Illinois General Assembly - Full Text of SB2018
100TH GENERAL ASSEMBLY
State of Illinois
2017 and 2018
SB2018

 

Introduced 2/10/2017, by Sen. Thomas Cullerton

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Student Data Privacy Act. On and after October 1, 2017, requires the school board of a school district to enter into a written contract with a contractor any time the school board shares or provides access to student information, student records, or student-generated content with that contractor. Among other provisions, sets forth provisions concerning contract requirements, contractor and operator requirements and prohibitions, security breach procedures, and the establishment of a task force to study issues relating to student data privacy. Effective immediately.


LRB100 09670 NHT 19839 b

FISCAL NOTE ACT MAY APPLY
STATE MANDATES ACT MAY REQUIRE REIMBURSEMENT

 

 

A BILL FOR

 

SB2018 LRB100 09670 NHT 19839 b

    AN ACT concerning education.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Student Data Privacy Act.
 
    Section 5. Definitions. In this Act:
    "Contractor" means an operator or consultant that is in possession of or has access to student information, student records, or student-generated content as a result of a contract with a school board.
    "Consultant" means a professional who provides noninstructional services, including, but not limited to, administrative, planning, analysis, statistical or research services, to a school board pursuant to a contract with the school board.
    "De-identified student information" means any student information that has been altered to prevent the identification of an individual student.
    "Directory information" has the same meaning as provided in 34 CFR 99.3.
    "Operator" means any person who (i) operates an Internet web site, online service, or mobile application with actual knowledge that the Internet web site, online service, or mobile application is used for school purposes and was designed and marketed for school purposes, to the extent it is engaged in the operation of that Internet web site, online service, or mobile application, and (ii) collects, maintains, or uses student information.
    "Persistent unique identifier" means a unique piece of information that can be used to recognize a user over time and across different Internet web sites, online services, or mobile applications and is acquired as a result of a student's use of an operator's Internet web site, online service, or mobile application.
    "School purposes" means purposes that customarily take place at the direction of a teacher or a school board or aid in the administration of school activities, including, but not limited to, instruction in the classroom, administrative activities, and collaboration among students, school personnel, or parents or legal guardians of students.
    "Student" means a person who is a resident of this State and who is (i) enrolled in a school district's preschool program, (ii) enrolled in any of grades kindergarten through 12 in a public school, (iii) receiving special education and related services under an individualized education program, or (iv) otherwise the responsibility of a school district.
    "Student-generated content" means any student materials created by a student, including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files, or photographs, except "student-generated content" does not include student responses to a standardized assessment.
    "Student information" means personally identifiable information or material of a student in any media or format that is not publicly available and is any of the following: (i) created or provided by a student or the parent or legal guardian of a student to the operator in the course of the student, parent, or legal guardian using the operator's Internet web site, online service, or mobile application for school purposes, (ii) created or provided by an employee or agent of a school board to an operator for school purposes, or (iii) gathered by an operator through the operation of the operator's Internet web site, online service, or mobile application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photographs, voice recordings, survey responses, or behavioral assessments.
    "Student record" means any information directly related to a student that is maintained by a school board or the State Board of Education or any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a school board, except "student record" does not include de-identified student information allowed under a contract to be used by the contractor to (i) improve educational products for adaptive learning purposes and customize student learning, (ii) demonstrate the effectiveness of the contractor's products in the marketing of those products, and (iii) develop and improve the contractor's products and services.
    "Targeted advertising" means presenting an advertisement to a student where the selection of the advertisement is based on student information, student records, or student-generated content or inferred over time from the usage of the operator's Internet web site, online service, or mobile application by a student or the retention of a student's online activities or requests over time for the purpose of targeting subsequent advertisements. "Targeted advertising" does not include any advertising to a student on an Internet web site that the student is accessing at the time or in response to a student's response or request for information or feedback.
 
