99TH GENERAL ASSEMBLY
State of Illinois
2015 and 2016
SB0775

 

Introduced 2/4/2015, by Sen. Michael Connelly

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Higher Education Student Online Personal Information Protection Act. Provides that the operator of an Internet website, online service, online application, or mobile application used primarily for higher education purposes and designed and marketed for higher education purposes shall not knowingly (1) engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information that the operator has acquired because of the use of that operator's site, service, or application; (2) use information created or gathered by the operator's site, service, or application to amass a profile about a student, except in furtherance of higher education purposes; (3) sell a student's information; or (4) disclose covered information, as defined in the Act, without a student's consent. Sets forth exceptions and other provisions concerning the construction and application of the Act. Effective January 1, 2016.


LRB099 03706 NHT 26059 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

SB0775LRB099 03706 NHT 26059 b

1    AN ACT concerning education.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the Higher
5Education Student Online Personal Information Protection Act.
 
6    Section 5. Definitions. In this Act:
7    "Covered information" means personally identifiable
8information or materials, in any media or format, that meets
9any of the following:
10        (1) Is created or provided by a student to an operator
11    in the course of the student's use of the operator's site,
12    service, or application for higher education purposes.
13        (2) Is created or provided by an employee or agent of a
14    school to an operator.
15        (3) Is gathered by an operator through the operation of
16    a site, service, or application described in the definition
17    of "operator" under this Section and is descriptive of a
18    student or otherwise identifies a student, including
19    without limitation information in the student's
20    educational record or e-mail, first and last name, home
21    address, telephone number, e-mail address, or other
22    information that allows physical or online contact,
23    discipline records, test results, grades, evaluations,

 

 

SB0775- 2 -LRB099 03706 NHT 26059 b

1    criminal records, medical records, health records, social
2    security number, biometric information, disabilities,
3    socioeconomic information, food purchases, political
4    affiliations, religious information, text messages,
5    documents, student identifiers, search activity, photos,
6    voice recordings, or geolocation information.
7    "Higher education purposes" means purposes that
8customarily take place at the direction of a higher education
9school or instructor or aid in the administration of school
10activities, including without limitation instruction in the
11classroom or at home, administrative activities, and
12collaboration between students or school personnel, or are for
13the use and benefit of a school.
14    "Online service" includes cloud computing services, which
15must comply with this Act if they otherwise meet the definition
16of an operator.
17    "Operator" means the operator of an Internet website,
18online service, online application, or mobile application with
19actual knowledge that the site, service, or application is used
20primarily for higher education purposes and was designed and
21marketed for higher education purposes.
22    "School" means a public university or public community
23college located in this State.
 
24    Section 10. Prohibited activities and duties of operators.
25    (a) An operator shall not knowingly engage in any of the

 

 

SB0775- 3 -LRB099 03706 NHT 26059 b

1following activities with respect to its site, service, or
2application without a student's consent:
3        (1) Engage in targeted advertising on the operator's
4    site, service, or application or target advertising on any
5    other site, service, or application when the targeting of
6    the advertising is based upon any information, including
7    covered information and persistent unique identifiers,
8    that the operator has acquired because of the use of that
9    operator's site, service, or application described in the
10    definition of "operator" under Section 5 of this Act.
11        (2) Use information, including persistent unique
12    identifiers, created or gathered by the operator's site,
13    service, or application, to amass a profile about a
14    student, except in furtherance of higher education
15    purposes.
16        (3) Sell a student's information, including covered
17    information. The prohibition under this subdivision (3)
18    does not apply to the purchase, merger, or other type of
19    acquisition of an operator by another entity, provided that
20    the operator or successor entity continues to be subject to
21    the provisions of this Act with respect to previously
22    acquired student information.
23        (4) Disclose covered information, unless the
24    disclosure is made:
25            (A) in furtherance of the higher education
26        purposes of the site, service, or application,

 

 

