Full Text of HB3606 101st General Assembly
HB3606eng 101ST GENERAL ASSEMBLY |
| | HB3606 Engrossed | | LRB101 09053 AXK 54146 b |
|
| 1 | | AN ACT concerning education.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The Student Online Personal Protection Act is | 5 | | amended by changing Sections 5, 10, and 15 and by adding | 6 | | Sections 26, 27, 28, and 33 as follows: | 7 | | (105 ILCS 85/5)
| 8 | | Sec. 5. Definitions. In this Act: | 9 | | "Breach" means the unauthorized disclosure of data or | 10 | | unauthorized provision of physical or electronic means of | 11 | | gaining access to data that compromises the security, | 12 | | confidentiality, or integrity of covered information. | 13 | | "Covered information" means personally identifiable | 14 | | information or material or information that is linked to | 15 | | personally identifiable information or material in any media or | 16 | | format that is not publicly available and is any of the | 17 | | following: | 18 | | (1) Created by or provided to an operator by a student | 19 | | or the student's parent or legal guardian in the course of | 20 | | the student's, parent's, or legal guardian's use of the | 21 | | operator's site, service, or application for K through 12 | 22 | | school purposes. | 23 | | (2) Created by or provided to an operator by an |
| | | HB3606 Engrossed | - 2 - | LRB101 09053 AXK 54146 b |
|
| 1 | | employee or agent of a school or school district for K | 2 | | through 12 school purposes. | 3 | | (3) Gathered by an operator through the operation of | 4 | | its site, service, or application for K through 12 school | 5 | | purposes and personally identifies a student, including, | 6 | | but not limited to, information in the student's | 7 | | educational record or electronic mail, first and last name, | 8 | | home address, telephone number, electronic mail address, | 9 | | or other information that allows physical or online | 10 | | contact, discipline records, test results, special | 11 | | education data, juvenile dependency records, grades, | 12 | | evaluations, criminal records, medical records, health | 13 | | records, a social security number, biometric information, | 14 | | disabilities, socioeconomic information, food purchases, | 15 | | political affiliations, religious information, text | 16 | | messages, documents, student identifiers, search activity, | 17 | | photos, voice recordings, or geolocation information. | 18 | | "Interactive computer service" has the meaning ascribed to | 19 | | that term in Section 230 of the federal Communications Decency | 20 | | Act of 1996 (47 U.S.C. 230). | 21 | | "K through 12 school purposes" means purposes that are | 22 | | directed by or that customarily take place at the direction of | 23 | | a school, teacher, or school district; aid in the | 24 | | administration of school activities, including, but not | 25 | | limited to, instruction in the classroom or at home, | 26 | | administrative activities, and collaboration between students, |
| | | HB3606 Engrossed | - 3 - | LRB101 09053 AXK 54146 b |
|
| 1 | | school personnel, or parents; or are otherwise for the use and | 2 | | benefit of the school. | 3 | | "Longitudinal data system" has the meaning given to that | 4 | | term under the P-20 Longitudinal Education Data System Act. | 5 | | "Operator" means, to the extent that an entity is operating | 6 | | in this capacity, the operator of an Internet website, online | 7 | | service, online application, or mobile application with actual | 8 | | knowledge that the site, service, or application is used | 9 | | primarily for K through 12 school purposes and was designed and | 10 | | marketed for K through 12 school purposes. | 11 | | "Parent" has the meaning given to that term under the | 12 | | Illinois School Student Records Act. | 13 | | "School" means (1) any preschool, public kindergarten, | 14 | | elementary or secondary educational institution, vocational | 15 | | school, special educational facility, or any other elementary | 16 | | or secondary educational agency or institution or (2) any | 17 | | person, agency, or institution that maintains school student | 18 | | records from more than one school. Except as otherwise provided | 19 | | in this Act, "school" "School" includes a private or nonpublic | 20 | | school. | 21 | | "State Board" means the State Board of Education. | 22 | | "Student" has the meaning given to that term under the | 23 | | Illinois School Student Records Act. | 24 | | "Targeted advertising" means presenting advertisements to | 25 | | a student where the advertisement is selected based on | 26 | | information obtained or inferred over time from that student's |
| | | HB3606 Engrossed | - 4 - | LRB101 09053 AXK 54146 b |
|
| 1 | | online behavior, usage of applications, or covered | 2 | | information. The term does not include advertising to a student | 3 | | at an online location based upon that student's current visit | 4 | | to that location or in response to that student's request for | 5 | | information or feedback, without the retention of that | 6 | | student's online activities or requests over time for the | 7 | | purpose of targeting subsequent ads.