    Section 10. Contract required.
    (a) This Section applies beginning on October 1, 2017 and is applicable to contracts entered into, amended, or renewed on or after October 1, 2017. On and after October 1, 2017, the school board of a school district shall enter into a written contract with a contractor any time the school board shares or provides access to student information, student records, or student-generated content with the contractor. Each contract shall include, but need not be limited to, the following:
        (1) a statement that student information, student records, and student-generated content are not the property of or under the control of a contractor;
        (2) a description of the means by which the school board may request the deletion of student information, student records, or student-generated content in the possession of the contractor;
        (3) a statement that the contractor shall not use student information, student records, and student-generated content for any purposes other than those authorized pursuant to the contract;
        (4) a description of the procedures by which a student or parent or legal guardian of a student may review personally identifiable information contained in student information, student records, or student-generated content and correct erroneous information, if any, in the student record;
        (5) a statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records, and student-generated content;
        (6) a description of the procedures that a contractor will follow to notify the school board, in accordance with the provisions of Section 20 of this Act, when there has been an unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content;
        (7) a statement that student information, student records, or student-generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student or parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;
        (8) a statement that the contractor and the school board shall ensure compliance with the federal Family Educational Rights and Privacy Act of 1974;
        (9) a statement that the laws of this State shall govern the rights and duties of the contractor and the school board; and
        (10) a statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract that can be given effect without the invalid provision or application.
    (b) All student-generated content shall be the property of the student or the parent or legal guardian of the student.
    (c) A contractor shall implement and maintain security procedures and practices designed to protect student information, student records, and student-generated content from unauthorized access, destruction, use, modification, or disclosure that, based on the sensitivity of the data and the risk from unauthorized access:
        (1) use technologies and methodologies that are consistent with the guidance issued pursuant to Section 13402(h)(2) of Public Law 111-5, as amended from time to time;
        (2) maintain technical safeguards as it relates to the possession of student records in a manner consistent with the provisions of 45 CFR 164.312; and
        (3) otherwise meet or exceed industry standards.
    (d) A contractor shall not use (i) student information, student records, or student-generated content for any purposes other than those authorized pursuant to the contract or (ii) personally identifiable information contained in student information, student records, or student-generated content to engage in targeted advertising.
    (e) Any provision of a contract entered into between a contractor and a school board on or after October 1, 2017 that conflicts with any provision of this Section shall be void.
    (f) Any contract entered into on or after October 1, 2017 that does not include a provision required by subsection (a) of this Section shall be void, provided that the school board has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the provision required by subsection (a) of this Section.
    (g) Not later than 5 business days after executing a contract pursuant to this Section, a school board shall provide electronic notice to any student and the parent or legal guardian of a student affected by the contract. The notice shall (i) state that the contract has been executed and the date that the contract was executed, (ii) provide a brief description of the contract and the purpose of the contract, and (iii) state what student information, student records, or student-generated content may be collected as a result of the contract. The school board shall post the notice and the contract on the school district's Internet web site.
 
