Full Text of SB1578 102nd General Assembly
SB1578 102ND GENERAL ASSEMBLY |
| | 102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022 SB1578 Introduced 2/26/2021, by Sen. Robert F. Martwick SYNOPSIS AS INTRODUCED: |
| 105 ILCS 85/10 | | 105 ILCS 85/15 | | 105 ILCS 85/26 | | 105 ILCS 85/28 | | 105 ILCS 85/33 | |
|
Amends the Student Online Personal Protection Act. Provides than an operator shall not knowingly sell, rent, lease, or trade a student's information (rather than knowingly sell or rent a student's information). Regarding an operator's request to receive covered information from a school, a school district, or the State Board of Education, provides that the written agreement related thereto must require the operator to provide a parent with a means to view and to request edits to the covered information to be maintained by the operator. If a breach occurs and is attributed to the operator, provides that any investigation and remediation costs and expenses incurred by the school as a result of the breach shall be borne by the operator (rather than the costs and expenses shall be allocated between the operator and the school). Removes local school council members as individuals who are authorized to share, transfer, disclose, or provide access to a student's covered information without a written agreement. Requires the State Board of Education to develop and make available model student data privacy policies and procedures as soon as practical after July 1, 2021. Makes changes concerning parent and student rights. Effective immediately.
|
| |
| | | FISCAL NOTE ACT MAY APPLY | |
| | A BILL FOR |
|
| | | SB1578 | | LRB102 14184 CMG 19536 b |
|
| 1 | | AN ACT concerning education.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The Student Online Personal Protection Act is | 5 | | amended by changing Sections 10, 15, 26, 28, and 33 as follows: | 6 | | (105 ILCS 85/10) | 7 | | (Text of Section before amendment by P.A. 101-516 )
| 8 | | Sec. 10. Operator prohibitions. An operator shall not | 9 | | knowingly do any of the following: | 10 | | (1) Engage in targeted advertising on the operator's | 11 | | site, service, or application or target advertising on any | 12 | | other site, service, or application if the targeting of | 13 | | the advertising is based on any information, including | 14 | | covered information and persistent unique identifiers, | 15 | | that the operator has acquired because of the use of that | 16 | | operator's site, service, or application for K through 12 | 17 | | school purposes. | 18 | | (2) Use information, including persistent unique | 19 | | identifiers, created or gathered by the operator's site, | 20 | | service, or application to amass a profile about a | 21 | | student, except in furtherance of K through 12 school | 22 | | purposes. "Amass a profile" does not include the | 23 | | collection and retention of account information that |
| | | SB1578 | - 2 - | LRB102 14184 CMG 19536 b |
|
| 1 | | remains under the control of the student, the student's | 2 | | parent or legal guardian, or the school. | 3 | | (3) Sell or rent a student's information, including | 4 | | covered information. This subdivision (3) does not apply | 5 | | to the purchase, merger, or other type of acquisition of | 6 | | an operator by another entity if the operator or successor | 7 | | entity complies with this Act regarding previously | 8 | | acquired student information. | 9 | | (4) Except as otherwise provided in Section 20 of this | 10 | | Act, disclose covered information, unless the disclosure | 11 | | is made for the following purposes: | 12 | | (A) In furtherance of the K through 12 school | 13 | | purposes of the site, service, or application if the | 14 | | recipient of the covered information disclosed under | 15 | | this clause (A) does not further disclose the | 16 | | information, unless done to allow or improve | 17 | | operability and functionality of the operator's site, | 18 | | service, or application. | 19 | | (B) To ensure legal and regulatory compliance or | 20 | | take precautions
against liability. | 21 | | (C) To respond to the judicial process. | 22 | | (D) To protect the safety or integrity of users of | 23 | | the site or others or the security of the site, | 24 | | service, or application. | 25 | | (E) For a school, educational, or employment | 26 | | purpose requested by the student or the student's |
| | | SB1578 | - 3 - | LRB102 14184 CMG 19536 b |
|
| 1 | | parent or legal guardian, provided that the | 2 | | information is not used or further disclosed for any | 3 | | other purpose. | 4 | | (F) To a third party if the operator contractually | 5 | | prohibits the third party from using any covered | 6 | | information for any purpose other than providing the | 7 | | contracted service to or on behalf of the operator, | 8 | | prohibits the third party from disclosing any covered | 9 | | information provided by the operator with subsequent | 10 | | third parties, and requires the third party to | 11 | | implement and maintain reasonable security procedures | 12 | | and practices. | 13 | | Nothing in this Section prohibits the operator's use of | 14 | | information for maintaining, developing, supporting, | 15 | | improving, or diagnosing the operator's site, service, or | 16 | | application.
