | (Source: P.A. 100-315, eff. 8-24-17.) |
5 | | (105 ILCS 85/26 new) |
6 | | Sec. 26. School prohibitions. A school may not do either of |
7 | | the following: |
8 | | (1) Sell, rent, lease, or trade covered information. |
9 | | (2) Share, transfer, disclose, or provide access to a |
10 | | student's covered information to an entity or individual, |
11 | | other than the student's parent, school personnel, |
12 | | appointed or elected school board members or local school |
13 | | council members, or the State Board, without a written |
14 | | agreement, unless the disclosure or transfer is: |
15 | | (A) to the extent permitted by State or federal |
16 | | law, to law enforcement officials to protect the safety |
17 | | of users or others or the security or integrity of the |
18 | | operator's service; |
19 | | (B) required by court order or State or federal |
20 | | law; or |
21 | | (C) to ensure legal or regulatory compliance. |
22 | | This paragraph (2) does not apply to nonpublic schools. |
23 | | (105 ILCS 85/27 new) |
24 | | Sec. 27. School duties. |
|
| | 10100HB3606sam003 | - 12 - | LRB101 09053 AXK 60836 a |
|
|
1 | | (a) Each school shall post and maintain on its website or, |
2 | | if the school does not maintain a website, make available for |
3 | | inspection by the general public at its administrative office |
4 | | all of the following information: |
5 | | (1) An explanation, that is clear and understandable by |
6 | | a layperson, of the data elements of covered information |
7 | | that the school collects, maintains, or discloses to any |
8 | | person, entity, third party, or governmental agency. The |
9 | | information must explain how the school uses, to whom or |
10 | | what entities it discloses, and for what purpose it |
11 | | discloses the covered information. |
12 | | (2) A list of operators that the school has written |
13 | | agreements with, a copy of each written agreement, and a |
14 | | business address for each operator. A copy of a written |
15 | | agreement posted or made available by a school under this |
16 | | paragraph may contain redactions, as provided under |
17 | | subparagraph (F) of paragraph (4) of Section 15. |
18 | | (3) For each operator, a list of any subcontractors to |
19 | | whom covered information may be disclosed or a link to a |
20 | | page on the operator's website that clearly lists that |
21 | | information, as provided by the operator to the school |
22 | | under paragraph (6) of Section 15. |
23 | | (4) A written description of the procedures that a |
24 | | parent may use to carry out the rights enumerated under |
25 | | Section 33. |
26 | | (5) A list of any breaches of covered information |
|
| | 10100HB3606sam003 | - 13 - | LRB101 09053 AXK 60836 a |
|
|
1 | | maintained by the school or breaches under Section 15 that |
2 | | includes, but is not limited to, all of the following |
3 | | information: |
4 | | (A) The number of students whose covered |
5 | | information is involved in the breach, unless |
6 | | disclosing that number would violate the provisions of |
7 | | the Personal Information Protection Act. |
8 | | (B) The date, estimated date, or estimated date |
9 | | range of the breach. |
10 | | (C) For a breach under Section 15, the name of the |
11 | | operator. |
12 | | The school may omit from the list required under this |
13 | | paragraph (5) (i) any breach in which, to the best of the |
14 | | school's knowledge at the time of updating the list, the |
15 | | number of students whose covered information is involved in |
16 | | the breach is less than 10% of the school's enrollment, |
17 | | (ii) any breach in which, at the time of posting the list, |
18 | | the school is not required to notify the parent of a |
19 | | student under subsection (d), (iii) any breach in which the |
20 | | date, estimated date, or estimated date range in which it |
21 | | occurred is earlier than July 1, 2021, or (iv) any breach |
22 | | previously posted on a list under this paragraph (5) no |
23 | | more than 5 years prior to the school updating the current |
24 | | list. |
25 | | The school must, at a minimum, update the items under |
26 | | paragraphs (1), (3), (4), and (5) no later than 30 calendar |
|
| | 10100HB3606sam003 | - 14 - | LRB101 09053 AXK 60836 a |
|
|
1 | | days following the start of a fiscal year and no later than 30 |
2 | | days following the beginning of a calendar year. |
3 | | (b) Each school must adopt a policy for designating which |
4 | | school employees are authorized to enter into written |
5 | | agreements with operators. This subsection may not be construed |
6 | | to limit individual school employees outside of the scope of |
7 | | their employment from entering into agreements with operators |
8 | | on their own behalf and for non-K through 12 school purposes, |
9 | | provided that no covered information is provided to the |
10 | | operators. Any agreement or contract entered into in violation |
11 | | of this Act is void and unenforceable as against public policy. |
12 | | (c) A school must post on its website or, if the school |
13 | | does not maintain a website, make available at its |
14 | | administrative office for inspection by the general public each |