    Section 15. Operators.
    (a) This Section applies beginning October 1, 2017. An operator shall:
        (1) implement and maintain security procedures and practices that meet or exceed industry standards and that are designed to protect student information, student records, and student-generated content from unauthorized access, destruction, use, modification, or disclosure; and
        (2) delete any student information, student records, or student-generated content within a reasonable amount of time if a student, parent or legal guardian of a student, or school board that has the right to control the student information requests the deletion of the student information, student records, or student-generated content.
    (b) An operator shall not knowingly:
        (1) engage in (i) targeted advertising on the operator's Internet web site, online service, or mobile application or (ii) targeted advertising on any other Internet web site, online service, or mobile application if the advertising is based on any student information, student records, student-generated content, or persistent unique identifiers that the operator has acquired because of the use of the operator's Internet web site, online service, or mobile application for school purposes;
        (2) collect, store, and use student information, student records, student-generated content, or persistent unique identifiers for purposes other than the furtherance of school purposes;
        (3) sell, rent, or trade student information, student records, or student-generated content unless the sale is part of the purchase, merger, or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this Section regarding student information; or
        (4) disclose student information, student records, or student-generated content unless the disclosure is made:
            (A) in furtherance of school purposes of the Internet web site, online service, or mobile application, provided that the recipient of the student information uses the student information to improve the operability and functionality of the Internet web site, online service, or mobile application and complies with subsection (a) of this Section;
            (B) to ensure compliance with federal or State law or rules or pursuant to a court order;
            (C) in response to a judicial order;
            (D) to protect the safety or integrity of users or others or the security of the Internet web site, online service, or mobile application;
            (E) to an entity hired by the operator to provide services for the operator's Internet web site, online service, or mobile application, provided that the operator contractually (i) prohibits the entity from using student information, student records, or student-generated content for any purpose other than providing the contracted service to or on behalf of the operator, (ii) prohibits the entity from disclosing student information, student records, or student-generated content provided by the operator to subsequent third parties, and (iii) requires the entity to comply with subsection (a) of this Section; or
            (F) for a school purpose or other educational or employment purpose requested by a student or the parent or legal guardian of a student, provided that the student information is not used or disclosed for any other purpose.
    (c) An operator may use student information:
        (1) to maintain, support, improve, evaluate, or diagnose the operator's Internet web site, online service, or mobile application;
        (2) for adaptive learning purposes or customized student learning;
        (3) to provide recommendation engines to recommend content or services relating to school purposes or other educational or employment purposes, provided that the recommendation is not determined in whole or in part by payment or other consideration from a third party; or
        (4) to respond to a request for information or feedback from a student, provided that the response is not determined in whole or in part by payment or other consideration from a third party.
    (d) An operator may use de-identified student information or aggregated student information:
        (1) to develop or improve the operator's Internet web site, online service, or mobile application or other Internet web sites, online services, or mobile applications owned by the operator; or
        (2) to demonstrate or market the effectiveness of the operator's Internet web site, online service, or mobile application.
    (e) An operator may share aggregated student information or de-identified student information for the improvement and development of Internet web sites, online services, or mobile applications designed for school purposes.
    (f) Nothing in this Section shall be construed to:
        (1) limit the ability of a law enforcement agency to obtain student information, student records, or student-generated content from an operator as authorized by law or pursuant to a court order;
        (2) limit the ability of a student or the parent or legal guardian of a student to download, export, transfer, or otherwise save or maintain student information, student records, or student-generated content;
        (3) impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. 230, to ensure compliance with this Section by third-party information content providers, as defined in 47 U.S.C. 230;
        (4) impose a duty upon a seller or provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software applications to review or enforce compliance with this Section on the software applications;
        (5) limit an Internet service provider from providing a student, parent or legal guardian of a student, or school board with the ability to connect to the Internet;
        (6) prohibit an operator from advertising other Internet web sites, online services, or mobile applications that are used for school purposes to parents or legal guardians of students, provided that the advertising does not result from the operator's use of student information, student records, or student-generated content; or
        (7) apply to Internet web sites, online services, or mobile applications that are designed and marketed for use by individuals generally, even if the account credentials created for an operator's Internet web site, online service, or mobile application may be used to access Internet web sites, online services, or mobile applications that are designed and marketed for school purposes.
 
