99TH GENERAL ASSEMBLY
State of Illinois
2015 and 2016
SB0776

 

Introduced 2/4/2015, by Sen. Michael Connelly

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Student Online Personal Information Protection Act. Provides that the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 school purposes and designed and marketed for K-12 school purposes shall not knowingly (1) engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information that the operator has acquired because of the use of that operator's site, service, or application; (2) use information created or gathered by the operator's site, service, or application to amass a profile about a K-12 student except in furtherance of K-12 school purposes; (3) sell a student's information; or (4) disclose covered information, as defined in the Act, without the consent of a student's parent or legal guardian. Sets forth exceptions and other provisions concerning the construction and application of the Act. Effective January 1, 2016.


LRB099 03705 NHT 26058 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

SB0776LRB099 03705 NHT 26058 b

1    AN ACT concerning education.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Student Online Personal Information Protection Act.
 
6    Section 5. Definitions. In this Act:
7    "Covered information" means personally identifiable
8information or materials, in any media or format, that meets
9any of the following:
10        (1) Is created or provided by a student or the
11    student's parent or legal guardian to an operator in the
12    course of the student's, parent's, or legal guardian's use
13    of the operator's site, service, or application for K-12
14    school purposes.
15        (2) Is created or provided by an employee or agent of a
16    school or school district to an operator.
17        (3) Is gathered by an operator through the operation of
18    a site, service, or application described in the definition
19    of "operator" under this Section and is descriptive of a
20    student or otherwise identifies a student, including
21    without limitation information in the student's
22    educational record or e-mail, first and last name, home
23    address, telephone number, e-mail address, or other

 

 

SB0776- 2 -LRB099 03705 NHT 26058 b

1    information that allows physical or online contact,
2    discipline records, test results, special education data,
3    juvenile dependency records, grades, evaluations, criminal
4    records, medical records, health records, social security
5    number, biometric information, disabilities, socioeconomic
6    information, food purchases, political affiliations,
7    religious information, text messages, documents, student
8    identifiers, search activity, photos, voice recordings, or
9    geolocation information.
10    "K-12" means grades kindergarten through 12 in the public
11school system.
12    "K-12 school purposes" means K-12 purposes that
13customarily take place at the direction of a school, teacher,
14or school district or aid in the administration of school
15activities, including without limitation instruction in the
16classroom or at home, administrative activities, and
17collaboration between students, school personnel, or parents,
18or are for the use and benefit of a school.
19    "Online service" includes cloud computing services, which
20must comply with this Act if they otherwise meet the definition
21of an operator.
22    "Operator" means the operator of an Internet website,
23online service, online application, or mobile application with
24actual knowledge that the site, service, or application is used
25primarily for K-12 school purposes and was designed and
26marketed for K-12 school purposes.

 

 

SB0776- 3 -LRB099 03705 NHT 26058 b

1    "School" means a public school in this State.
 
2    Section 10. Prohibited activities and duties of operators.
3    (a) An operator shall not knowingly engage in any of the
4following activities with respect to its site, service, or
5application without the consent of a student's parent or legal
6guardian:
7        (1) Engage in targeted advertising on the operator's
8    site, service, or application or target advertising on any
9    other site, service, or application when the targeting of
10    the advertising is based upon any information, including
11    covered information and persistent unique identifiers,
12    that the operator has acquired because of the use of that
13    operator's site, service, or application described in the
14    definition of "operator" under Section 5 of this Act.
15        (2) Use information, including persistent unique
16    identifiers, created or gathered by the operator's site,
17    service, or application, to amass a profile about a K-12
18    student, except in furtherance of K-12 school purposes.
19        (3) Sell a student's information, including covered
20    information. The prohibition under this subdivision (3)
21    does not apply to the purchase, merger, or other type of
22    acquisition of an operator by another entity, provided that
23    the operator or successor entity continues to be subject to
24    the provisions of this Act with respect to previously
25    acquired student information.

