|
| | 99TH GENERAL ASSEMBLY
State of Illinois
2015 and 2016 SB0776 Introduced 2/4/2015, by Sen. Michael Connelly SYNOPSIS AS INTRODUCED: |
| |
Creates the Student Online Personal Information Protection Act. Provides that the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 school purposes and designed and marketed for K-12 school purposes shall not knowingly (1) engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information that the operator has acquired because of the use of that operator's site, service, or application; (2) use information created or gathered by the operator's site, service, or application to amass a profile about a K-12 student except in furtherance of K-12 school purposes; (3) sell a student's information; or (4) disclose covered information, as defined in the Act, without the consent of a student's parent or legal guardian. Sets forth exceptions and other provisions concerning the construction and application of the Act. Effective January 1, 2016.
|
| |
| | | FISCAL NOTE ACT MAY APPLY | |
| | A BILL FOR |
|
|
| | SB0776 | | LRB099 03705 NHT 26058 b |
|
|
1 | | AN ACT concerning education.
|
2 | | Be it enacted by the People of the State of Illinois,
|
3 | | represented in the General Assembly:
|
4 | | Section 1. Short title. This Act may be cited as the |
5 | | Student Online Personal Information Protection Act. |
6 | | Section 5. Definitions. In this Act: |
7 | | "Covered information" means personally identifiable |
8 | | information or materials, in any media or format, that meets |
9 | | any of the following: |
10 | | (1) Is created or provided by a student or the |
11 | | student's parent or legal guardian to an operator in the |
12 | | course of the student's, parent's, or legal guardian's use |
13 | | of the operator's site, service, or application for K-12 |
14 | | school purposes. |
15 | | (2) Is created or provided by an employee or agent of a |
16 | | school or school district to an operator. |
17 | | (3) Is gathered by an operator through the operation of |
18 | | a site, service, or application described in the definition |
19 | | of "operator" under this Section and is descriptive of a |
20 | | student or otherwise identifies a student, including |
21 | | without limitation information in the student's |
22 | | educational record or e-mail, first and last name, home |
23 | | address, telephone number, e-mail address, or other |
|
| | SB0776 | - 2 - | LRB099 03705 NHT 26058 b |
|
|
1 | | information that allows physical or online contact, |
2 | | discipline records, test results, special education data, |
3 | | juvenile dependency records, grades, evaluations, criminal |
4 | | records, medical records, health records, social security |
5 | | number, biometric information, disabilities, socioeconomic |
6 | | information, food purchases, political affiliations, |
7 | | religious information, text messages, documents, student |
8 | | identifiers, search activity, photos, voice recordings, or |
9 | | geolocation information.
|
10 | | "K-12" means grades kindergarten through 12 in the public |
11 | | school system.
|
12 | | "K-12 school purposes" means K-12 purposes that |
13 | | customarily take place at the direction of a school, teacher, |
14 | | or school district or aid in the administration of school |
15 | | activities, including without limitation instruction in the |
16 | | classroom or at home, administrative activities, and |
17 | | collaboration between students, school personnel, or parents, |
18 | | or are for the use and benefit of a school. |
19 | | "Online service" includes cloud computing services, which |
20 | | must comply with this Act if they otherwise meet the definition |
21 | | of an operator. |
22 | | "Operator" means the operator of an Internet website, |
23 | | online service, online application, or mobile application with |
24 | | actual knowledge that the site, service, or application is used |
25 | | primarily for K-12 school purposes and was designed and |
26 | | marketed for K-12 school purposes. |
|
| | SB0776 | - 3 - | LRB099 03705 NHT 26058 b |
|
|
1 | | "School" means a public school in this State. |
2 | | Section 10. Prohibited activities and duties of operators. |
3 | | (a) An operator shall not knowingly engage in any of the |
4 | | following activities with respect to its site, service, or |
5 | | application without the consent of a student's parent or legal |
6 | | guardian: |
7 | | (1) Engage in targeted advertising on the operator's |
8 | | site, service, or application or target advertising on any |
9 | | other site, service, or application when the targeting of |
10 | | the advertising is based upon any information, including |
11 | | covered information and persistent unique identifiers, |
12 | | that the operator has acquired because of the use of that |
13 | | operator's site, service, or application described in the |
14 | | definition of "operator" under Section 5 of this Act. |
15 | | (2) Use information, including persistent unique |
16 | | identifiers, created or gathered by the operator's site, |
17 | | service, or application, to amass a profile about a K-12 |
18 | | student, except in furtherance of K-12 school purposes. |
19 | | (3) Sell a student's information, including covered |
20 | | information. The prohibition under this subdivision (3) |
21 | | does not apply to the purchase, merger, or other type of |
22 | | acquisition of an operator by another entity, provided that |
23 | | the operator or successor entity continues to be subject to |
24 | | the provisions of this Act with respect to previously |
25 | | acquired student information. |
|
| | SB0776 | - 4 - | LRB099 03705 NHT 26058 b |
|
|
1 | | (4) Disclose covered information, unless the |
2 | | disclosure is made: |
3 | | (A) in furtherance of the K-12 school purposes of |
4 | | the site, service, or application, provided that the |
5 | | recipient of the covered information disclosed |
6 | | pursuant to this subdivision (4) (i) shall not further |