| 8 | | (Source: P.A. 100-315, eff. 8-24-17.) | 9 | | (105 ILCS 85/10)
| 10 | | Sec. 10. Operator prohibitions. An operator shall not | 11 | | knowingly do any of the following: | 12 | | (1) Engage in targeted advertising on the operator's | 13 | | site, service, or application or target advertising on any | 14 | | other site, service, or application if the targeting of the | 15 | | advertising is based on any information, including covered | 16 | | information and persistent unique identifiers, that the | 17 | | operator has acquired because of the use of that operator's | 18 | | site, service, or application for K through 12 school | 19 | | purposes. | 20 | | (2) Use information, including persistent unique | 21 | | identifiers, created or gathered by the operator's site, | 22 | | service, or application to amass a profile about a student, | 23 | | except in furtherance of K through 12 school purposes. | 24 | | "Amass a profile" does not include the collection and | 25 | | retention of account information that remains under the |
| | | HB3606 Engrossed | - 5 - | LRB101 09053 AXK 54146 b |
|
| 1 | | control of the student, the student's parent or legal | 2 | | guardian, or the school. | 3 | | (3) Sell or rent a student's information, including | 4 | | covered information. This subdivision (3) does not apply to | 5 | | the purchase, merger, or other type of acquisition of an | 6 | | operator by another entity if the operator or successor | 7 | | entity complies with this Act regarding previously | 8 | | acquired student information. | 9 | | (4) Except as otherwise provided in Section 20 of this | 10 | | Act, disclose covered information, unless the disclosure | 11 | | is made for the following purposes: | 12 | | (A) In furtherance of the K through 12 school | 13 | | purposes of the site, service, or application if the | 14 | | recipient of the covered information disclosed under | 15 | | this clause (A) does not further disclose the | 16 | | information, unless done to allow or improve | 17 | | operability and functionality of the operator's site, | 18 | | service, or application. | 19 | | (B) To ensure legal and regulatory compliance or | 20 | | take precautions
against liability. | 21 | | (C) To respond to the judicial process. | 22 | | (D) To protect the safety or integrity of users of | 23 | | the site or others or the security of the site, | 24 | | service, or application. | 25 | | (E) For a school, educational, or employment | 26 | | purpose requested by the student or the student's |
| | | HB3606 Engrossed | - 6 - | LRB101 09053 AXK 54146 b |
|
| 1 | | parent or legal guardian, provided that the | 2 | | information is not used or further disclosed for any | 3 | | other purpose. | 4 | | (F) To a third party if the operator contractually | 5 | | prohibits the third party from using any covered | 6 | | information for any purpose other than providing the | 7 | | contracted service to or on behalf of the operator, | 8 | | prohibits the third party from disclosing any covered | 9 | | information provided by the operator with subsequent | 10 | | third parties, and requires the third party to | 11 | | implement and maintain reasonable security procedures | 12 | | and practices as required under Section 15 . | 13 | | Nothing in this Section prohibits the operator's use of | 14 | | information for maintaining, developing, supporting, | 15 | | improving, or diagnosing the operator's site, service, or | 16 | | application.
