|
| | 09900SB1393ham001 | - 2 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | districts. |
| 2 | | (2) Information generated by and about students in the |
| 3 | | course of and in connection with their education is |
| 4 | | critical to educators in helping students successfully |
| 5 | | graduate from high school and being ready to enter the |
| 6 | | workforce or postsecondary education. |
| 7 | | (3) While information generated by and about students |
| 8 | | in the course of and in connection with their education is |
| 9 | | important for educational purposes, it is also critically |
| 10 | | important to ensure that the information is protected, |
| 11 | | safeguarded, and kept private and used only by appropriate |
| 12 | | educational authorities or their permitted designees, and |
| 13 | | then only to serve the best interests of the student. |
| 14 | | To that end, this Act helps ensure that information |
| 15 | | generated by and about students in the course of and in |
| 16 | | connection with their education is protected and expectations |
| 17 | | of privacy are honored.
|
| 18 | | Section 10. Definitions. As used in this Act: |
| 19 | | "Biometric information" has the meaning ascribed to that |
| 20 | | term in Section 10-20.40 of the School Code. |
| 21 | | "Directory information" means any personally identifiable |
| 22 | | information that the State Board of Education has designated as |
| 23 | | directory information under Section 375.80 of Title 23 of the |
| 24 | | Illinois Administrative Code. |
| 25 | | "Educational online product" means an Internet website, |
|
| | 09900SB1393ham001 | - 3 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | online service, online application, cloud computing service, |
| 2 | | or mobile application that is designed and marketed or may |
| 3 | | reasonably be used for educational purposes. |
| 4 | | "Educational purposes" means any activity that is directed |
| 5 | | by an employee or agent of a school district with authority to |
| 6 | | give the direction and is intended to assist with the school |
| 7 | | district's educational curriculum. |
| 8 | | "Interactive computer service" means any service, system, |
| 9 | | or software provider that provides or enables multiple users |
| 10 | | access to a computer server, including a service or system that |
| 11 | | provides access to the Internet and systems or services offered |
| 12 | | by libraries or educational institutions. |
| 13 | | "Operator" means the owner or operator, or any agent |
| 14 | | thereof, of an educational online product or interactive |
| 15 | | computer service that may reasonably be used for educational |
| 16 | | purposes or was designed and marketed for educational purposes. |
| 17 | | For the purposes of this Act, the term "operator" shall not be |
| 18 | | construed to include any school district, or school district |
| 19 | | employee or agent acting on behalf of a school district |
| 20 | | employer, that operates or owns an educational online product |
| 21 | | that is solely used within the school district for educational |
| 22 | | purposes. |
| 23 | | "Personally identifiable information" means information |
| 24 | | that, alone or in combination, identifies an individual student |
| 25 | | with reasonable certainty or that is linked to information that |
| 26 | | identifies an individual student, including, but not limited |
|
| | 09900SB1393ham001 | - 4 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | to: (1) information in the student's school student record, |
| 2 | | student permanent record, or student temporary record, as those |
| 3 | | terms are defined in the Illinois School Student Records Act, |
| 4 | | or other educational record or electronic mail; (2) the |
| 5 | | student's first and last name or the name of the student's |
| 6 | | parent or guardian or other family members; (3) the home |
| 7 | | address of the student or student's family; (4) the telephone |
| 8 | | number of the student or student's family; (5) the electronic |
| 9 | | mail address of the student or student's family; (6) any other |
| 10 | | information that allows physical or online contact with the |
| 11 | | student; (7) discipline records; (8) test results; (9) data |
| 12 | | that is a part of or related to any individualized education |
| 13 | | program for such student; (10) juvenile dependency records; |
| 14 | | (11) grades; (12) evaluations; (13) criminal records; (14) |
| 15 | | medical records; (15) health records; (16) social security |