| 17 | | (Source: P.A. 100-315, eff. 8-24-17.) | 18 | | (Text of Section after amendment by P.A. 101-516 ) | 19 | | Sec. 10. Operator prohibitions. An operator shall not | 20 | | knowingly do any of the following: | 21 | | (1) Engage in targeted advertising on the operator's | 22 | | site, service, or application or target advertising on any | 23 | | other site, service, or application if the targeting of | 24 | | the advertising is based on any information, including | 25 | | covered information and persistent unique identifiers, |
| | | SB1578 | - 4 - | LRB102 14184 CMG 19536 b |
|
| 1 | | that the operator has acquired because of the use of that | 2 | | operator's site, service, or application for K through 12 | 3 | | school purposes. | 4 | | (2) Use information, including persistent unique | 5 | | identifiers, created or gathered by the operator's site, | 6 | | service, or application to amass a profile about a | 7 | | student, except in furtherance of K through 12 school | 8 | | purposes. "Amass a profile" does not include the | 9 | | collection and retention of account information that | 10 | | remains under the control of the student, the student's | 11 | | parent, or the school. | 12 | | (3) Sell , or rent , lease, or trade a student's | 13 | | information, including covered information. This | 14 | | subdivision (3) does not apply to the purchase, merger, or | 15 | | other type of acquisition of an operator by another entity | 16 | | if the operator or successor entity complies with this Act | 17 | | regarding previously acquired student information. | 18 | | (4) Except as otherwise provided in Section 20 of this | 19 | | Act, disclose covered information, unless the disclosure | 20 | | is made for the following purposes: | 21 | | (A) In furtherance of the K through 12 school | 22 | | purposes of the site, service, or application if the | 23 | | recipient of the covered information disclosed under | 24 | | this clause (A) does not further disclose the | 25 | | information, unless done to allow or improve | 26 | | operability and functionality of the operator's site, |
| | | SB1578 | - 5 - | LRB102 14184 CMG 19536 b |
|
| 1 | | service, or application. | 2 | | (B) To ensure legal and regulatory compliance or | 3 | | take precautions
against liability. | 4 | | (C) To respond to the judicial process. | 5 | | (D) To protect the safety or integrity of users of | 6 | | the site or others or the security of the site, | 7 | | service, or application. | 8 | | (E) For a school, educational, or employment | 9 | | purpose requested by the student or the student's | 10 | | parent, provided that the information is not used or | 11 | | further disclosed for any other purpose. | 12 | | (F) To a third party if the operator contractually | 13 | | prohibits the third party from using any covered | 14 | | information for any purpose other than providing the | 15 | | contracted service to or on behalf of the operator, | 16 | | prohibits the third party from disclosing any covered | 17 | | information provided by the operator with subsequent | 18 | | third parties, and requires the third party to | 19 | | implement and maintain security procedures and | 20 | | practices as required under Section 15. | 21 | | Nothing in this Section prohibits the operator's use of | 22 | | information for maintaining, developing, supporting, | 23 | | improving, or diagnosing the operator's site, service, or | 24 | | application.