| 17 | | (Source: P.A. 100-315, eff. 8-24-17.) | 18 | | (105 ILCS 85/15)
| 19 | | Sec. 15. Operator duties. An operator shall do the | 20 | | following: | 21 | | (1) Implement and maintain reasonable security | 22 | | procedures and practices appropriate to the nature of the | 23 | | covered information and designed to protect that covered | 24 | | information from unauthorized access, destruction, use, | 25 | | modification, or disclosure that, based on the sensitivity |
| | | HB3606 Engrossed | - 7 - | LRB101 09053 AXK 54146 b |
|
| 1 | | of the data and the risk from unauthorized access, (i) use | 2 | | technologies and methodologies that are consistent with | 3 | | the U.S. Department of Commerce's National Institute of | 4 | | Standards and Technology's Framework for Improving | 5 | | Critical Infrastructure Cybersecurity Version 1.1 and any | 6 | | updates to it or (ii) maintain technical safeguards as they | 7 | | relate to the possession of covered information in a manner | 8 | | consistent with the provisions of 45 CFR 164.312 . | 9 | | (2) Delete, within a reasonable time period, a | 10 | | student's covered information if the school or school | 11 | | district requests deletion of covered information under | 12 | | the control of the school or school district, unless a | 13 | | student or his or her parent or legal guardian consents to | 14 | | the maintenance of the covered information. | 15 | | (3) Publicly disclose material information about its | 16 | | collection, use, and disclosure of covered information, | 17 | | including, but not limited to, publishing a terms of | 18 | | service agreement, privacy policy, or similar document. | 19 | | (4) Except for a nonpublic school, for any operator who | 20 | | seeks to receive from a school, school district, or the | 21 | | State Board in any manner any covered information, enter | 22 | | into a written agreement with the school, school district, | 23 | | or State Board before the covered information may be | 24 | | transferred. The written agreement may be created in | 25 | | electronic form and signed with an electronic or digital | 26 | | signature or may be a click wrap agreement that is used |
| | | HB3606 Engrossed | - 8 - | LRB101 09053 AXK 54146 b |
|
| 1 | | with software licenses, downloaded or online applications | 2 | | and transactions for educational technologies, or other | 3 | | technologies in which a user must agree to terms and | 4 | | conditions before using the product or service. The written | 5 | | agreement must contain all of the following: | 6 | | (A) A listing of the categories or types of covered | 7 | | information to be provided to the operator. | 8 | | (B) A statement of the product or service being | 9 | | provided to the school by the operator. | 10 | | (C) A statement that the operator is acting as a | 11 | | school official with a legitimate educational | 12 | | interest, is performing an institutional service or | 13 | | function for which the school would otherwise use | 14 | | employees, under the direct control of the school, with | 15 | | respect to the use and maintenance of covered | 16 | | information, and is using the covered information only | 17 | | for an authorized purpose and may not re-disclose it to | 18 | | third parties or affiliates, unless otherwise | 19 | | permitted under this Act, without permission from the | 20 | | school or pursuant to court order. | 21 | | (D) A description of how, if a breach is attributed | 22 | | to the operator, any costs and expenses incurred by the | 23 | | school in investigating and remediating the breach | 24 | | will be allocated between the operator and the school. | 25 | | The costs and expenses may include, but are not limited | 26 | | to: |
| | | HB3606 Engrossed | - 9 - | LRB101 09053 AXK 54146 b |
|
| 1 | | (i) providing notification to the parents of | 2 | | those students whose covered information was | 3 | | compromised and to regulatory agencies or other | 4 | | entities as required by law or contract; | 5 | | (ii) providing credit monitoring to those | 6 | | students whose covered information was exposed in | 7 | | a manner during the breach that a reasonable person | 8 | | would believe that it could impact his or her | 9 | | credit or financial security; | 10 | | (iii) legal fees, audit costs, fines, and any | 11 | | other fees or damages imposed against the school as | 12 | | a result of the security breach; and | 13 | | (iv) providing any other notifications or | 14 | | fulfilling any other requirements adopted by the | 15 | | State Board or of any other State or federal laws. | 16 | | (E) A statement that the operator must delete or | 17 | | transfer to the school all covered information if the | 18 | | information is no longer needed for the purposes of the | 19 | | written agreement and to specify the time period in | 20 | | which the information must be deleted or transferred | 21 | | once the operator is made aware that the information is | 22 | | no longer needed for the purposes of the written | 23 | | agreement. | 24 | | (F) A statement that the school must publish the | 25 | | written agreement on the school's website. If mutually | 26 | | agreed upon by the school and the operator, provisions |
| | | HB3606 Engrossed | - 10 - | LRB101 09053 AXK 54146 b |
|
| 1 | | of the written agreement, other than those under | 2 | | subparagraphs (A), (B), and (C), may be redacted in the | 3 | | copy of the written agreement published on the school's | 4 | | website. | 5 | | (5) In case of any breach, within the most expedient | 6 | | time possible and without unreasonable delay, but no later | 7 | | than 30 calendar days after the determination that a breach | 8 | | has occurred, notify the school of any breach of the | 9 | | students' covered information.