| 16 | | number or other personal identifiers; (17) biometric |
| 17 | | information; (18) disabilities; (19) socioeconomic |
| 18 | | information; (20) food purchases; (21) political affiliations; |
| 19 | | (22) religious information; (23) text messages; (24) |
| 20 | | documents; (25) student identifiers, such as date of birth, |
| 21 | | place of birth, and mother's maiden name; (26) search activity; |
| 22 | | (27) photos; (28) voice recordings; (29) geolocation |
| 23 | | information; (30) directory information; (31) online accounts; |
| 24 | | (32) other information that, alone or in combination, is linked |
| 25 | | or linkable to a specific student that would allow a reasonable |
| 26 | | person in the school community who does not have knowledge of |
|
| | 09900SB1393ham001 | - 5 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | the relevant circumstances to identify the student with |
| 2 | | reasonable certainty; or (33) information requested by a person |
| 3 | | whom the school district or an employee or agent of the school |
| 4 | | district reasonably believes knows the identity of the student |
| 5 | | to whom the information relates. |
| 6 | | "Service provider" means a person, subcontractor, agent, |
| 7 | | independent contractor, or other entity that provides a service |
| 8 | | to an operator or provides a service that enables users to |
| 9 | | access content, information, electronic mail, or other |
| 10 | | services offered over the Internet or a computer network. |
| 11 | | "Student data" means any information or record, including |
| 12 | | personally identifiable information, not otherwise available |
| 13 | | to the public that was collected or created by or otherwise |
| 14 | | provided to an operator, in any media or format, for or in |
| 15 | | connection with an educational purpose. "Student data" |
| 16 | | includes any aggregated information or records capable of being |
| 17 | | de-aggregated or reconstructed to the point that any student |
| 18 | | may be individually identified therefrom. |
| 19 | | "Targeted advertising" means presenting an advertisement |
| 20 | | to a student or group of students in which the advertisement is |
| 21 | | selected based on a known or assumed trait of the student or |
| 22 | | group of students or information obtained or inferred over time |
| 23 | | from that student's or group of students' online behavior; |
| 24 | | usage of online applications, educational online products, |
| 25 | | online services, cloud computing services, or mobile |
| 26 | | applications; or student data. Targeted advertising does not |
|
| | 09900SB1393ham001 | - 6 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | include information provided to a student for an educational |
| 2 | | purpose.
|
| 3 | | Section 15. Operator and service provider duties. |
| 4 | | (a) An operator or service provider shall not knowingly: |
| 5 | | (1) engage in targeted advertising based in whole or in |
| 6 | | part on any student data; |
| 7 | | (2) use data created or collected through the operation |
| 8 | | of educational online products or interactive services to |
| 9 | | amass a profile about a student, except in furtherance of |
| 10 | | specifically defined educational purposes that are set |
| 11 | | forth in writing as required by subsection (e) of this |
| 12 | | Section; |
| 13 | | (3) sell, rent, or provide student data to a third |
| 14 | | party, unless the data is part of assets being transferred |
| 15 | | during the purchase, merger, or other acquisition of an |
| 16 | | operator by another entity, provided that the successor |
| 17 | | entity agrees in writing to be subject to and bound by the |
| 18 | | provisions of this Act as though it were an operator with |
| 19 | | respect to the acquired student data and information; |
| 20 | | (4) exercise or claim any rights, implied or otherwise, |
| 21 | | to any student data, unless otherwise authorized by this |
| 22 | | Act; |
| 23 | | (5) disclose student data, unless the disclosure is |
| 24 | | made for the following purposes: |
| 25 | | (A) for legitimate research purposes, subject to |
|
| | 09900SB1393ham001 | - 7 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | and as allowed by federal law and in compliance with |
| 2 | | subsection (a) of Section 6 of the Illinois School |
| 3 | | Student Records Act, and under the direction of a |
| 4 | | school district, provided that the student data is not |
| 5 | | used for advertising or to amass a profile on the |
| 6 | | student or for any other purposes other than |