| 25 | | (Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.) |
| | | SB1578 | - 6 - | LRB102 14184 CMG 19536 b |
|
| 1 | | (105 ILCS 85/15) | 2 | | (Text of Section before amendment by P.A. 101-516 )
| 3 | | Sec. 15. Operator duties. An operator shall do the | 4 | | following: | 5 | | (1) Implement and maintain reasonable security | 6 | | procedures and practices appropriate to the nature of the | 7 | | covered information and designed to protect that covered | 8 | | information from unauthorized access, destruction, use, | 9 | | modification, or disclosure. | 10 | | (2) Delete, within a reasonable time period, a | 11 | | student's covered information if the school or school | 12 | | district requests deletion of covered information under | 13 | | the control of the school or school district, unless a | 14 | | student or his or her parent or legal guardian consents to | 15 | | the maintenance of the covered information. | 16 | | (3) Publicly disclose material information about its | 17 | | collection, use, and disclosure of covered information, | 18 | | including, but not limited to, publishing a terms of | 19 | | service agreement, privacy policy, or similar document.
| 20 | | (Source: P.A. 100-315, eff. 8-24-17.) | 21 | | (Text of Section after amendment by P.A. 101-516 ) | 22 | | Sec. 15. Operator duties. An operator shall do the | 23 | | following: | 24 | | (1) Implement and maintain reasonable security | 25 | | procedures and practices that otherwise meet or exceed |
| | | SB1578 | - 7 - | LRB102 14184 CMG 19536 b |
|
| 1 | | industry standards designed to protect covered information | 2 | | from unauthorized access, destruction, use, modification, | 3 | | or disclosure. | 4 | | (2) Delete, within a reasonable time period, a | 5 | | student's covered information if the school or school | 6 | | district requests deletion of covered information under | 7 | | the control of the school or school district, unless a | 8 | | student or his or her parent consents to the maintenance | 9 | | of the covered information. | 10 | | (3) Publicly disclose material information about its | 11 | | collection, use, and disclosure of covered information, | 12 | | including, but not limited to, publishing a terms of | 13 | | service agreement, privacy policy, or similar document. | 14 | | (4) Except for a nonpublic school, for any operator | 15 | | who seeks to receive from a school, school district, or | 16 | | the State Board in any manner any covered information, | 17 | | enter into a written agreement with the school, school | 18 | | district, or State Board before the covered information | 19 | | may be transferred. The written agreement may be created | 20 | | in electronic form and signed with an electronic or | 21 | | digital signature or may be a click wrap agreement that is | 22 | | used with software licenses, downloaded or online | 23 | | applications and transactions for educational | 24 | | technologies, or other technologies in which a user must | 25 | | agree to terms and conditions before using the product or | 26 | | service. Any written agreement entered into, amended, or |
| | | SB1578 | - 8 - | LRB102 14184 CMG 19536 b |
|
| 1 | | renewed must contain all of the following: | 2 | | (A) A listing of the categories or types of | 3 | | covered information to be provided to the operator. | 4 | | (A-5) A requirement that the operator provide to a | 5 | | parent a means through the parent's dashboard to view | 6 | | and to request edits to the covered information to be | 7 | | maintained by the operator. | 8 | | (B) A statement of the product or service being | 9 | | provided to the school by the operator. | 10 | | (C) A statement that, pursuant to the federal | 11 | | Family Educational Rights and Privacy Act of 1974, the | 12 | | operator is acting as a school official with a | 13 | | legitimate educational interest, is performing an | 14 | | institutional service or function for which the school | 15 | | would otherwise use employees, under the direct | 16 | | control of the school, with respect to the use and | 17 | | maintenance of covered information, and is using the | 18 | | covered information only for an authorized purpose and | 19 | | may not re-disclose it to third parties or affiliates, | 20 | | unless otherwise permitted under this Act, without | 21 | | permission from the school or pursuant to court order. | 22 | | (D) A description of how, if a breach is | 23 | | attributed to the operator, any costs and expenses | 24 | | incurred by the school in investigating and | 25 | | remediating the breach will be borne by allocated | 26 | | between the operator and the school . The costs and |