| 10 | | (Source: P.A. 100-315, eff. 8-24-17.) | 11 | | (105 ILCS 85/26 new) | 12 | | Sec. 26. School prohibitions. A school may not do either of | 13 | | the following: | 14 | | (1) Sell, rent, lease, or trade covered information. | 15 | | (2) Share, transfer, disclose, or provide access to a | 16 | | student's covered information to an entity or individual, | 17 | | other than the student's parent or the State Board, without | 18 | | a written agreement, unless the disclosure or transfer is: | 19 | | (A) to the extent permitted by federal law, to law | 20 | | enforcement officials to protect the safety of users or | 21 | | others or the security or integrity of the operator's | 22 | | service; | 23 | | (B) required by court order or State or federal | 24 | | law; or | 25 | | (C) to ensure legal or regulatory compliance. |
| | | HB3606 Engrossed | - 11 - | LRB101 09053 AXK 54146 b |
|
| 1 | | This paragraph (2) does not apply to nonpublic schools. | 2 | | (105 ILCS 85/27 new) | 3 | | Sec. 27. School duties. | 4 | | (a) Each school shall post and maintain on its website all | 5 | | of the following information: | 6 | | (1) An explanation, that is clear and understandable by | 7 | | a layperson, of the data elements of covered information | 8 | | that the school collects, maintains, or discloses to any | 9 | | person, entity, third party, or governmental agency. The | 10 | | information must explain how the school uses, to whom or | 11 | | what entities it discloses, and for what purpose it | 12 | | discloses the covered information. | 13 | | (2) A list of operators that the school has written | 14 | | agreements with, a copy of each written agreement, and a | 15 | | business address for each operator. | 16 | | (3) For each operator, a list of any subcontractors to | 17 | | whom covered information may be disclosed under Section 15. | 18 | | (4) A written description of the procedures that a | 19 | | parent may use to carry out the rights enumerated under | 20 | | Section 33. | 21 | | (5) A list of any breaches of covered information | 22 | | maintained by the school or breaches under Section 15 that | 23 | | includes, but is not limited to, all of the following | 24 | | information: | 25 | | (A) The number of students whose covered |
| | | HB3606 Engrossed | - 12 - | LRB101 09053 AXK 54146 b |
|
| 1 | | information is involved in the breach. | 2 | | (B) The date, estimated date, or estimated date | 3 | | range of the breach. | 4 | | (C) For a breach under Section 15, the name of the | 5 | | operator. | 6 | | The school must, at a minimum, update the items under | 7 | | paragraphs (1), (3), (4), and (5) no later than 30 calendar | 8 | | days following the start of a school year and no later than 30 | 9 | | days following the beginning of a calendar year. | 10 | | (b) Each school must adopt a policy designating which | 11 | | school employees are authorized to enter into written | 12 | | agreements with operators. This subsection may not be construed | 13 | | to limit individual school employees outside of the scope of | 14 | | their employment from entering into agreements with operators | 15 | | on their own behalf and for non-K through 12 school purposes, | 16 | | provided that no covered information is provided to the | 17 | | operators. Any agreement or contract entered into in violation | 18 | | of this Act is void and unenforceable as against public policy. | 19 | | (c) A school must post on its website each written | 20 | | agreement entered into under this Act, along with any | 21 | | information required under subsection (a), no later than 5 | 22 | | business days after entering into the agreement. | 23 | | (d) After receipt of notice of a breach under Section 15 or | 24 | | determination of a breach of covered information maintained by | 25 | | the school, a school shall electronically notify, no later than | 26 | | 30 calendar days after receipt of the notice or determination |
| | | HB3606 Engrossed | - 13 - | LRB101 09053 AXK 54146 b |
|