15 | | written agreement entered into under this Act, along with any |
16 | | information required under subsection (a), no later than 10 |
17 | | business days after entering into the agreement. |
18 | | (d) After receipt of notice of a breach under Section 15 or |
19 | | determination of a breach of covered information maintained by |
20 | | the school, a school shall notify, no later than 30 calendar |
21 | | days after receipt of the notice or determination that a breach |
22 | | has occurred, the parent of any student whose covered |
23 | | information is involved in the breach. The notification must |
24 | | include, but is not limited to, all of the following: |
25 | | (1) The date, estimated date, or estimated date range |
26 | | of the breach. |
|
| | 10100HB3606sam003 | - 15 - | LRB101 09053 AXK 60836 a |
|
|
1 | | (2) A description of the covered information that was |
2 | | compromised or reasonably believed to have been |
3 | | compromised in the breach. |
4 | | (3) Information that the parent may use to contact the |
5 | | operator and school to inquire about the breach. |
6 | | (4) The toll-free numbers, addresses, and websites for |
7 | | consumer reporting agencies. |
8 | | (5) The toll-free number, address, and website for the |
9 | | Federal Trade Commission. |
10 | | (6) A statement that the parent may obtain information |
11 | | from the Federal Trade Commission and consumer reporting |
12 | | agencies about fraud alerts and security freezes. |
13 | | A notice of breach required under this subsection may be |
14 | | delayed if an appropriate law enforcement agency determines |
15 | | that the notification will interfere with a criminal |
16 | | investigation and provides the school with a written request |
17 | | for a delay of notice. A school must comply with the |
18 | | notification requirements as soon as the notification will no |
19 | | longer interfere with the investigation. |
20 | | (e) Each school must implement and maintain reasonable |
21 | | security procedures and practices that otherwise meet or exceed |
22 | | industry standards designed to protect covered information |
23 | | from unauthorized access, destruction, use, modification, or |
24 | | disclosure. Any written agreement under which the disclosure of |
25 | | covered information between the school and a third party takes |
26 | | place must include a provision requiring the entity to whom the |
|
| | 10100HB3606sam003 | - 16 - | LRB101 09053 AXK 60836 a |
|
|
1 | | covered information is disclosed to implement and maintain |
2 | | reasonable security procedures and practices that otherwise |
3 | | meet or exceed industry standards designed to protect covered |
4 | | information from unauthorized access, destruction, use, |
5 | | modification, or disclosure. The State Board must make |
6 | | available on its website a guidance document for schools |
7 | | pertaining to reasonable security procedures and practices |
8 | | under this subsection. |
9 | | (f) Each school may designate an appropriate staff person |
10 | | as a privacy officer, who may also be an official records |
11 | | custodian as designated under the Illinois School Student |
12 | | Records Act, to carry out the duties and responsibilities |
13 | | assigned to schools and to ensure compliance with the |
14 | | requirements of this Section and Section 26. |
15 | | (g) A school shall make a request, pursuant to paragraph |
16 | | (2) of Section 15, to an operator to delete covered information |
17 | | on behalf of a student's parent if the parent requests from the |
18 | | school that the student's covered information held by the |
19 | | operator be deleted, so long as the deletion of the covered |
20 | | information is not in violation of State or federal records |
21 | | laws. |
22 | | (h) This Section does not apply to nonpublic schools. |
23 | | (105 ILCS 85/28 new) |
24 | | Sec. 28. State Board duties. |
25 | | (a) The State Board may not sell, rent, lease, or trade |
|
| | 10100HB3606sam003 | - 17 - | LRB101 09053 AXK 60836 a |
|
|
1 | | covered information. |
2 | | (b) Except for an employee of the State Board or a State |
3 | | Board official acting within his or her official capacity, the |
4 | | State Board may not share, transfer, disclose, or provide |
5 | | covered information to an entity or individual without a |
6 | | contract or written agreement, except for disclosures required |
7 | | by State or federal law. |
8 | | (c) At least once annually, the State Board must publish |
9 | | and maintain on its website a list of all of the entities or |
10 | | individuals, including, but not limited to, operators, |
11 | | individual researchers, research organizations, institutions |
12 | | of higher education, or government agencies, that the State |
13 | | Board contracts with or has written agreements with and that |
14 | | hold covered information and a copy of each contract or written |
15 | | agreement. The list must include all of the following |
16 | | information: |
17 | | (1) The name of the entity or individual. In naming an |
18 | | individual, the list must include the entity that sponsors |
19 | | the individual or with which the individual is affiliated, |
20 | | if any. If the individual is conducting research at an |
