SB1578 102ND GENERAL ASSEMBLY

102ND GENERAL ASSEMBLY State of Illinois 2021 and 2022
SB1578

Introduced 2/26/2021, by Sen. Robert F. Martwick

SYNOPSIS AS INTRODUCED:

`105 ILCS 85/10`
`105 ILCS 85/15`
`105 ILCS 85/26`
`105 ILCS 85/28`
`105 ILCS 85/33`

Amends the Student Online Personal Protection Act. Provides than an operator shall not knowingly sell, rent, lease, or trade a student's information (rather than knowingly sell or rent a student's information). Regarding an operator's request to receive covered information from a school, a school district, or the State Board of Education, provides that the written agreement related thereto must require the operator to provide a parent with a means to view and to request edits to the covered information to be maintained by the operator. If a breach occurs and is attributed to the operator, provides that any investigation and remediation costs and expenses incurred by the school as a result of the breach shall be borne by the operator (rather than the costs and expenses shall be allocated between the operator and the school). Removes local school council members as individuals who are authorized to share, transfer, disclose, or provide access to a student's covered information without a written agreement. Requires the State Board of Education to develop and make available model student data privacy policies and procedures as soon as practical after July 1, 2021. Makes changes concerning parent and student rights. Effective immediately.

LRB102 14184 CMG 19536 b

FISCAL NOTE ACT MAY APPLY

A BILL FOR

SB1578

LRB102 14184 CMG 19536 b

1 AN ACT concerning education.

2 Be it enacted by the People of the State of Illinois,

3 represented in the General Assembly:

4 Section 5. The Student Online Personal Protection Act is

5 amended by changing Sections 10, 15, 26, 28, and 33 as follows:

6 (105 ILCS 85/10)

7 (Text of Section before amendment by P.A. 101-516)

8 Sec. 10. Operator prohibitions. An operator shall not

9 knowingly do any of the following:

10 (1) Engage in targeted advertising on the operator's

11 site, service, or application or target advertising on any

12 other site, service, or application if the targeting of

13 the advertising is based on any information, including

14 covered information and persistent unique identifiers,

15 that the operator has acquired because of the use of that

16 operator's site, service, or application for K through 12

17 school purposes.

18 (2) Use information, including persistent unique

19 identifiers, created or gathered by the operator's site,

20 service, or application to amass a profile about a

21 student, except in furtherance of K through 12 school

22 purposes. "Amass a profile" does not include the

23 collection and retention of account information that

SB1578

- 2 -

LRB102 14184 CMG 19536 b

1 remains under the control of the student, the student's

2 parent or legal guardian, or the school.

3 (3) Sell or rent a student's information, including

4 covered information. This subdivision (3) does not apply

5 to the purchase, merger, or other type of acquisition of

6 an operator by another entity if the operator or successor

7 entity complies with this Act regarding previously

8 acquired student information.

9 (4) Except as otherwise provided in Section 20 of this

10 Act, disclose covered information, unless the disclosure

11 is made for the following purposes:

12 (A) In furtherance of the K through 12 school

13 purposes of the site, service, or application if the

14 recipient of the covered information disclosed under

15 this clause (A) does not further disclose the

16 information, unless done to allow or improve

17 operability and functionality of the operator's site,

18 service, or application.

19 (B) To ensure legal and regulatory compliance or

20 take precautions against liability.

21 (C) To respond to the judicial process.

22 (D) To protect the safety or integrity of users of

23 the site or others or the security of the site,

24 service, or application.

25 (E) For a school, educational, or employment

26 purpose requested by the student or the student's

SB1578

- 3 -

LRB102 14184 CMG 19536 b

1 parent or legal guardian, provided that the

2 information is not used or further disclosed for any

3 other purpose.

4 (F) To a third party if the operator contractually

5 prohibits the third party from using any covered

6 information for any purpose other than providing the

7 contracted service to or on behalf of the operator,

8 prohibits the third party from disclosing any covered

9 information provided by the operator with subsequent

10 third parties, and requires the third party to

11 implement and maintain reasonable security procedures

12 and practices.