| | | SB1578 | - 9 - | LRB102 14184 CMG 19536 b |
|
| 1 | | expenses may include, but are not limited to: | 2 | | (i) providing notification to the parents of | 3 | | those students whose covered information was | 4 | | compromised and to regulatory agencies or other | 5 | | entities as required by law or contract; | 6 | | (ii) providing credit monitoring to those | 7 | | students whose covered information was exposed in | 8 | | a manner during the breach that a reasonable | 9 | | person would believe that it could impact his or | 10 | | her credit or financial security; | 11 | | (iii) legal fees, audit costs, fines, and any | 12 | | other fees or damages imposed against the school | 13 | | as a result of the security breach; and | 14 | | (iv) providing any other notifications or | 15 | | fulfilling any other requirements adopted by the | 16 | | State Board or of any other State or federal laws. | 17 | | (E) A statement that the operator must delete or | 18 | | transfer to the school all covered information if the | 19 | | information is no longer needed for the purposes of | 20 | | the written agreement and to specify the time period | 21 | | in which the information must be deleted or | 22 | | transferred once the operator is made aware that the | 23 | | information is no longer needed for the purposes of | 24 | | the written agreement. | 25 | | (F) If the school maintains a website, a statement | 26 | | that the school must publish the written agreement on |
| | | SB1578 | - 10 - | LRB102 14184 CMG 19536 b |
|
| 1 | | the school's website. If the school does not maintain | 2 | | a website, a statement that the school must make the | 3 | | written agreement available for inspection by the | 4 | | general public at its administrative office. If | 5 | | mutually agreed upon by the school and the operator, | 6 | | provisions of the written agreement, other than those | 7 | | under subparagraphs (A), (B), and (C), may be redacted | 8 | | in the copy of the written agreement published on the | 9 | | school's website or made available at its | 10 | | administrative office. | 11 | | (5) In case of any breach, within the most expedient | 12 | | time possible and without unreasonable delay, but no later | 13 | | than 30 calendar days after the determination that a | 14 | | breach has occurred, notify the school of any breach of | 15 | | the students' covered information.
| 16 | | (6) Except for a nonpublic school, provide to the | 17 | | school a list of any third parties or affiliates to whom | 18 | | the operator is currently disclosing covered information | 19 | | or has disclosed covered information. This list must, at a | 20 | | minimum, be updated and provided to the school by the | 21 | | beginning of each State fiscal year and at the beginning | 22 | | of each calendar year. | 23 | | (Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.) | 24 | | (105 ILCS 85/26) | 25 | | (This Section may contain text from a Public Act with a |
| | | SB1578 | - 11 - | LRB102 14184 CMG 19536 b |
|
| 1 | | delayed effective date ) | 2 | | Sec. 26. School prohibitions. A school may not do either | 3 | | of the following: | 4 | | (1) Sell, rent, lease, or trade covered information. | 5 | | (2) Share, transfer, disclose, or provide access to a | 6 | | student's covered information to an entity or individual, | 7 | | other than the student's parent, school personnel, | 8 | | appointed or elected school board members or local school | 9 | | council members , or the State Board, without a written | 10 | | agreement, unless the disclosure or transfer is: | 11 | | (A) to the extent permitted by State or federal | 12 | | law, to law enforcement officials to protect the | 13 | | safety of users or others or the security or integrity | 14 | | of the operator's service; | 15 | | (B) required by court order or State or federal | 16 | | law; or | 17 | | (C) to ensure legal or regulatory compliance. | 18 | | This paragraph (2) does not apply to nonpublic | 19 | | schools.