21 | | institution of higher education, the list may include the |
22 | | name of that institution and a contact person in the |
23 | | department that is associated with the research in lieu of |
24 | | the name of the researcher. If the entity is an operator, |
25 | | the list must include its business address. |
26 | | (2) The purpose and scope of the contract or agreement. |
|
| | 10100HB3606sam003 | - 18 - | LRB101 09053 AXK 60836 a |
|
|
1 | | (3) The duration of the contract or agreement. |
2 | | (4) The types of covered information that the entity or |
3 | | individual holds under the contract or agreement. |
4 | | (5) The use of the covered information under the |
5 | | contract or agreement. |
6 | | (6) The length of time for which the entity or |
7 | | individual may hold the covered information. |
8 | | (7) A list of any subcontractors to whom covered |
9 | | information may be disclosed under Section 15 or a link to |
10 | | a page on the operator's website that clearly lists that |
11 | | information. |
12 | | If mutually agreed upon by the State Board and the |
13 | | operator, provisions of a contract or written agreement, other |
14 | | than those pertaining to paragraphs (1) through (7), may be |
15 | | redacted on the State Board's website. |
16 | | (d) The State Board shall create, publish, and make |
17 | | publicly available an inventory, along with a dictionary or |
18 | | index of data elements and their definitions, of covered |
19 | | information collected or maintained by the State Board, |
20 | | including, but not limited to, both of the following: |
21 | | (1) Covered information that schools are required to |
22 | | report to the State Board by State or federal law. |
23 | | (2) Covered information in the State longitudinal data |
24 | | system or any data warehouse used by the State Board to |
25 | | populate the longitudinal data system. |
26 | | The inventory shall make clear for what purposes the State |
|
| | 10100HB3606sam003 | - 19 - | LRB101 09053 AXK 60836 a |
|
|
1 | | Board uses the covered information. |
2 | | (e) The State Board shall develop, publish, and make |
3 | | publicly available, for the benefit of schools, model student |
4 | | data privacy policies and procedures that comply with relevant |
5 | | State and federal law, including, but not limited to, a model |
6 | | notice that schools must use to provide notice to parents and |
7 | | students about operators. The notice must state, in general |
8 | | terms, the types of student data that are collected by the |
9 | | schools and shared with operators under this Act and the |
10 | | purposes of collecting and using the student data. After |
11 | | creation of the notice under this subsection, a school shall, |
12 | | at the beginning of each school year, provide the notice to |
13 | | parents by the same means generally used to send notices to |
14 | | them. This subsection does not apply to nonpublic schools. |
15 | | (105 ILCS 85/30)
|
16 | | Sec. 30. Applicability. This Act does not do any of the |
17 | | following: |
18 | | (1) Limit the authority of a law enforcement agency to |
19 | | obtain any content or information from an operator as |
20 | | authorized by law or under a court order. |
21 | | (2) Limit the ability of an operator to use student |
22 | | data, including covered information, for adaptive learning |
23 | | or customized student learning purposes. |
24 | | (3) Apply to general audience Internet websites, |
25 | | general audience online services, general audience online |
|
| | 10100HB3606sam003 | - 20 - | LRB101 09053 AXK 60836 a |
|
|
1 | | applications, or general audience mobile applications, |
2 | | even if login credentials created for an operator's site, |
3 | | service, or application may be used to access those general |
4 | | audience sites, services, or applications. |
5 | | (4) Limit service providers from providing Internet |
6 | | connectivity to schools or students and their families. |
7 | | (5) Prohibit an operator of an Internet website, online |
8 | | service, online application, or mobile application from |
9 | | marketing educational products directly to parents if the |
10 | | marketing did not result from the use of covered |
11 | | information obtained by the operator through the provision |
12 | | of services covered under this Act. |
13 | | (6) Impose a duty upon a provider of an electronic |
14 | | store, gateway, marketplace, or other means of purchasing |
15 | | or downloading software or applications to review or |
16 | | enforce compliance with this Act on those applications or |
17 | | software. |
18 | | (7) Impose a duty upon a provider of an interactive |
19 | | computer service to review or enforce compliance with this |
20 | | Act by third-party content providers. |
21 | | (8) Prohibit students from downloading, exporting, |
22 | | transferring, saving, or maintaining their own student |
23 | | data or documents. |
24 | | (9) Supersede the federal Family Educational Rights |
25 | | and Privacy Act of 1974 , or rules adopted pursuant to that |
26 | | Act or the Illinois School Student Records Act , or any |
|
| | 10100HB3606sam003 | - 21 - | LRB101 09053 AXK 60836 a |
|
|
1 | | rules adopted pursuant to those Acts .