13 Nothing in this Section prohibits the operator's use of

14 information for maintaining, developing, supporting,

15 improving, or diagnosing the operator's site, service, or

16 application.

17 (Source: P.A. 100-315, eff. 8-24-17.)

18 (Text of Section after amendment by P.A. 101-516)

19 Sec. 10. Operator prohibitions. An operator shall not

20 knowingly do any of the following:

21 (1) Engage in targeted advertising on the operator's

22 site, service, or application or target advertising on any

23 other site, service, or application if the targeting of

24 the advertising is based on any information, including

25 covered information and persistent unique identifiers,

SB1578

- 4 -

LRB102 14184 CMG 19536 b

1 that the operator has acquired because of the use of that

2 operator's site, service, or application for K through 12

3 school purposes.

4 (2) Use information, including persistent unique

5 identifiers, created or gathered by the operator's site,

6 service, or application to amass a profile about a

7 student, except in furtherance of K through 12 school

8 purposes. "Amass a profile" does not include the

9 collection and retention of account information that

10 remains under the control of the student, the student's

11 parent, or the school.

12 (3) Sell, ~~or~~ rent, lease, or trade a student's

13 information, including covered information. This

14 subdivision (3) does not apply to the purchase, merger, or

15 other type of acquisition of an operator by another entity

16 if the operator or successor entity complies with this Act

17 regarding previously acquired student information.

18 (4) Except as otherwise provided in Section 20 of this

19 Act, disclose covered information, unless the disclosure

20 is made for the following purposes:

21 (A) In furtherance of the K through 12 school

22 purposes of the site, service, or application if the

23 recipient of the covered information disclosed under

24 this clause (A) does not further disclose the

25 information, unless done to allow or improve

26 operability and functionality of the operator's site,

SB1578

- 5 -

LRB102 14184 CMG 19536 b

1 service, or application.

2 (B) To ensure legal and regulatory compliance or

3 take precautions against liability.

4 (C) To respond to the judicial process.

5 (D) To protect the safety or integrity of users of

6 the site or others or the security of the site,

7 service, or application.

8 (E) For a school, educational, or employment

9 purpose requested by the student or the student's

10 parent, provided that the information is not used or

11 further disclosed for any other purpose.

12 (F) To a third party if the operator contractually

13 prohibits the third party from using any covered

14 information for any purpose other than providing the

15 contracted service to or on behalf of the operator,

16 prohibits the third party from disclosing any covered

17 information provided by the operator with subsequent

18 third parties, and requires the third party to

19 implement and maintain security procedures and

20 practices as required under Section 15.

21 Nothing in this Section prohibits the operator's use of

22 information for maintaining, developing, supporting,

23 improving, or diagnosing the operator's site, service, or

24 application.

25 (Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)

SB1578

- 6 -

LRB102 14184 CMG 19536 b

1 (105 ILCS 85/15)

2 (Text of Section before amendment by P.A. 101-516)

3 Sec. 15. Operator duties. An operator shall do the

4 following:

5 (1) Implement and maintain reasonable security

6 procedures and practices appropriate to the nature of the

7 covered information and designed to protect that covered

8 information from unauthorized access, destruction, use,

9 modification, or disclosure.

10 (2) Delete, within a reasonable time period, a

11 student's covered information if the school or school

12 district requests deletion of covered information under

13 the control of the school or school district, unless a

14 student or his or her parent or legal guardian consents to

15 the maintenance of the covered information.

16 (3) Publicly disclose material information about its

17 collection, use, and disclosure of covered information,

18 including, but not limited to, publishing a terms of

19 service agreement, privacy policy, or similar document.

20 (Source: P.A. 100-315, eff. 8-24-17.)

21 (Text of Section after amendment by P.A. 101-516)

22 Sec. 15. Operator duties. An operator shall do the

23 following:

24 (1) Implement and maintain reasonable security

25 procedures and practices that otherwise meet or exceed

SB1578

- 7 -

LRB102 14184 CMG 19536 b

1 industry standards designed to protect covered information

2 from unauthorized access, destruction, use, modification,

3 or disclosure.