| 20 | | (Source: P.A. 101-516, eff. 7-1-21.) | 21 | | (105 ILCS 85/28) | 22 | | (This Section may contain text from a Public Act with a | 23 | | delayed effective date ) | 24 | | Sec. 28. State Board duties. | 25 | | (a) The State Board may not sell, rent, lease, or trade |
| | | SB1578 | - 12 - | LRB102 14184 CMG 19536 b |
|
| 1 | | covered information. | 2 | | (b) Except for an employee of the State Board or a State | 3 | | Board official acting within his or her official capacity, the | 4 | | State Board may not share, transfer, disclose, or provide | 5 | | covered information to an entity or individual without a | 6 | | contract or written agreement, except for disclosures required | 7 | | by State or federal law. | 8 | | (c) At least once annually, the State Board must publish | 9 | | and maintain on its website a list of all of the entities or | 10 | | individuals, including, but not limited to, operators, | 11 | | individual researchers, research organizations, institutions | 12 | | of higher education, or government agencies, that the State | 13 | | Board contracts with or has written agreements with and that | 14 | | hold covered information and a copy of each contract or | 15 | | written agreement. The list must include all of the following | 16 | | information: | 17 | | (1) The name of the entity or individual. In naming an | 18 | | individual, the list must include the entity that sponsors | 19 | | the individual or with which the individual is affiliated, | 20 | | if any. If the individual is conducting research at an | 21 | | institution of higher education, the list may include the | 22 | | name of that institution and a contact person in the | 23 | | department that is associated with the research in lieu of | 24 | | the name of the researcher. If the entity is an operator, | 25 | | the list must include its business address. | 26 | | (2) The purpose and scope of the contract or |
| | | SB1578 | - 13 - | LRB102 14184 CMG 19536 b |
|
| 1 | | agreement. | 2 | | (3) The duration of the contract or agreement. | 3 | | (4) The types of covered information that the entity | 4 | | or individual holds under the contract or agreement. | 5 | | (5) The use of the covered information under the | 6 | | contract or agreement. | 7 | | (6) The length of time for which the entity or | 8 | | individual may hold the covered information. | 9 | | (7) A list of any subcontractors to whom covered | 10 | | information may be disclosed under Section 15 or a link to | 11 | | a page on the operator's website that clearly lists that | 12 | | information. | 13 | | If mutually agreed upon by the State Board and the | 14 | | operator, provisions of a contract or written agreement, other | 15 | | than those pertaining to paragraphs (1) through (7), may be | 16 | | redacted on the State Board's website. | 17 | | (d) The State Board shall create, publish, and make | 18 | | publicly available an inventory, along with a dictionary or | 19 | | index of data elements and their definitions, of covered | 20 | | information collected or maintained by the State Board, | 21 | | including, but not limited to, both of the following: | 22 | | (1) Covered information that schools are required to | 23 | | report to the State Board by State or federal law. | 24 | | (2) Covered information in the State longitudinal data | 25 | | system or any data warehouse used by the State Board to | 26 | | populate the longitudinal data system. |
| | | SB1578 | - 14 - | LRB102 14184 CMG 19536 b |
|
| 1 | | The inventory shall make clear for what purposes the State | 2 | | Board uses the covered information. | 3 | | (e) As soon as practical after July 1, 2021 (the effective | 4 | | date of Public Act 101-516), the The State Board shall | 5 | | develop, publish, and make publicly available, for the benefit | 6 | | of schools, model student data privacy policies and procedures | 7 | | that comply with relevant State and federal law, including, | 8 | | but not limited to, a model notice that schools must use to | 9 | | provide notice to parents and students about operators. The | 10 | | notice must state, in general terms, the types of student data | 11 | | that are collected by the schools and shared with operators | 12 | | under this Act and the purposes of collecting and using the | 13 | | student data. After creation of the notice under this | 14 | | subsection, a school shall, at the beginning of each school | 15 | | year, provide the notice to parents by the same means | 16 | | generally used to send notices to them. This subsection does | 17 | | not apply to nonpublic schools.