SB0775- 4 -LRB099 03706 NHT 26059 b

1        provided that the recipient of the covered information
2        disclosed pursuant to this subdivision (4) (i) shall
3        not further disclose the information unless done to
4        allow or improve operability and functionality within
5        that student's classroom or school and (ii) is legally
6        required to comply with subsection (c) of this Section;
7            (B) to ensure legal and regulatory compliance;
8            (C) to respond to or participate in the judicial
9        process;
10            (D) to protect the safety of users or others or the
11        security of the site; or
12            (E) to a service provider, provided that the
13        operator contractually (i) prohibits the service
14        provider from using any covered information for any
15        purpose other than providing the contracted service to
16        or on behalf of the operator, (ii) prohibits the
17        service provider from disclosing any covered
18        information provided by the operator with subsequent
19        third parties, and (iii) requires the service provider
20        to implement and maintain reasonable security
21        procedures and practices as provided in subsection (c)
22        of this Section.
23    (b) Nothing in subsection (a) of this Section shall be
24construed to prohibit the operator's use of information for
25maintaining, developing, supporting, improving, or diagnosing
26the operator's site, service, or application.

 

 

SB0775- 5 -LRB099 03706 NHT 26059 b

1    (c) An operator shall do both of the following:
2        (1) Implement and maintain reasonable security
3    procedures and practices appropriate to the nature of the
4    covered information and protect that information from
5    unauthorized access, destruction, use, modification, or
6    disclosure.
7        (2) Delete a student's covered information if the
8    school requests deletion of data under the control of the
9    school.
10    (d) Notwithstanding subdivision (4) of subsection (a) of
11this Section, an operator may disclose covered information of a
12student, as long as subdivisions (1), (2), and (3) of
13subsection (a) of this Section are not violated, under the
14following circumstances:
15        (1) If other provisions of federal or State law require
16    the operator to disclose the information and the operator
17    complies with the requirements of federal and State law in
18    protecting and disclosing that information.
19        (2) For legitimate research purposes (i) as required by
20    State or federal law and subject to the restrictions under
21    applicable State and federal law or (ii) as allowed by
22    State or federal law and under the direction of a school or
23    the Board of Higher Education if no covered information is
24    used in furtherance of advertising or to amass a profile on
25    the student for purposes other than higher education
26    purposes.

 

 

SB0775- 6 -LRB099 03706 NHT 26059 b

1        (3) To a State agency or school, for higher education
2    purposes, as permitted by State or federal law.
3    (e) Nothing in this Section prohibits an operator from
4using de-identified student covered information as follows:
5        (1) Within the operator's site, service, or
6    application or other sites, services, or applications
7    owned by the operator to improve educational products.
8        (2) To demonstrate the effectiveness of the operator's
9    products or services, including in their marketing.
10    (f) Nothing in this Section prohibits an operator from
11sharing aggregated de-identified student covered information
12for the development and improvement of educational sites,
13services, or applications.
 
14    Section 15. Construction and application of Act.
15    (a) This Act shall not be construed to limit the authority
16of a law enforcement agency to obtain any content or
17information from an operator as authorized by law or pursuant
18to an order of a court of competent jurisdiction.
19    (b) This Act does not limit the ability of an operator to
20use student data, including covered information, for adaptive
21learning or customized student learning purposes.
22    (c) This Act does not apply to general audience Internet
23websites, general audience online services, general audience
24online applications, or general audience mobile applications,
25even if login credentials created for an operator's site,

 

 

SB0775- 7 -LRB099 03706 NHT 26059 b

1service, or application may be used to access those general
2audience sites, services, or applications.
3    (d) This Act does not limit Internet service providers from
4providing Internet connectivity to schools or students.
5    (e) This Act shall not be construed to prohibit an operator
6of an Internet website, online service, online application, or
7mobile application from marketing educational products
8directly to students so long as the marketing did not result
9from the use of covered information obtained by the operator
10through the provision of services covered under this Act.
11    (f) This Act does not impose a duty upon a provider of an
12electronic store, a gateway, a marketplace, or other means of
13purchasing or downloading software or applications to review or
14enforce compliance of this Act on those applications or
15software.
16    (g) This Act does not impose a duty upon a provider of an
17interactive computer service, as defined in Section 230 of
18Title 47 of the United States Code, to review or enforce
19compliance with this Act by third-party content providers.
20    (h) This Act does not impede the ability of students to
21download, export, or otherwise save or maintain their own
22student-created data or documents.
 
23    Section 97. Severability. The provisions of this Act are
24severable under Section 1.31 of the Statute on Statutes.
 
25    Section 99. Effective date. This Act takes effect January

 

 

SB0775- 8 -LRB099 03706 NHT 26059 b

11, 2016.