4 (2) Delete, within a reasonable time period, a

5 student's covered information if the school or school

6 district requests deletion of covered information under

7 the control of the school or school district, unless a

8 student or his or her parent consents to the maintenance

9 of the covered information.

10 (3) Publicly disclose material information about its

11 collection, use, and disclosure of covered information,

12 including, but not limited to, publishing a terms of

13 service agreement, privacy policy, or similar document.

14 (4) Except for a nonpublic school, for any operator

15 who seeks to receive from a school, school district, or

16 the State Board in any manner any covered information,

17 enter into a written agreement with the school, school

18 district, or State Board before the covered information

19 may be transferred. The written agreement may be created

20 in electronic form and signed with an electronic or

21 digital signature or may be a click wrap agreement that is

22 used with software licenses, downloaded or online

23 applications and transactions for educational

24 technologies, or other technologies in which a user must

25 agree to terms and conditions before using the product or

26 service. Any written agreement entered into, amended, or

SB1578

- 8 -

LRB102 14184 CMG 19536 b

1 renewed must contain all of the following:

2 (A) A listing of the categories or types of

3 covered information to be provided to the operator.

4 (A-5) A requirement that the operator provide to a

5 parent a means through the parent's dashboard to view

6 and to request edits to the covered information to be

7 maintained by the operator.

8 (B) A statement of the product or service being

9 provided to the school by the operator.

10 (C) A statement that, pursuant to the federal

11 Family Educational Rights and Privacy Act of 1974, the

12 operator is acting as a school official with a

13 legitimate educational interest, is performing an

14 institutional service or function for which the school

15 would otherwise use employees, under the direct

16 control of the school, with respect to the use and

17 maintenance of covered information, and is using the

18 covered information only for an authorized purpose and

19 may not re-disclose it to third parties or affiliates,

20 unless otherwise permitted under this Act, without

21 permission from the school or pursuant to court order.

22 (D) A description of how, if a breach is

23 attributed to the operator, any costs and expenses

24 incurred by the school in investigating and

25 remediating the breach will be borne by ~~allocated~~

26 ~~between~~ the operator ~~and the school~~. The costs and

SB1578

- 9 -

LRB102 14184 CMG 19536 b

1 expenses may include, but are not limited to:

2 (i) providing notification to the parents of

3 those students whose covered information was

4 compromised and to regulatory agencies or other

5 entities as required by law or contract;

6 (ii) providing credit monitoring to those

7 students whose covered information was exposed in

8 a manner during the breach that a reasonable

9 person would believe that it could impact his or

10 her credit or financial security;

11 (iii) legal fees, audit costs, fines, and any

12 other fees or damages imposed against the school

13 as a result of the security breach; and

14 (iv) providing any other notifications or

15 fulfilling any other requirements adopted by the

16 State Board or of any other State or federal laws.

17 (E) A statement that the operator must delete or

18 transfer to the school all covered information if the

19 information is no longer needed for the purposes of

20 the written agreement and to specify the time period

21 in which the information must be deleted or

22 transferred once the operator is made aware that the

23 information is no longer needed for the purposes of

24 the written agreement.

25 (F) If the school maintains a website, a statement

26 that the school must publish the written agreement on

SB1578

- 10 -

LRB102 14184 CMG 19536 b

1 the school's website. If the school does not maintain

2 a website, a statement that the school must make the

3 written agreement available for inspection by the

4 general public at its administrative office. If

5 mutually agreed upon by the school and the operator,

6 provisions of the written agreement, other than those

7 under subparagraphs (A), (B), and (C), may be redacted

8 in the copy of the written agreement published on the

9 school's website or made available at its

10 administrative office.

11 (5) In case of any breach, within the most expedient

12 time possible and without unreasonable delay, but no later

13 than 30 calendar days after the determination that a

14 breach has occurred, notify the school of any breach of

15 the students' covered information.

16 (6) Except for a nonpublic school, provide to the

17 school a list of any third parties or affiliates to whom

18 the operator is currently disclosing covered information

19 or has disclosed covered information. This list must, at a

20 minimum, be updated and provided to the school by the

21 beginning of each State fiscal year and at the beginning

22 of each calendar year.

