100TH GENERAL ASSEMBLY
State of Illinois
2017 and 2018
SB0599
 
Introduced 1/24/2017, by Sen. Michael Connelly
 
SYNOPSIS AS INTRODUCED:
 

 
New Act

     Creates the  Higher Education Student Online Personal Information Protection Act. Provides that the operator of an Internet website, online service, online application, or mobile application used primarily for higher education purposes and designed and marketed for higher education purposes shall not knowingly (1) engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any information that the operator has acquired because of the use of that operator's site, service, or application; (2) use information created or gathered by the operator's site, service, or application to amass a profile about a student, except in furtherance of higher education purposes; (3) sell a student's information; or (4) disclose covered information, as defined in the Act, without a student's consent.  Sets forth exceptions and other provisions concerning the construction and application of the Act.  Effective January 1, 2018.
  


LRB100 06924 MLM 16975 b

FISCAL NOTE ACT MAY APPLY
 
 
A BILL FOR
 

  
SB0599LRB100 06924 MLM 16975 b


  
1    AN ACT concerning education.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 1. Short title. This Act may be cited as the Higher 
5Education Student Online Personal Information Protection Act.
 
6    Section 5. Definitions. In this Act:
7    "Covered information" means personally identifiable 
8information or materials, in any media or format, that meets 
9any of the following:
10        (1) Is created or provided by a student to an operator 
11    in the course of the student's use of the operator's site, 
12    service, or application for higher education purposes.
13        (2) Is created or provided by an employee or agent of a 
14    school to an operator.
15        (3) Is gathered by an operator through the operation of 
16    a site, service, or application described in the definition 
17    of "operator" under this Section and is descriptive of a 
18    student or otherwise identifies a student, including 
19    without limitation information in the student's 
20    educational record or e-mail, first and last name, home 
21    address, telephone number, e-mail address, or other 
22    information that allows physical or online contact, 
23    discipline records, test results, grades, evaluations, 
 
 
SB0599- 2 -LRB100 06924 MLM 16975 b

1    criminal records, medical records, health records, social 
2    security number, biometric information, disabilities, 
3    socioeconomic information, food purchases, political 
4    affiliations, religious information, text messages, 
5    documents, student identifiers, search activity, photos, 
6    voice recordings, or geolocation information.

7    "Higher education purposes" means purposes that 
8customarily take place at the direction of a higher education 
9school or instructor or aid in the administration of school 
10activities, including without limitation instruction in the 
11classroom or at home, administrative activities, and 
12collaboration between students or school personnel, or are for 
13the use and benefit of a school.
14    "Online service" includes cloud computing services, which 
15must comply with this Act if they otherwise meet the definition 
16of an operator.
17    "Operator" means the operator of an Internet website, 
18online service, online application, or mobile application with 
19actual knowledge that the site, service, or application is used 
20primarily for higher education purposes and was designed and 
21marketed for higher education purposes.
22    "School" means a public university or public community 
23college located  in this State.
 
24    Section 10. Prohibited activities and duties of operators.
25    (a)  An operator shall not knowingly engage in any of the 
 
 
SB0599- 3 -LRB100 06924 MLM 16975 b

1following activities with respect to its site, service, or 
2application without a student's consent:
3        (1) Engage in targeted advertising on the operator's 
4    site, service, or application or target advertising on any 
5    other site, service, or application when the targeting of 
6    the advertising is based upon any information, including 
7    covered information and persistent unique identifiers, 
8    that the operator has acquired because of the use of that 
9    operator's site, service, or application described in the 
10    definition of "operator" under Section 5 of this Act.
11        (2) Use information, including persistent unique 
12    identifiers, created or gathered by the operator's site, 
13    service, or application, to amass a profile about a 
14    student, except in furtherance of higher education 
15    purposes.
16        (3) Sell a student's information, including covered 
17    information. The prohibition under this subdivision (3) 
18    does not apply to the purchase, merger, or other type of 
19    acquisition of an operator by another entity, provided that 
20    the operator or successor entity continues to be subject to 
21    the provisions of this Act with respect to previously 
22    acquired student information.
23        (4) Disclose covered information, unless the 
24    disclosure is made:
25            (A) in furtherance of the higher education 
26        purposes of the site, service, or application, 
 