    Section 20. Security breach.
    (a) This Section applies beginning October 1, 2017.
        (1) Upon the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of student information, excluding any directory information contained in the student information, a contractor shall notify, without unreasonable delay, but not more than 30 days after the discovery, the school board of the breach of security. During the 30-day period, the contractor may:
            (A) conduct an investigation to determine the nature and scope of the unauthorized release, disclosure, or acquisition and the identity of the students whose student information is involved in the unauthorized release, disclosure, or acquisition; or
            (B) restore the reasonable integrity of the contractor's data system.
        (2) Upon the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of directory information, student records, or student-generated content, a contractor shall notify, without unreasonable delay, but not more than 60 days after the discovery, the school board of the breach of security. During the 60-day period, the contractor may:
            (A) conduct an investigation to determine the nature and scope of the unauthorized release, disclosure, or acquisition and the identity of the students whose directory information, student records, or student-generated content is involved in the unauthorized release, disclosure, or acquisition; or
            (B) restore the reasonable integrity of the contractor's data system.
        (3) Upon receipt of notice of a breach of security under subdivisions (1) or (2) of this subsection (a), a school board shall electronically notify, not later than 48 hours after receipt of the notice, the student and the parents or legal guardians of the student whose student information, student records, or student-generated content is involved in the breach of security. The school board shall post the notice on the school district's Internet web site.
    (b) Upon the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content, an operator that is in possession of or maintains student information, student records, or student-generated content as a result of a student's use of the operator's Internet web site, online service, or mobile application shall:
        (1) notify, without unreasonable delay, but not more than 30 days after the discovery, the student or the parents or legal guardians of the student of any breach of security that results in the unauthorized release, disclosure, or acquisition of student information, excluding any directory information contained in the student information; and
        (2) notify, without unreasonable delay, but not more than 60 days after the discovery, the student or the parents or legal guardians of the student of any breach of security that results in the unauthorized release, disclosure, or acquisition of directory information, student records, or student-generated content of the student.
    During the 30-day or 60-day period, the operator may (i) conduct an investigation to determine the nature and scope of the unauthorized release, disclosure, or acquisition and the identity of the students whose student information, student records, or student-generated content are involved in the unauthorized release, disclosure, or acquisition or (ii) restore the reasonable integrity of the operator's data system.
 
    Section 25. Task force.
    (a) There is established a task force to study issues relating to student data privacy. The study shall include, but not be limited to, an examination of:
        (1) when a parent or legal guardian of a student may reasonably or appropriately request the deletion of student information, student records, or student-generated content that is in the possession of a contractor or operator;
        (2) means of providing notice to parents and legal guardians of students when a student uses an Internet web site, online service, or mobile application of an operator for instructional purposes in a classroom or as part of an assignment by a teacher;
        (3) reasonable penalties for violations of this Act, such as restricting a contractor or operator from accessing or collecting student information, student records, or student-generated content;
        (4) strategies in effect in other states that ensure that school employees, contractors, and operators are trained in data security handling, compliance, and best practices;
        (5) the feasibility of developing a school district-wide list of approved Internet web sites, online services, and mobile applications;
        (6) the use of an administrative hearing process designed to provide legal recourse to students and parents and legal guardians of students aggrieved by any violation of this Act;
        (7) the feasibility of creating an inventory of student information, student records, and student-generated content currently collected pursuant to State and federal law;
        (8) the feasibility of developing a tool kit for use by school boards to:
            (A) improve student data contracting practices and compliance, including a statewide template for use by districts;
            (B) increase school employee awareness of student data security best practices, including model training components;
            (C) develop district-wide lists of approved software applications and Internet web sites; and
            (D) increase the availability and accessibility of information on student data privacy for parents and legal guardians of students and educators; and
        (9) any other issue involving student data security that the task force deems relevant.
    (b) The task force shall consist of all of the following members, who shall serve without compensation but may be reimbursed for their reasonable and necessary expenses from funds appropriated for that purpose:
        (1) Members appointed by the State Superintendent of Education as follows:
            (A) One operator, one representative of a contractor, and 2 experts in information technology systems.
            (B) One representative or member of a statewide professional teachers' organization and one representative or member of a different statewide professional teachers' organization.
            (C) One representative or member of a statewide parent teacher association and one high school student in this State.
            (D) One student privacy advocate.
            (E) One representative or member of a statewide association of school boards.
            (F) One representative of a statewide association of school administrators and one representative or member of a statewide association of school district superintendents.
        (2) The Attorney General or the Attorney General's designee.
        (3) The State Superintendent of Education, who shall serve as chairperson.
    (c) All appointments to the task force shall be made not later than 30 days after the effective date of this Act. Any vacancy shall be filled by the appointing authority.
    (d) The chairperson shall schedule the first meeting of the task force, which shall be held not later than 60 days after the effective date of this Act.
    (e) The State Board of Education shall provide administrative and other support to the task force.
    (f) Not later than January 1, 2018, the task force shall submit a report on its findings and recommendations to the General Assembly. The task force shall terminate on the date that it submits its report or January 1, 2018, whichever is later.
    (g) This Section is repealed on January 1, 2019.
 
    Section 99. Effective date. This Act takes effect upon becoming law.