23 (Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)

24 (105 ILCS 85/26)

25 (This Section may contain text from a Public Act with a

SB1578

- 11 -

LRB102 14184 CMG 19536 b

1 delayed effective date)

2 Sec. 26. School prohibitions. A school may not do either

3 of the following:

4 (1) Sell, rent, lease, or trade covered information.

5 (2) Share, transfer, disclose, or provide access to a

6 student's covered information to an entity or individual,

7 other than the student's parent, school personnel,

8 appointed or elected school board members ~~or local school~~

9 ~~council members~~, or the State Board, without a written

10 agreement, unless the disclosure or transfer is:

11 (A) to the extent permitted by State or federal

12 law, to law enforcement officials to protect the

13 safety of users or others or the security or integrity

14 of the operator's service;

15 (B) required by court order or State or federal

16 law; or

17 (C) to ensure legal or regulatory compliance.

18 This paragraph (2) does not apply to nonpublic

19 schools.

20 (Source: P.A. 101-516, eff. 7-1-21.)

21 (105 ILCS 85/28)

22 (This Section may contain text from a Public Act with a

23 delayed effective date)

24 Sec. 28. State Board duties.

25 (a) The State Board may not sell, rent, lease, or trade

SB1578

- 12 -

LRB102 14184 CMG 19536 b

1 covered information.

2 (b) Except for an employee of the State Board or a State

3 Board official acting within his or her official capacity, the

4 State Board may not share, transfer, disclose, or provide

5 covered information to an entity or individual without a

6 contract or written agreement, except for disclosures required

7 by State or federal law.

8 (c) At least once annually, the State Board must publish

9 and maintain on its website a list of all of the entities or

10 individuals, including, but not limited to, operators,

11 individual researchers, research organizations, institutions

12 of higher education, or government agencies, that the State

13 Board contracts with or has written agreements with and that

14 hold covered information and a copy of each contract or

15 written agreement. The list must include all of the following

16 information:

17 (1) The name of the entity or individual. In naming an

18 individual, the list must include the entity that sponsors

19 the individual or with which the individual is affiliated,

20 if any. If the individual is conducting research at an

21 institution of higher education, the list may include the

22 name of that institution and a contact person in the

23 department that is associated with the research in lieu of

24 the name of the researcher. If the entity is an operator,

25 the list must include its business address.

26 (2) The purpose and scope of the contract or

SB1578

- 13 -

LRB102 14184 CMG 19536 b

1 agreement.

2 (3) The duration of the contract or agreement.

3 (4) The types of covered information that the entity

4 or individual holds under the contract or agreement.

5 (5) The use of the covered information under the

6 contract or agreement.

7 (6) The length of time for which the entity or

8 individual may hold the covered information.

9 (7) A list of any subcontractors to whom covered

10 information may be disclosed under Section 15 or a link to

11 a page on the operator's website that clearly lists that

12 information.

13 If mutually agreed upon by the State Board and the

14 operator, provisions of a contract or written agreement, other

15 than those pertaining to paragraphs (1) through (7), may be

16 redacted on the State Board's website.

17 (d) The State Board shall create, publish, and make

18 publicly available an inventory, along with a dictionary or

19 index of data elements and their definitions, of covered

20 information collected or maintained by the State Board,

21 including, but not limited to, both of the following:

22 (1) Covered information that schools are required to

23 report to the State Board by State or federal law.

24 (2) Covered information in the State longitudinal data

25 system or any data warehouse used by the State Board to

26 populate the longitudinal data system.

SB1578

- 14 -

LRB102 14184 CMG 19536 b

1 The inventory shall make clear for what purposes the State

2 Board uses the covered information.

3 (e) As soon as practical after July 1, 2021 (the effective

4 date of Public Act 101-516), the ~~The~~ State Board shall

5 develop, publish, and make publicly available, for the benefit

6 of schools, model student data privacy policies and procedures

7 that comply with relevant State and federal law, including,

8 but not limited to, a model notice that schools must use to

9 provide notice to parents and students about operators. The

10 notice must state, in general terms, the types of student data

11 that are collected by the schools and shared with operators

12 under this Act and the purposes of collecting and using the

13 student data. After creation of the notice under this

14 subsection, a school shall, at the beginning of each school

15 year, provide the notice to parents by the same means

16 generally used to send notices to them. This subsection does

17 not apply to nonpublic schools.