| 7 | | specifically defined educational purposes that are set |
| 8 | | forth in writing as required by subsection (e) of this |
| 9 | | Section; |
| 10 | | (B) in response to requests by a school district or |
| 11 | | State agency for personal information for educational |
| 12 | | purposes; |
| 13 | | (C) in response to legally permissible and |
| 14 | | authorized requests or orders by law enforcement |
| 15 | | agencies or courts of competent jurisdiction, as long |
| 16 | | as the operator complies with the requirements of |
| 17 | | federal and State law in protecting and disclosing that |
| 18 | | information; or |
| 19 | | (D) to a service provider, provided that the |
| 20 | | operator contractually: (i) prohibits the service |
| 21 | | provider from using any student data for any purpose |
| 22 | | prohibited by this Act; (ii) prohibits the service |
| 23 | | provider from disclosing any student data provided by |
| 24 | | the operator with subsequent third parties; and (iii) |
| 25 | | requires the service provider to implement and |
| 26 | | maintain reasonable security procedures and practices |
|
| | 09900SB1393ham001 | - 8 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | to ensure the confidentiality of the student data; or |
| 2 | | (6) subject to the provisions of subsection (e) of this |
| 3 | | Section, modify or otherwise alter the terms and conditions |
| 4 | | of any agreement with a school district related to student |
| 5 | | data without the express written consent of the school |
| 6 | | district. |
| 7 | | (b) An operator or service provider shall: |
| 8 | | (1) implement and maintain reasonable security |
| 9 | | procedures and practices appropriate to the nature of |
| 10 | | the student data that are designed to protect the |
| 11 | | information from unauthorized access, destruction, |
| 12 | | use, modification, or disclosure; and |
| 13 | | (2) delete student data within a reasonable period |
| 14 | | of time, not to exceed 60 days, upon written request by |
| 15 | | the school district, provided that the school district |
| 16 | | provides the student or the student's parent or legal |
| 17 | | guardian with written notice of the request and |
| 18 | | provides an opportunity to object. |
| 19 | | (c) Nothing in this Section shall be construed to prohibit |
| 20 | | an operator or service provider from: |
| 21 | | (1) using or sharing aggregated, de-identified student |
| 22 | | data that is not capable of being deaggregated or otherwise |
| 23 | | manipulated to allow for the identification of any |
| 24 | | individual student to maintain, develop, support, improve, |
| 25 | | or diagnose educational online products or interactive |
| 26 | | computer services; |
|
| | 09900SB1393ham001 | - 9 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | (2) using aggregated, de-identified student data that |
| 2 | | is not capable of being deaggregated or otherwise |
| 3 | | manipulated to allow for the identification of any |
| 4 | | individual student to demonstrate the effectiveness of |
| 5 | | educational online products or interactive computer |
| 6 | | services, including marketing; or |
| 7 | | (3) providing a response for a non-advertising, |
| 8 | | educational purpose to a student's request for information |
| 9 | | or feedback, provided that (i) the response is not |
| 10 | | determined in whole or in part by payment or other |
| 11 | | consideration from a third party, (ii) the operator does |
| 12 | | not receive any payment or other consideration upon a |
| 13 | | student selecting any information or responding to the |
| 14 | | request, and (iii) the operator does not keep a record or |
| 15 | | otherwise collect or retain data regarding a student's |
| 16 | | online activities over time or that links or otherwise ties |
| 17 | | the student to the request. |
| 18 | | (d) Nothing in this Section shall be construed to: |
| 19 | | (1) limit the authority of a law enforcement agency to |
| 20 | | obtain any content or information from an operator as |
| 21 | | authorized by law or pursuant to a court order; |
| 22 | | (2) limit the ability of a school district to authorize |
| 23 | | an operator to use student data for adaptive learning or |
| 24 | | customized student-learning purposes, provided it is done |
| 25 | | in a manner consistent with this Act; |
| 26 | | (3) limit service providers from providing Internet |
|
| | 09900SB1393ham001 | - 10 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | connectivity to schools or to students and the students' |
| 2 | | parents or legal guardians; |