7 | | disclose the information unless done to allow or |
8 | | improve operability and functionality within that |
9 | | student's classroom or school and (ii) is legally |
10 | | required to comply with subsection (c) of this Section; |
11 | | (B) to ensure legal and regulatory compliance; |
12 | | (C) to respond to or participate in the judicial |
13 | | process; |
14 | | (D) to protect the safety of users or others or the |
15 | | security of the site; or |
16 | | (E) to a service provider, provided that the |
17 | | operator contractually (i) prohibits the service |
18 | | provider from using any covered information for any |
19 | | purpose other than providing the contracted service to |
20 | | or on behalf of the operator, (ii) prohibits the |
21 | | service provider from disclosing any covered |
22 | | information provided by the operator with subsequent |
23 | | third parties, and (iii) requires the service provider |
24 | | to implement and maintain reasonable security |
25 | | procedures and practices as provided in subsection (c) |
26 | | of this Section. |
|
| | SB0776 | - 5 - | LRB099 03705 NHT 26058 b |
|
|
1 | | (b) Nothing in subsection (a) of this Section shall be |
2 | | construed to prohibit the operator's use of information for |
3 | | maintaining, developing, supporting, improving, or diagnosing |
4 | | the operator's site, service, or application. |
5 | | (c) An operator shall do both of the following: |
6 | | (1) Implement and maintain reasonable security |
7 | | procedures and practices appropriate to the nature of the |
8 | | covered information and protect that information from |
9 | | unauthorized access, destruction, use, modification, or |
10 | | disclosure. |
11 | | (2) Delete a student's covered information if the |
12 | | school or school district requests deletion of data under |
13 | | the control of the school or school district. |
14 | | (d) Notwithstanding subdivision (4) of subsection (a) of |
15 | | this Section, an operator may disclose covered information of a |
16 | | student, as long as subdivisions (1), (2), and (3) of |
17 | | subsection (a) of this Section are not violated, under the |
18 | | following circumstances: |
19 | | (1) If other provisions of federal or State law require |
20 | | the operator to disclose the information and the operator |
21 | | complies with the requirements of federal and State law in |
22 | | protecting and disclosing that information. |
23 | | (2) For legitimate research purposes (i) as required by |
24 | | State or federal law and subject to the restrictions under |
25 | | applicable State and federal law or (ii) as allowed by |
26 | | State or federal law and under the direction of a school or |
|
| | SB0776 | - 6 - | LRB099 03705 NHT 26058 b |
|
|
1 | | school district or the State Board of Education if no |
2 | | covered information is used in furtherance of advertising |
3 | | or to amass a profile on the student for purposes other |
4 | | than K-12 school purposes. |
5 | | (3) To a State or local educational agency, including |
6 | | schools and school districts, for K-12 school purposes, as |
7 | | permitted by State or federal law.
|
8 | | (e) Nothing in this Section prohibits an operator from |
9 | | using de-identified student covered information as follows:
|
10 | | (1) Within the operator's site, service, or |
11 | | application or other sites, services, or applications |
12 | | owned by the operator to improve educational products. |
13 | | (2) To demonstrate the effectiveness of the operator's |
14 | | products or services, including in their marketing. |
15 | | (f) Nothing in this Section prohibits an operator from |
16 | | sharing aggregated de-identified student covered information |
17 | | for the development and improvement of educational sites, |
18 | | services, or applications. |
19 | | Section 15. Construction and application of Act. |
20 | | (a) This Act shall not be construed to limit the authority |
21 | | of a law enforcement agency to obtain any content or |
22 | | information from an operator as authorized by law or pursuant |
23 | | to an order of a court of competent jurisdiction.
|
24 | | (b) This Act does not limit the ability of an operator to |
25 | | use student data, including covered information, for adaptive |
|
| | SB0776 | - 7 - | LRB099 03705 NHT 26058 b |
|
|
1 | | learning or customized student learning purposes. |
2 | | (c) This Act does not apply to general audience Internet |
3 | | websites, general audience online services, general audience |
4 | | online applications, or general audience mobile applications, |
5 | | even if login credentials created for an operator's site, |
6 | | service, or application may be used to access those general |
7 | | audience sites, services, or applications. |
8 | | (d) This Act does not limit Internet service providers from |
9 | | providing Internet connectivity to schools or students and |
10 | | their families. |
11 | | (e) This Act shall not be construed to prohibit an operator |
12 | | of an Internet website, online service, online application, or |
13 | | mobile application from marketing educational products |
14 | | directly to parents so long as the marketing did not result |
15 | | from the use of covered information obtained by the operator |
16 | | through the provision of services covered under this Act. |
17 | | (f) This Act does not impose a duty upon a provider of an |
18 | | electronic store, a gateway, a marketplace, or other means of |
19 | | purchasing or downloading software or applications to review or |
20 | | enforce compliance of this Act on those applications or |
21 | | software. |
22 | | (g) This Act does not impose a duty upon a provider of an |
23 | | interactive computer service, as defined in Section 230 of |
24 | | Title 47 of the United States Code, to review or enforce |
25 | | compliance with this Act by third-party content providers. |
26 | | (h) This Act does not impede the ability of students to |