18 (Source: P.A. 101-516, eff. 7-1-21.)

19 (105 ILCS 85/33)

20 (This Section may contain text from a Public Act with a

21 delayed effective date)

22 Sec. 33. Parent and student rights.

23 (a) A student's covered information shall be collected

24 only for K through 12 school purposes and not further

25 processed in a manner that is incompatible with those

SB1578

- 15 -

LRB102 14184 CMG 19536 b

1 purposes.

2 (b) A student's covered information shall only be

3 adequate, relevant, and limited to what is necessary in

4 relation to the K through 12 school purposes for which it is

5 processed.

6 (c) Except for a parent of a student enrolled in a

7 nonpublic school, the parent of a student enrolled in a school

8 has the right to all of the following:

9 (1) Inspect and review the student's covered

10 information, regardless of whether it is maintained by the

11 school, the State Board, or an operator.

12 (1.5) Request from the operator the ability to edit

13 the student's covered information.

14 (2) Request from a school a paper or electronic copy

15 of the student's covered information, including covered

16 information maintained by an operator ~~or the State Board~~.

17 If a parent requests an electronic copy of the student's

18 covered information under this paragraph, the school must

19 provide an electronic copy of that information, unless the

20 school does not maintain the information in an electronic

21 format and reproducing the information in an electronic

22 format would be unduly burdensome to the school. If a

23 parent requests a paper copy of the student's covered

24 information, the school may charge the parent the

25 reasonable cost for copying the information in an amount

26 not to exceed the amount fixed in a schedule adopted by the

SB1578

- 16 -

LRB102 14184 CMG 19536 b

1 State Board, except that no parent may be denied a copy of

2 the information due to the parent's inability to bear the

3 cost of the copying. The State Board must adopt rules on

4 the methodology and frequency of requests under this

5 paragraph.

6 (2.5) Request from the State Board a paper or

7 electronic copy of the student's covered information,

8 including covered information maintained by an operator of

9 the State Board or by the State Board.

10 (3) Request corrections of factual inaccuracies

11 contained in the student's covered information. After

12 receiving a request for corrections and determining that a

13 factual inaccuracy exists, a school or the State Board

14 must do either of the following:

15 (A) If the school or the State Board maintains or

16 possesses the covered information that contains the

17 factual inaccuracy, correct the factual inaccuracy and

18 confirm the correction with the parent within 90

19 calendar days after receiving the parent's request.

20 (B) If the operator ~~or State Board~~ maintains or

21 possesses the covered information that contains the

22 factual inaccuracy, notify the operator ~~or the State~~

23 ~~Board~~ of the correction. The operator ~~or the State~~

24 ~~Board~~ must correct the factual inaccuracy and confirm

25 the correction with the school or the State Board

26 within 90 calendar days after receiving the notice.

SB1578

- 17 -

LRB102 14184 CMG 19536 b

1 Within 10 business days after receiving confirmation

2 of the correction from the operator ~~or State Board~~,

3 the school or the State Board must confirm the

4 correction with the parent.

5 (d) Nothing in this Section shall be construed to limit

6 the rights granted to parents and students under the Illinois

7 School Student Records Act or the federal Family Educational

8 Rights and Privacy Act of 1974.

9 (Source: P.A. 101-516, eff. 7-1-21.)

10 Section 95. No acceleration or delay. Where this Act makes

11 changes in a statute that is represented in this Act by text

12 that is not yet or no longer in effect (for example, a Section

13 represented by multiple versions), the use of that text does

14 not accelerate or delay the taking effect of (i) the changes

15 made by this Act or (ii) provisions derived from any other

16 Public Act.

17 Section 99. Effective date. This Act takes effect upon

18 becoming law.