| 3 | | (4) prohibit an operator from marketing educational |
| 4 | | products to general audiences, provided that the marketing |
| 5 | | is not based on any student data and does not constitute |
| 6 | | targeted advertising; |
| 7 | | (5) impose a duty upon a provider of an electronic |
| 8 | | store, gateway, marketplace, or other means of purchasing |
| 9 | | or downloading software or applications to review or |
| 10 | | enforce compliance with this Section on such software or |
| 11 | | applications, unless the provider is also an operator or |
| 12 | | affiliated with an operator, in which case the provider is |
| 13 | | required to comply with this Section with respect to |
| 14 | | software or applications offered by or otherwise provided |
| 15 | | by the operator or affiliate; |
| 16 | | (6) impose a duty upon a provider of an interactive |
| 17 | | computer service to review or enforce compliance with this |
| 18 | | Section by third-party content providers, unless the |
| 19 | | third-party content providers are affiliated with the |
| 20 | | interactive computer service, in which case the |
| 21 | | interactive computer service is required to comply with |
| 22 | | this Section with respect to software or applications |
| 23 | | offered or otherwise provided by those content providers; |
| 24 | | or |
| 25 | | (7) prohibit students from downloading, exporting, |
| 26 | | transferring, saving, or maintaining the student's own |
|
| | 09900SB1393ham001 | - 11 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | student data or documents, provided that an operator does |
| 2 | | not offer or receive any consideration from a student |
| 3 | | engaging in such an activity. |
| 4 | | (e) Any operator who seeks to receive any student data may |
| 5 | | do so only by entering into a written agreement with the |
| 6 | | applicable school district before any records may be released |
| 7 | | or transferred. |
| 8 | | (1) The agreement shall include, but not be limited to, |
| 9 | | all of the following: |
| 10 | | (A) Provisions consistent with the prohibitions or |
| 11 | | requirements of this Section. |
| 12 | | (B) A statement of the educational products or |
| 13 | | interactive computer services being provided. |
| 14 | | (C) A statement that the operator is acting as a |
| 15 | | school official with a legitimate educational |
| 16 | | interest, is performing an institutional service or |
| 17 | | function for which the school district would otherwise |
| 18 | | use employees, is under the direct control of the |
| 19 | | school district with respect to the use and maintenance |
| 20 | | of student data, and is using such student data only |
| 21 | | for an authorized purpose and will not redisclose it to |
| 22 | | third parties or affiliates unless otherwise permitted |
| 23 | | under this Act. |
| 24 | | (D) A description of the actions the operator will |
| 25 | | take, including a description of the training the |
| 26 | | operator will provide to anyone who will receive or |
|
| | 09900SB1393ham001 | - 12 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | have access to student data, to ensure the security and |
| 2 | | confidentiality of student data. Compliance with this |
| 3 | | subdivision (D) does not, in itself, absolve the |
| 4 | | operator of liability in the event of an unauthorized |
| 5 | | disclosure of student data. |
| 6 | | (E) A provision stating that (i) any dispute |
| 7 | | arising out of or otherwise connected to student data |
| 8 | | must be litigated using Illinois law, (ii) the proper |
| 9 | | venue is in the county in which the school district is |
| 10 | | located, and (iii) the court in the proper venue shall |
| 11 | | have jurisdiction over the operator. |
| 12 | | (F) A statement that the agreement is the entire |
| 13 | | agreement between the school district, including |
| 14 | | school district employees or agents and other users, |
| 15 | | and the operator. |
| 16 | | (2) The agreement shall not include any provisions that |
| 17 | | require a school district or its employees or agents to: |
| 18 | | (A) pay the operator's attorney's fees or costs in |
| 19 | | connection with any dispute arising out of or otherwise |
| 20 | | connected to student data, except in the case of |
| 21 | | willful or wanton conduct by a school district or its |
| 22 | | employees or agents, in which case indemnification by |
| 23 | | the school district may be permitted; or |
| 24 | | (B) arbitrate any dispute arising out of or |
| 25 | | otherwise connected to student data.