 
SB0599- 4 -LRB100 06924 MLM 16975 b

1        provided that the recipient of the covered information 
2        disclosed pursuant to this subdivision (4) (i) shall 
3        not further disclose the information unless done to 
4        allow or improve operability and functionality within 
5        that student's classroom or school and (ii) is legally 
6        required to comply with subsection (c) of this Section;
7            (B) to ensure legal and regulatory compliance;
8            (C) to respond to or participate in the judicial 
9        process;
10            (D) to protect the safety of users or others or the 
11        security of the site; or
12            (E) to a service provider, provided that the 
13        operator contractually (i) prohibits the service 
14        provider from using any covered information for any 
15        purpose other than providing the contracted service to 
16        or on behalf of the operator, (ii) prohibits the 
17        service provider from disclosing any covered 
18        information provided by the operator with subsequent 
19        third parties, and (iii) requires the service provider 
20        to implement and maintain reasonable security 
21        procedures and practices as provided in subsection (c) 
22        of this Section.
23    (b) Nothing in subsection (a) of this Section shall be 
24construed to prohibit the operator's use of information for 
25maintaining, developing, supporting, improving, or diagnosing 
26the operator's site, service, or application.
 
 
SB0599- 5 -LRB100 06924 MLM 16975 b

1    (c) An operator shall do both of the following:
2        (1) Implement and maintain reasonable security 
3    procedures and practices appropriate to the nature of the 
4    covered information and protect that information from 
5    unauthorized access, destruction, use, modification, or 
6    disclosure.
7        (2) Delete a student's covered information if the 
8    school requests deletion of data under the control of the 
9    school.
10    (d) Notwithstanding subdivision (4) of subsection (a) of 
11this Section, an operator may disclose covered information of a 
12student, as long as subdivisions (1), (2), and (3) of 
13subsection (a) of this Section are not violated, under the 
14following circumstances:
15        (1) If other provisions of federal or State law require 
16    the operator to disclose the information and the operator 
17    complies with the requirements of federal and State law in 
18    protecting and disclosing that information.
19        (2) For legitimate research purposes (i) as required by 
20    State or federal law and subject to the restrictions under 
21    applicable State and federal law or (ii) as allowed by 
22    State or federal law and under the direction of a school or 
23    the Board of Higher Education if no covered information is 
24    used in furtherance of advertising or to amass a profile on 
25    the student for purposes other than higher education 
26    purposes.
 
 
SB0599- 6 -LRB100 06924 MLM 16975 b

1        (3) To a State agency or school, for higher education 
2    purposes, as permitted by State or federal law.

3    (e) Nothing in this Section prohibits an operator from 
4using de-identified student covered information as follows:

5        (1) Within the operator's site, service, or 
6    application or other sites, services, or applications 
7    owned by the operator to improve educational products.
8        (2) To demonstrate the effectiveness of the operator's 
9    products or services, including in their marketing.
10    (f) Nothing in this Section prohibits an operator from 
11sharing aggregated de-identified student covered information 
12for the development and improvement of educational sites, 
13services, or applications.
 
14    Section 15. Construction and application of Act. 
15    (a) This Act shall not be construed to limit the authority 
16of a law enforcement agency to obtain any content or 
17information from an operator as authorized by law or pursuant 
18to an order of a court of competent jurisdiction.

19    (b) This Act does not limit the ability of an operator to 
20use student data, including covered information, for adaptive 
21learning or customized student learning purposes.
22    (c) This Act does not apply to general audience Internet 
23websites, general audience online services, general audience 
24online applications, or general audience mobile applications, 
25even if login credentials created for an operator's site, 
 
 
SB0599- 7 -LRB100 06924 MLM 16975 b

1service, or application may be used to access those general 
2audience sites, services, or applications.
3    (d) This Act does not limit Internet service providers from 
4providing Internet connectivity to schools or students.
5    (e) This Act shall not be construed to prohibit an operator 
6of an Internet website, online service, online application, or 
7mobile application from marketing educational products 
8directly to students so long as the marketing did not result 
9from the use of covered information obtained by the operator 
10through the provision of services covered under this Act.
11    (f) This Act does not impose a duty upon a provider of an 
12electronic store, a gateway, a marketplace, or other means of 
13purchasing or downloading software or applications to review or 
14enforce compliance of this Act on those applications or 
15software.
16    (g) This Act does not impose a duty upon a provider of an 
17interactive computer service, as defined in Section 230 of 
18Title 47 of the United States Code, to review or enforce 
19compliance with this Act by third-party content providers.
20    (h) This Act does not impede the ability of students to 
21download, export, or otherwise save or maintain their own 
22student-created data or documents.
 
23    Section 97. Severability. The provisions of this Act are 
24severable under Section 1.31 of the Statute on Statutes.
 
 
25    Section 99. Effective date. This Act takes effect January 
 
 
SB0599- 8 -LRB100 06924 MLM 16975 b

11, 2018.