|
2 | | (10) Prohibit an operator or school from producing and |
3 | | distributing, free or for consideration, student class |
4 | | photos and yearbooks to the school, students, parents, or |
5 | | individuals authorized by parents and to no others, in |
6 | | accordance with the terms of a written agreement between |
7 | | the operator and the school. |
8 | | (Source: P.A. 100-315, eff. 8-24-17.) |
9 | | (105 ILCS 85/33 new) |
10 | | Sec. 33. Parent and student rights. |
11 | | (a) A student's covered information shall be collected only |
12 | | for K through 12 school purposes and not further processed in a |
13 | | manner that is incompatible with those purposes. |
14 | | (b) A student's covered information shall only be adequate, |
15 | | relevant, and limited to what is necessary in relation to the K |
16 | | through 12 school purposes for which it is processed. |
17 | | (c) Except for a parent of a student enrolled in a |
18 | | nonpublic school, the parent of a student enrolled in a school |
19 | | has the right to all of the following: |
20 | | (1) Inspect and review the student's covered |
21 | | information, regardless of whether it is maintained by the |
22 | | school, the State Board, or an operator. |
23 | | (2) Request from a school a paper or electronic copy of |
24 | | the student's covered information, including covered |
25 | | information maintained by an operator or the State Board. |
|
| | 10100HB3606sam003 | - 22 - | LRB101 09053 AXK 60836 a |
|
|
1 | | If a parent requests an electronic copy of the student's |
2 | | covered information under this paragraph, the school must |
3 | | provide an electronic copy of that information, unless the |
4 | | school does not maintain the information in an electronic |
5 | | format and reproducing the information in an electronic |
6 | | format would be unduly burdensome to the school. If a |
7 | | parent requests a paper copy of the student's covered |
8 | | information, the school may charge the parent the |
9 | | reasonable cost for copying the information in an amount |
10 | | not to exceed the amount fixed in a schedule adopted by the |
11 | | State Board, except that no parent may be denied a copy of |
12 | | the information due to the parent's inability to bear the |
13 | | cost of the copying. The State Board must adopt rules on |
14 | | the methodology and frequency of requests under this |
15 | | paragraph. |
16 | | (3) Request corrections of factual inaccuracies |
17 | | contained in the student's covered information. After |
18 | | receiving a request for corrections and determining that a |
19 | | factual inaccuracy exists, a school must do either of the |
20 | | following: |
21 | | (A) If the school maintains or possesses the |
22 | | covered information that contains the factual |
23 | | inaccuracy, correct the factual inaccuracy and confirm |
24 | | the correction with the parent within 90 calendar days |
25 | | after receiving the parent's request. |
26 | | (B) If the operator or State Board maintains or |
|
| | 10100HB3606sam003 | - 23 - | LRB101 09053 AXK 60836 a |
|
|
1 | | possesses the covered information that contains the |
2 | | factual inaccuracy, notify the operator or the State |
3 | | Board of the correction. The operator or the State |
4 | | Board must correct the factual inaccuracy and confirm |
5 | | the correction with the school within 90 calendar days |
6 | | after receiving the notice. Within 10 business days |
7 | | after receiving confirmation of the correction from |
8 | | the operator or State Board, the school must confirm |
9 | | the correction with the parent. |
10 | | (d) Nothing in this Section shall be construed to limit the |
11 | | rights granted to parents and students under the Illinois |
12 | | School Student Records Act or the federal Family Educational |
13 | | Rights and Privacy Act of 1974.
|
14 | | Section 99. Effective date. This Act takes effect July 1, |
15 | | 2021.".
|