|
|
| | 09900SB1393ham001 | - 13 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | Section 20. Disclosure of student data by school district. |
| 2 | | A school district or its employees or agents shall only |
| 3 | | disclose student data in accordance with the provisions of this |
| 4 | | Section. |
| 5 | | Without prior written authorization from the school |
| 6 | | district in which an individual employee or agent works, no |
| 7 | | individual employee or agent of that school district may enter |
| 8 | | into any agreements with operators or service providers that |
| 9 | | concern the use of educational online products that utilize |
| 10 | | student data. If an operator enters into an agreement with any |
| 11 | | unauthorized individual employee or agent or other user, then |
| 12 | | the school district must have the authority to unilaterally |
| 13 | | cancel the agreement and require the operator or service |
| 14 | | provider to provide all collected student data to the school |
| 15 | | district or to delete it. |
| 16 | | The school district may disclose personally identifiable |
| 17 | | information or directory information if the student (if the |
| 18 | | student is an adult) or the student's parent or legal guardian |
| 19 | | (if the student is a minor) consents to the disclosure in |
| 20 | | writing. An operator may not solicit any student or parent or |
| 21 | | legal guardian to disclose student data.
|
| 22 | | Section 25. Collection of biometric information. No school |
| 23 | | district may collect biometric information from a student or |
| 24 | | use any device or mechanism to assess a student's physiological |
| 25 | | or emotional state, unless the student (if the student is an |
|
| | 09900SB1393ham001 | - 14 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | adult) or the student's parent or legal guardian (if student is |
| 2 | | a minor) consents in writing.
|
| 3 | | Section 30. Security breach. |
| 4 | | (a) Each school district must establish a policy for |
| 5 | | notifying students and parents of any security breach or |
| 6 | | unauthorized disclosure of student data by the school district |
| 7 | | or by an operator, service provider, or other entity or third |
| 8 | | party given access to student data or personally identifiable |
| 9 | | information of a student. |
| 10 | | (b) In the event of any security breach or unauthorized |
| 11 | | disclosure of any student data by an operator, service |
| 12 | | provider, or other entity or third party given access to |
| 13 | | student data or personally identifiable information of any |
| 14 | | student, the operator, service provider, or other entity or |
| 15 | | third party shall immediately notify any Illinois school |
| 16 | | district that has provided student data to the operator, |
| 17 | | service provider, or other entity or third party of the breach |
| 18 | | or unauthorized disclosure, investigate the causes and |
| 19 | | consequences of the breach or unauthorized disclosure, and |
| 20 | | reimburse the school district in full for all reasonable costs |
| 21 | | and expenses incurred by the school district as a result of the |
| 22 | | breach, including (i) providing notification to students, |
| 23 | | parents, and guardians; (ii) providing at least one year's |
| 24 | | credit monitoring to impacted students; and (iii) paying all |
| 25 | | legal fees, costs, fines, and damages imposed against the |
|
| | 09900SB1393ham001 | - 15 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | school district as a result of the breach. |
| 2 | | (c) In the event of a security breach or unauthorized |
| 3 | | disclosure of student data by a school district, State agency, |
| 4 | | or other third party not covered by subsection (b) of this |
| 5 | | Section and given access to student data or personally |
| 6 | | identifiable information of any student, the school district, |
| 7 | | State agency, or other third party shall immediately notify |
| 8 | | each affected student (if the student is an adult) or the |
| 9 | | student's parent or legal guardian (if the student is a minor) |
| 10 | | of the breach or unauthorized disclosure and investigate the |
| 11 | | causes and consequences of the breach or unauthorized |
| 12 | | disclosure.
