Public Act 100-0315
 
SB1796 Enrolled
LRB100 08966 MLM 19112 b

    AN ACT concerning education.
 
    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
 
    Section 1. Short title. This Act may be cited as the
Student Online Personal Protection Act.
 
    Section 3. Legislative intent. Schools today are
increasingly using a wide range of beneficial online services
and other technologies to help students learn, but concerns
have been raised about whether sufficient safeguards exist to
protect the privacy and security of data about students when it
is collected by educational technology companies. This Act is
intended to ensure that student data will be protected when it
is collected by educational technology companies and that the
data may be used for beneficial purposes such as providing
personalized learning and innovative educational technologies.
 
    Section 5. Definitions. In this Act:
    "Covered information" means personally identifiable
information or material or information that is linked to
personally identifiable information or material in any media or
format that is not publicly available and is any of the
following:
        (1) Created by or provided to an operator by a student
    or the student's parent or legal guardian in the course of
    the student's, parent's, or legal guardian's use of the
    operator's site, service, or application for K through 12
    school purposes.
        (2) Created by or provided to an operator by an
    employee or agent of a school or school district for K
    through 12 school purposes.
        (3) Gathered by an operator through the operation of
    its site, service, or application for K through 12 school
    purposes and personally identifies a student, including,
    but not limited to, information in the student's
    educational record or electronic mail, first and last name,
    home address, telephone number, electronic mail address,
    or other information that allows physical or online
    contact, discipline records, test results, special
    education data, juvenile dependency records, grades,
    evaluations, criminal records, medical records, health
    records, a social security number, biometric information,
    disabilities, socioeconomic information, food purchases,
    political affiliations, religious information, text
    messages, documents, student identifiers, search activity,
    photos, voice recordings, or geolocation information.
    "Interactive computer service" has the meaning ascribed to
that term in Section 230 of the federal Communications Decency
Act of 1996 (47 U.S.C. 230).
    "K through 12 school purposes" means purposes that are
directed by or that customarily take place at the direction of
a school, teacher, or school district; aid in the
administration of school activities, including, but not
limited to, instruction in the classroom or at home,
administrative activities, and collaboration between students,
school personnel, or parents; or are otherwise for the use and
benefit of the school.
    "Operator" means, to the extent that an entity is operating
in this capacity, the operator of an Internet website, online
service, online application, or mobile application with actual
knowledge that the site, service, or application is used
primarily for K through 12 school purposes and was designed and
marketed for K through 12 school purposes.
    "School" means (1) any preschool, public kindergarten,
elementary or secondary educational institution, vocational
school, special educational facility, or any other elementary
or secondary educational agency or institution or (2) any
person, agency, or institution that maintains school student
records from more than one school. "School" includes a private
or nonpublic school.
    "Targeted advertising" means presenting advertisements to
a student where the advertisement is selected based on
information obtained or inferred over time from that student's
online behavior, usage of applications, or covered
information. The term does not include advertising to a student
at an online location based upon that student's current visit
to that location or in response to that student's request for
information or feedback, without the retention of that
student's online activities or requests over time for the
purpose of targeting subsequent ads.
 
    Section 10. Operator prohibitions. An operator shall not
knowingly do any of the following:
        (1) Engage in targeted advertising on the operator's
    site, service, or application or target advertising on any
    other site, service, or application if the targeting of the
    advertising is based on any information, including covered
    information and persistent unique identifiers, that the
    operator has acquired because of the use of that operator's
    site, service, or application for K through 12 school
    purposes.
        (2) Use information, including persistent unique
    identifiers, created or gathered by the operator's site,
    service, or application to amass a profile about a student,
    except in furtherance of K through 12 school purposes.
    "Amass a profile" does not include the collection and
    retention of account information that remains under the
    control of the student, the student's parent or legal
    guardian, or the school.
        (3) Sell or rent a student's information, including
    covered information. This subdivision (3) does not apply to
    the purchase, merger, or other type of acquisition of an
    operator by another entity if the operator or successor
    entity complies with this Act regarding previously
    acquired student information.
        (4) Except as otherwise provided in Section 20 of this
    Act, disclose covered information, unless the disclosure
    is made for the following purposes:
            (A) In furtherance of the K through 12 school
        purposes of the site, service, or application if the
        recipient of the covered information disclosed under
        this clause (A) does not further disclose the
        information, unless done to allow or improve
        operability and functionality of the operator's site,
        service, or application.
            (B) To ensure legal and regulatory compliance or
        take precautions against liability.
            (C) To respond to the judicial process.
            (D) To protect the safety or integrity of users of
        the site or others or the security of the site,
        service, or application.
            (E) For a school, educational, or employment
        purpose requested by the student or the student's
        parent or legal guardian, provided that the
        information is not used or further disclosed for any
        other purpose.
            (F) To a third party if the operator contractually
        prohibits the third party from using any covered
        information for any purpose other than providing the
        contracted service to or on behalf of the operator,
        prohibits the third party from disclosing any covered
        information provided by the operator with subsequent
        third parties, and requires the third party to
        implement and maintain reasonable security procedures
        and practices.
    Nothing in this Section prohibits the operator's use of
information for maintaining, developing, supporting,
improving, or diagnosing the operator's site, service, or
application.
 