| 1 | | that a breach has occurred, the parent of any student whose | 2 | | covered information is involved in the breach. The notification | 3 | | must include, but is not limited to, all of the following: | 4 | | (1) The date, estimated date, or estimated date range | 5 | | of the breach. | 6 | | (2) A description of the covered information that was | 7 | | compromised or reasonably believed to have been | 8 | | compromised in the breach. | 9 | | (3) Information that the parent may use to contact the | 10 | | operator and school to inquire about the breach. | 11 | | (4) The toll-free numbers, addresses, and websites for | 12 | | consumer reporting agencies. | 13 | | (5) The toll-free number, address, and website for the | 14 | | Federal Trade Commission. | 15 | | (6) A statement that the parent may obtain information | 16 | | from the Federal Trade Commission and consumer reporting | 17 | | agencies about fraud alerts and security freezes. | 18 | | (e) Each school must implement and maintain security | 19 | | procedures and practices designed to protect covered | 20 | | information from unauthorized access, destruction, use, | 21 | | modification, or disclosure that, based on the sensitivity of | 22 | | the covered information and the risk from unauthorized access, | 23 | | (i) use technologies and methodologies that are consistent with | 24 | | the U.S. Department of Commerce's National Institute of | 25 | | Standards and Technology's Framework for Improving Critical | 26 | | Infrastructure Cybersecurity Version 1.1 and any updates to it |
| | | HB3606 Engrossed | - 14 - | LRB101 09053 AXK 54146 b |
|
| 1 | | or (ii) maintain technical safeguards as they relate to the | 2 | | possession of student records in a manner consistent with the | 3 | | provisions of 45 CFR 164.312. | 4 | | (f) Each school shall designate an appropriate staff person | 5 | | as a privacy officer, who may also be an official records | 6 | | custodian as designated under the Illinois School Student | 7 | | Records Act, to carry out the duties and responsibilities | 8 | | assigned to schools and to ensure compliance with the | 9 | | requirements of this Section and Section 26. | 10 | | (g) A school shall make a request, pursuant to paragraph | 11 | | (2) of Section 15, to an operator to delete covered information | 12 | | on behalf of a student's parent if the parent requests from the | 13 | | school that the student's covered information held by the | 14 | | operator be deleted, so long as the deletion of the covered | 15 | | information is not in violation of the Illinois School Student | 16 | | Records Act. | 17 | | (h) This Section does not apply to nonpublic schools. | 18 | | (105 ILCS 85/28 new) | 19 | | Sec. 28. State Board duties. | 20 | | (a) The State Board may not sell, rent, lease, or trade | 21 | | covered information. | 22 | | (b) The State Board may not share, transfer, disclose, or | 23 | | provide covered information to an entity or individual without | 24 | | a contract or written agreement, except for disclosures | 25 | | required by federal law to federal agencies. |
| | | HB3606 Engrossed | - 15 - | LRB101 09053 AXK 54146 b |
|
| 1 | | (c) At least twice annually, the State Board must publish | 2 | | and maintain on its website a list of all of the entities or | 3 | | individuals, including, but not limited to, operators, | 4 | | individual researchers, research organizations, institutions | 5 | | of higher education, or government agencies, that the State | 6 | | Board contracts with or has agreements with and that hold | 7 | | covered information and a copy of each contract or agreement. | 8 | | The list must include all of the following information: | 9 | | (1) The name of the entity or individual. In naming an | 10 | | individual, the list must include the entity that sponsors | 11 | | the individual or with which the individual is affiliated, | 12 | | if any. If the individual is conducting research at an | 13 | | institution of higher education, the list may include the | 14 | | name of that institution and a contact person in the | 15 | | department that is associated with the research in lieu of | 16 | | the name of the researcher. If the entity is an operator, | 17 | | the list must include its business address. | 18 | | (2) The purpose and scope of the contract or agreement. | 19 | | (3) The duration of the contract or agreement. | 20 | | (4) The types of covered information that the entity or | 21 | | individual holds under the contract or agreement. | 22 | | (5) The use of the covered information under the | 23 | | contract or agreement. | 24 | | (6) The length of time for which the entity or | 25 | | individual may hold the covered information. | 26 | | (7) A list of any subcontractors to whom covered |
| | | HB3606 Engrossed | - 16 - | LRB101 09053 AXK 54146 b |
|