|
| 13 | | Section 35. Rulemaking; notice. |
| 14 | | (a) The State Board of Education shall adopt rules in |
| 15 | | accordance with this Act and applicable federal and State laws |
| 16 | | and rules to protect the right of privacy of any student and |
| 17 | | his or her family regarding personally identifiable records, |
| 18 | | files, and data directly related to the student by January 1, |
| 19 | | 2018. The rules shall provide for: |
| 20 | | (1) means by which any student (if the student is an |
| 21 | | adult) or the student's parent or guardian (if the student |
| 22 | | is a minor) may inspect and review any records or files |
| 23 | | directly related to the student; |
| 24 | | (2) restricting the accessibility and availability of |
| 25 | | any personally identifiable information in records or |
|
| | 09900SB1393ham001 | - 16 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | files of any student and preventing disclosure thereof |
| 2 | | unless made upon written consent of such student (if the |
| 3 | | student is an adult) or the student's parent or guardian |
| 4 | | (if the student is a minor); and |
| 5 | | (3) which employees or agents may bind the school |
| 6 | | district to the terms of any written agreements, not |
| 7 | | including electronic, click-through, or click-wrap |
| 8 | | agreements, which agreements may not be entered into with a |
| 9 | | school district. |
| 10 | | (b) The State Board of Education must create a model notice |
| 11 | | that school districts shall annually provide to parents, legal |
| 12 | | guardians, and students that student data may be disclosed in |
| 13 | | accordance with this Act. The notice shall be signed by the |
| 14 | | student (if the student is an adult) or by the student's parent |
| 15 | | or legal guardian (if the student is a minor) and maintained on |
| 16 | | file with the school district. The notice must provide what |
| 17 | | types of student data are collected and shared with operators |
| 18 | | or service providers and the purpose for collection or use.
|
| 19 | | Section 40. Enforcement. |
| 20 | | (a) Any person aggrieved by any violation of this Act may |
| 21 | | institute an action for injunctive relief in the circuit court |
| 22 | | of the county in which the violation has occurred or the |
| 23 | | circuit court of any of the counties in which the school |
| 24 | | district is located. |
| 25 | | (b) Any person injured by a willful or negligent violation |
|
| | 09900SB1393ham001 | - 17 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | of this Act may institute an action for damages in the circuit |
| 2 | | court of the county in which the violation has occurred or the |
| 3 | | circuit court of any of the counties in which the school |
| 4 | | district is located. |
| 5 | | (c) In the case of any successful action under subsection |
| 6 | | (a) or (b) of this Section, any person or entity found to have |
| 7 | | willfully or negligently violated any provision of this Act is |
| 8 | | liable to the plaintiff for the plaintiff's damages, the costs |
| 9 | | of the action, and reasonable attorney's fees, as determined by |
| 10 | | the court. |
| 11 | | (d) Actions for injunctive relief to secure compliance with |
| 12 | | this Act may be brought by the State Board of Education, by the |
| 13 | | State's Attorney of the county in which the alleged violation |
| 14 | | has occurred, or by the State's Attorney of any of the counties |
| 15 | | in which the school district is located, in each case in the |
| 16 | | circuit court of such county. |
| 17 | | (e) Willful failure to comply with any Section of this Act |
| 18 | | is a petty offense.
|
| 19 | | Section 95. The Children's Privacy Protection and Parental |
| 20 | | Empowerment Act is amended by changing Section 5 as follows:
|
| 21 | | (325 ILCS 17/5)
|
| 22 | | Sec. 5. Definitions. As used in this Act:
|
| 23 | | "Child" means a person under the age of 18 16. "Child" does |
| 24 | | not include a minor
emancipated by operation of law.
|
|
| | 09900SB1393ham001 | - 18 - | LRB099 08398 MLM 51831 a |
|
|
| 1 | | "Parent" means a parent, step-parent, or legal guardian.
|
| 2 | | "Personal information" means any of the following:
|
| 3 | | (1) A person's name.
|
| 4 | | (2) A person's address.
|
| 5 | | (3) A person's telephone number.
|
| 6 | | (4) A person's driver's license number or State of |
| 7 | | Illinois identification
card as
assigned by the Illinois |
| 8 | | Secretary of State or by a similar agency of another
state.
|
| 9 | | (5) A person's social security number.
|
| 10 | | (6) Any other information that can be used to locate or |
| 11 | | contact a specific
individual.
|
| 12 | | "Personal information" does not include any of the
|
| 13 | | following:
|
| 14 | | (1) Public records as defined by Section 2 of the |
| 15 | | Freedom of Information
Act.
|
| 16 | | (2) Court records.
|
| 17 | | (3) Information found in publicly available sources, |
| 18 | | including newspapers,
magazines, and telephone |
| 19 | | directories.
|
| 20 | | (4) Any other information that is not known to concern |
| 21 | | a child.
|
| 22 | | (Source: P.A. 93-462, eff. 1-1-04.)".
|