| 18 | | (Source: P.A. 101-516, eff. 7-1-21.) | 19 | | (105 ILCS 85/33) | 20 | | (This Section may contain text from a Public Act with a | 21 | | delayed effective date ) | 22 | | Sec. 33. Parent and student rights. | 23 | | (a) A student's covered information shall be collected | 24 | | only for K through 12 school purposes and not further | 25 | | processed in a manner that is incompatible with those |
| | | SB1578 | - 15 - | LRB102 14184 CMG 19536 b |
|
| 1 | | purposes. | 2 | | (b) A student's covered information shall only be | 3 | | adequate, relevant, and limited to what is necessary in | 4 | | relation to the K through 12 school purposes for which it is | 5 | | processed. | 6 | | (c) Except for a parent of a student enrolled in a | 7 | | nonpublic school, the parent of a student enrolled in a school | 8 | | has the right to all of the following: | 9 | | (1) Inspect and review the student's covered | 10 | | information, regardless of whether it is maintained by the | 11 | | school, the State Board, or an operator. | 12 | | (1.5) Request from the operator the ability to edit | 13 | | the student's covered information. | 14 | | (2) Request from a school a paper or electronic copy | 15 | | of the student's covered information, including covered | 16 | | information maintained by an operator or the State Board . | 17 | | If a parent requests an electronic copy of the student's | 18 | | covered information under this paragraph, the school must | 19 | | provide an electronic copy of that information, unless the | 20 | | school does not maintain the information in an electronic | 21 | | format and reproducing the information in an electronic | 22 | | format would be unduly burdensome to the school. If a | 23 | | parent requests a paper copy of the student's covered | 24 | | information, the school may charge the parent the | 25 | | reasonable cost for copying the information in an amount | 26 | | not to exceed the amount fixed in a schedule adopted by the |
| | | SB1578 | - 16 - | LRB102 14184 CMG 19536 b |
|
| 1 | | State Board, except that no parent may be denied a copy of | 2 | | the information due to the parent's inability to bear the | 3 | | cost of the copying. The State Board must adopt rules on | 4 | | the methodology and frequency of requests under this | 5 | | paragraph. | 6 | | (2.5) Request from the State Board a paper or | 7 | | electronic copy of the student's covered information, | 8 | | including covered information maintained by an operator of | 9 | | the State Board or by the State Board. | 10 | | (3) Request corrections of factual inaccuracies | 11 | | contained in the student's covered information. After | 12 | | receiving a request for corrections and determining that a | 13 | | factual inaccuracy exists, a school or the State Board | 14 | | must do either of the following: | 15 | | (A) If the school or the State Board maintains or | 16 | | possesses the covered information that contains the | 17 | | factual inaccuracy, correct the factual inaccuracy and | 18 | | confirm the correction with the parent within 90 | 19 | | calendar days after receiving the parent's request. | 20 | | (B) If the operator or State Board maintains or | 21 | | possesses the covered information that contains the | 22 | | factual inaccuracy, notify the operator or the State | 23 | | Board of the correction. The operator or the State | 24 | | Board must correct the factual inaccuracy and confirm | 25 | | the correction with the school or the State Board | 26 | | within 90 calendar days after receiving the notice. |
| | | SB1578 | - 17 - | LRB102 14184 CMG 19536 b |
|
| 1 | | Within 10 business days after receiving confirmation | 2 | | of the correction from the operator or State Board , | 3 | | the school or the State Board must confirm the | 4 | | correction with the parent. | 5 | | (d) Nothing in this Section shall be construed to limit | 6 | | the rights granted to parents and students under the Illinois | 7 | | School Student Records Act or the federal Family Educational | 8 | | Rights and Privacy Act of 1974.
| 9 | | (Source: P.A. 101-516, eff. 7-1-21.)
| 10 | | Section 95. No acceleration or delay. Where this Act makes | 11 | | changes in a statute that is represented in this Act by text | 12 | | that is not yet or no longer in effect (for example, a Section | 13 | | represented by multiple versions), the use of that text does | 14 | | not accelerate or delay the taking effect of (i) the changes | 15 | | made by this Act or (ii) provisions derived from any other | 16 | | Public Act. | 17 | | Section 99. Effective date. This Act takes effect upon | 18 | | becoming law.
|
|