| 1 | | information may be disclosed under Section 15. | 2 | | (d) The State Board shall create, publish, and make | 3 | | publicly available an inventory, along with a dictionary or | 4 | | index of data elements and their definitions, of covered | 5 | | information collected or maintained by the State Board, | 6 | | including, but not limited to, both of the following: | 7 | | (1) Covered information that schools are required to | 8 | | report to the State Board by State or federal law. | 9 | | (2) Covered information in the State longitudinal data | 10 | | system or any data warehouse used by the State Board to | 11 | | populate the longitudinal data system. | 12 | | The inventory shall make clear for what purposes the State | 13 | | Board uses the covered information. | 14 | | (e) The State Board shall develop, publish, and make | 15 | | publicly available, for the benefit of schools, model student | 16 | | data privacy policies and procedures that comply with relevant | 17 | | State and federal law, including, but not limited to, a model | 18 | | notice that schools must use to provide notice to parents and | 19 | | students about operators. The notice must state, in general | 20 | | terms, the types of student data that are collected by the | 21 | | schools and shared with operators under this Act and the | 22 | | purposes of collecting and using the student data. After | 23 | | creation of the notice under this subsection, a school shall, | 24 | | at the beginning of each school year, provide the notice to | 25 | | parents by the same means generally used to send notices to | 26 | | them. This subsection does not apply to nonpublic schools. |
| | | HB3606 Engrossed | - 17 - | LRB101 09053 AXK 54146 b |
|
| 1 | | (105 ILCS 85/33 new) | 2 | | Sec. 33. Parent and student rights. | 3 | | (a) A student's covered information is the sole property of | 4 | | the student's parent. | 5 | | (b) A student's covered information shall be collected only | 6 | | for K through 12 school purposes and not further processed in a | 7 | | manner that is incompatible with those purposes. | 8 | | (c) A student's covered information shall only be adequate, | 9 | | relevant, and limited to what is necessary in relation to the K | 10 | | through 12 school purposes for which it is processed. | 11 | | (d) Except for a parent of a student enrolled in a | 12 | | nonpublic school, the parent of a student enrolled in a school | 13 | | has the right to all of the following: | 14 | | (1) Inspect and review the student's covered | 15 | | information, regardless of whether it is maintained by the | 16 | | school, the State Board, or an operator. | 17 | | (2) Request from a school a paper or electronic copy of | 18 | | the student's covered information, including covered | 19 | | information maintained by an operator or the State Board. | 20 | | If a parent requests an electronic copy of the student's | 21 | | covered information under this paragraph, the school must | 22 | | provide an electronic copy of that information, unless the | 23 | | school does not maintain the information in an electronic | 24 | | format and reproducing the information in an electronic | 25 | | format would be unduly burdensome to the school. If a |
| | | HB3606 Engrossed | - 18 - | LRB101 09053 AXK 54146 b |
|
| 1 | | parent requests a paper copy of the student's covered | 2 | | information, the school may charge the parent the | 3 | | reasonable cost for copying the information in an amount | 4 | | not to exceed the amount fixed in a schedule adopted by the | 5 | | State Board, except that no parent may be denied a copy of | 6 | | the information due to the parent's inability to bear the | 7 | | cost of the copying. The State Board must adopt rules on | 8 | | the methodology and frequency of requests under this | 9 | | paragraph. | 10 | | (3) Request corrections of factual inaccuracies | 11 | | contained in the student's covered information. After | 12 | | receiving a request for corrections that documents a | 13 | | factual inaccuracy, a school must do either of the | 14 | | following: | 15 | | (A) Confirm the correction with the parent within | 16 | | 90 calendar days after receiving the parent's request | 17 | | if the school or State Board maintains the covered | 18 | | information that contains the factual inaccuracy. | 19 | | (B) Notify the operator who must confirm the | 20 | | correction with the parent within 90 calendar days | 21 | | after receiving the parent's request if the covered | 22 | | information that contains the factual inaccuracy is | 23 | | maintained by an operator. | 24 | | (e) Nothing in this Section shall be construed to limit the | 25 | | rights granted to parents and students under the Illinois | 26 | | School Student Records Act.
|
| | | HB3606 Engrossed | - 19 - | LRB101 09053 AXK 54146 b |
|
| 1 | | Section 99. Effective date. This Act takes effect July 1, | 2 | | 2021. |
|