    Section 15. Operator duties. An operator shall do the
following:
        (1) Implement and maintain reasonable security
    procedures and practices appropriate to the nature of the
    covered information and designed to protect that covered
    information from unauthorized access, destruction, use,
    modification, or disclosure.
        (2) Delete, within a reasonable time period, a
    student's covered information if the school or school
    district requests deletion of covered information under
    the control of the school or school district, unless a
    student or his or her parent or legal guardian consents to
    the maintenance of the covered information.
        (3) Publicly disclose material information about its
    collection, use, and disclosure of covered information,
    including, but not limited to, publishing a terms of
    service agreement, privacy policy, or similar document.
 
    Section 20. Permissive use or disclosure. An operator may
use or disclose covered information of a student under the
following circumstances:
        (1) If other provisions of federal or State law require
    the operator to disclose the information, and the operator
    complies with the requirements of federal and State law in
    protecting and disclosing that information.
        (2) For legitimate research purposes as required by
    State or federal law and subject to the restrictions under
    applicable State and federal law or as allowed by State or
    federal law and under the direction of a school, school
    district, or the State Board of Education if the covered
    information is not used for advertising or to amass a
    profile on the student for purposes other than for K
    through 12 school purposes.
        (3) To a State or local educational agency, including
    schools and school districts, for K through 12 school
    purposes, as permitted by State or federal law.
 
    Section 25. Operator actions that are not prohibited. This
Act does not prohibit an operator from doing any of the
following:
        (1) Using covered information to improve educational
    products if that information is not associated with an
    identified student within the operator's site, service, or
    application or other sites, services, or applications
    owned by the operator.
        (2) Using covered information that is not associated
    with an identified student to demonstrate the
    effectiveness of the operator's products or services,
    including in their marketing.
        (3) Sharing covered information that is not associated
    with an identified student for the development and
    improvement of educational sites, services, or
    applications.
        (4) Using recommendation engines to recommend to a
    student either of the following:
            (A) Additional content relating to an educational,
        other learning, or employment opportunity purpose
        within an online site, service, or application if the
        recommendation is not determined in whole or in part by
        payment or other consideration from a third party.
            (B) Additional services relating to an
        educational, other learning, or employment opportunity
        purpose within an online site, service, or application
        if the recommendation is not determined in whole or in
        part by payment or other consideration from a third
        party.
        (5) Responding to a student's request for information
    or for feedback without the information or response being
    determined in whole or in part by payment or other
    consideration from a third party.
 
    Section 30. Applicability. This Act does not do any of the
following:
        (1) Limit the authority of a law enforcement agency to
    obtain any content or information from an operator as
    authorized by law or under a court order.
        (2) Limit the ability of an operator to use student
    data, including covered information, for adaptive learning
    or customized student learning purposes.
        (3) Apply to general audience Internet websites,
    general audience online services, general audience online
    applications, or general audience mobile applications,
    even if login credentials created for an operator's site,
    service, or application may be used to access those general
    audience sites, services, or applications.
        (4) Limit service providers from providing Internet
    connectivity to schools or students and their families.
        (5) Prohibit an operator of an Internet website, online
    service, online application, or mobile application from
    marketing educational products directly to parents if the
    marketing did not result from the use of covered
    information obtained by the operator through the provision
    of services covered under this Act.
        (6) Impose a duty upon a provider of an electronic
    store, gateway, marketplace, or other means of purchasing
    or downloading software or applications to review or
    enforce compliance with this Act on those applications or
    software.
        (7) Impose a duty upon a provider of an interactive
    computer service to review or enforce compliance with this
    Act by third-party content providers.
        (8) Prohibit students from downloading, exporting,
    transferring, saving, or maintaining their own student
    data or documents.
        (9) Supersede the federal Family Educational Rights
    and Privacy Act of 1974 or rules adopted pursuant to that
    Act or the Illinois School Student Records Act.
 
    Section 35. Enforcement. Violations of this Act shall
constitute unlawful practices for which the Attorney General
may take appropriate action under the Consumer Fraud and
Deceptive Business Practices Act.
 
    Section 40. Severability. The provisions of this Act are
severable under Section 1.31 of the Statute on Statutes.
 
    Section 50. The Consumer Fraud and Deceptive Business
Practices Act is amended by changing Section 2Z as follows:
 
    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
    Sec. 2Z. Violations of other Acts. Any person who knowingly
violates the Automotive Repair Act, the Automotive Collision
Repair Act, the Home Repair and Remodeling Act, the Dance
Studio Act, the Physical Fitness Services Act, the Hearing
Instrument Consumer Protection Act, the Illinois Union Label
Act, the Job Referral and Job Listing Services Consumer
Protection Act, the Travel Promotion Consumer Protection Act,
the Credit Services Organizations Act, the Automatic Telephone
Dialers Act, the Pay-Per-Call Services Consumer Protection
Act, the Telephone Solicitations Act, the Illinois Funeral or
Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care
Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales
Act, the High Risk Home Loan Act, the Payday Loan Reform Act,
the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section
3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section
3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the
Internet Caller Identification Act, paragraph (6) of
subsection (k) of Section 6-305 of the Illinois Vehicle Code,
Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150,
or 18d-153 of the Illinois Vehicle Code, Article 3 of the
Residential Real Property Disclosure Act, the Automatic
Contract Renewal Act, the Reverse Mortgage Act, Section 25 of
the Youth Mental Health Protection Act, or the Personal
Information Protection Act, or the Student Online Personal
Protection Act commits an unlawful practice within the meaning
of this Act.
(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642,
eff. 7-28-16.)
 
    Section 99. Effective date. This Act takes effect upon
becoming law.