 

 

SB0776- 4 -LRB099 03705 NHT 26058 b

1        (4) Disclose covered information, unless the
2    disclosure is made:
3            (A) in furtherance of the K-12 school purposes of
4        the site, service, or application, provided that the
5        recipient of the covered information disclosed
6        pursuant to this subdivision (4) (i) shall not further
7        disclose the information unless done to allow or
8        improve operability and functionality within that
9        student's classroom or school and (ii) is legally
10        required to comply with subsection (c) of this Section;
11            (B) to ensure legal and regulatory compliance;
12            (C) to respond to or participate in the judicial
13        process;
14            (D) to protect the safety of users or others or the
15        security of the site; or
16            (E) to a service provider, provided that the
17        operator contractually (i) prohibits the service
18        provider from using any covered information for any
19        purpose other than providing the contracted service to
20        or on behalf of the operator, (ii) prohibits the
21        service provider from disclosing any covered
22        information provided by the operator with subsequent
23        third parties, and (iii) requires the service provider
24        to implement and maintain reasonable security
25        procedures and practices as provided in subsection (c)
26        of this Section.

 

 

SB0776- 5 -LRB099 03705 NHT 26058 b

1    (b) Nothing in subsection (a) of this Section shall be
2construed to prohibit the operator's use of information for
3maintaining, developing, supporting, improving, or diagnosing
4the operator's site, service, or application.
5    (c) An operator shall do both of the following:
6        (1) Implement and maintain reasonable security
7    procedures and practices appropriate to the nature of the
8    covered information and protect that information from
9    unauthorized access, destruction, use, modification, or
10    disclosure.
11        (2) Delete a student's covered information if the
12    school or school district requests deletion of data under
13    the control of the school or school district.
14    (d) Notwithstanding subdivision (4) of subsection (a) of
15this Section, an operator may disclose covered information of a
16student, as long as subdivisions (1), (2), and (3) of
17subsection (a) of this Section are not violated, under the
18following circumstances:
19        (1) If other provisions of federal or State law require
20    the operator to disclose the information and the operator
21    complies with the requirements of federal and State law in
22    protecting and disclosing that information.
23        (2) For legitimate research purposes (i) as required by
24    State or federal law and subject to the restrictions under
25    applicable State and federal law or (ii) as allowed by
26    State or federal law and under the direction of a school or

 

 

SB0776- 6 -LRB099 03705 NHT 26058 b

1    school district or the State Board of Education if no
2    covered information is used in furtherance of advertising
3    or to amass a profile on the student for purposes other
4    than K-12 school purposes.
5        (3) To a State or local educational agency, including
6    schools and school districts, for K-12 school purposes, as
7    permitted by State or federal law.
8    (e) Nothing in this Section prohibits an operator from
9using de-identified student covered information as follows:
10        (1) Within the operator's site, service, or
11    application or other sites, services, or applications
12    owned by the operator to improve educational products.
13        (2) To demonstrate the effectiveness of the operator's
14    products or services, including in their marketing.
15    (f) Nothing in this Section prohibits an operator from
16sharing aggregated de-identified student covered information
17for the development and improvement of educational sites,
18services, or applications.
 
19    Section 15. Construction and application of Act.
20    (a) This Act shall not be construed to limit the authority
21of a law enforcement agency to obtain any content or
22information from an operator as authorized by law or pursuant
23to an order of a court of competent jurisdiction.
24    (b) This Act does not limit the ability of an operator to
25use student data, including covered information, for adaptive

 

 

SB0776- 7 -LRB099 03705 NHT 26058 b

1learning or customized student learning purposes.
2    (c) This Act does not apply to general audience Internet
3websites, general audience online services, general audience
4online applications, or general audience mobile applications,
5even if login credentials created for an operator's site,
6service, or application may be used to access those general
7audience sites, services, or applications.
8    (d) This Act does not limit Internet service providers from
9providing Internet connectivity to schools or students and
10their families.
11    (e) This Act shall not be construed to prohibit an operator
12of an Internet website, online service, online application, or
13mobile application from marketing educational products
14directly to parents so long as the marketing did not result
15from the use of covered information obtained by the operator
16through the provision of services covered under this Act.
17    (f) This Act does not impose a duty upon a provider of an
18electronic store, a gateway, a marketplace, or other means of
19purchasing or downloading software or applications to review or
20enforce compliance of this Act on those applications or
21software.
22    (g) This Act does not impose a duty upon a provider of an
23interactive computer service, as defined in Section 230 of
24Title 47 of the United States Code, to review or enforce
25compliance with this Act by third-party content providers.
26    (h) This Act does not impede the ability of students to

 

 

SB0776- 8 -LRB099 03705 NHT 26058 b

1download, export, or otherwise save or maintain their own
2student-created data or documents.
 
3    Section 97. Severability. The provisions of this Act are
4severable under Section 1.31 of the Statute on Statutes.
 
5    Section 99. Effective date. This Act takes effect January
61, 2016.