101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB2089

 

Introduced 2/15/2019, by Sen. Omar Aquino

 

SYNOPSIS AS INTRODUCED:
 
New Act
105 ILCS 10/2  from Ch. 122, par. 50-2
105 ILCS 10/6  from Ch. 122, par. 50-6
105 ILCS 85/Act rep.
815 ILCS 505/2Z  from Ch. 121 1/2, par. 262Z

    Creates the Student Online Personal Protection Act of 2019. Provides for legislative intent and definitions. Provides for operator prohibitions, operator duties, school authority prohibitions, school authority duties, State Board of Education duties, and parent rights. Creates the Student Data Protection Oversight Committee and provides for the Committee's membership and support. Requires the Committee to submit an annual report to the General Assembly and the State Board of Education with recommendations, if any, for policy revisions and legislative amendments that would carry out the intent of the Act. Amends the Illinois School Student Records Act. Adds a definition of record. Requires written consent of a student's parent to publish student directories that list student names, addresses, and other identifying information and similar publications. Amends the Consumer Fraud and Deceptive Business Practices Act to make a conforming change. Repeals the Student Online Personal Protection Act. Effective immediately.


LRB101 09671 AXK 54770 b

FISCAL NOTE ACT MAY APPLY
STATE MANDATES ACT MAY REQUIRE REIMBURSEMENT

 

 

A BILL FOR

 

SB2089LRB101 09671 AXK 54770 b

1    AN ACT concerning education.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Student Online Personal Protection Act of 2019.
 
6    Section 5. Legislative intent. Schools today are
7increasingly using a wide range of technologies to help
8students learn, but concerns have been raised about whether
9sufficient safeguards exist to protect the privacy and security
10of data about students and their families. This Act is intended
11to ensure that students' and families' data will be protected,
12safeguarded, and kept private and disclosed only to appropriate
13educational authorities or to properly authorized designees
14under their control to serve the best interests of the student
15and that no student shall be required to disclose data or be
16required to consent to a school authority sharing covered
17information with an operator in order to receive a free,
18high-quality public education.
 
19    Section 10. Definitions. In this Act:
20    "Biometric information" has the meaning given to that term
21under Section 10-20.40 of the School Code.
22    "Breach" means the unauthorized disclosure of data or

 

 

SB2089- 2 -LRB101 09671 AXK 54770 b

1unauthorized provision of physical or electronic means of
2gaining access to data that compromises the security,
3confidentiality, or integrity of covered information or a
4school student record.
5    "Covered information" means any information or records
6regarding a student or generated by a student collected by or
7provided to an operator, school authority, or the State Board
8of Education for or in connection with a school purpose,
9including personally identifiable information and information
10that is linked to personally identifiable information.
11"Covered information" does not include aggregated information
12or records to the extent no student may be individually
13identified from the information or records in any manner or
14other information or records that do not include personally
15identifiable information or other data by which a student may
16be identified in any manner. "Covered information" does include
17aggregated information or records that are capable of being
18de-aggregated or reconstructed to the point that any student
19may be individually identified from the information or records.
20    "Criminal records" means any criminal record or criminal
21history, including, but not limited to, juvenile delinquency
22records.
23    "Destroy" means to remove covered information so that it is
24permanently irretrievable in the normal course of business.
25    "Educational benefit" means an educational or
26instructional program, service, curriculum, course, material,

 

 

SB2089- 3 -LRB101 09671 AXK 54770 b

1aid, or intervention provided by a school authority.
2    "Electronic network activity information" means any
3information collected via the use of a technological device,
4including keystroke log, browsing history, search history,
5information regarding the user's interaction with a website,
6application, or advertisement and any persistent identifiers
7used to recognize a user over time and across different
8websites or online services. Persistent identifiers may
9include, but are not limited to, a user number held in a
10cookie, an Internet Protocol address, a processor or device
11serial number, or unique device identifier.
12    "Geolocation information" means information that (i) is
13not the contents of a communication, (ii) is generated by or
14derived from, in whole or in part, the operation of a
15technological device, and (iii) is sufficient to determine or
16infer the precise location of that device.
17    "Health information" means information or records about
18the past, present, or future physical or mental health
19condition or disability of a student or the provision of health
20care or medical treatment of a student.
21    "Highly sensitive student information" means covered
22information that includes, but is not limited to, all of the
23following types of information:
24        (1) Criminal records.
25        (2) Disciplinary records.
26        (3) Health information.

 

 

SB2089- 4 -LRB101 09671 AXK 54770 b

1        (4) Immigration and citizenship status.
2        (5) Information protected under the federal Protection
3    of Pupil Rights Amendment of 1978.
4        (6) Personally identifiable information.
5        (7) Geolocation information.
6        (8) Electronic network activity information.
7        (9) Photograph, video, or audio files in which the file
8    contains a student's image or voice.
9    "Longitudinal data system" has the meaning given to that
10term under the P-20 Longitudinal Education Data System Act.
11    "Operator" means any entity that, for a fee or free of
12charge:
13        (1) provides a product or service to a school authority
14    that collects, maintains, utilizes, or discloses covered
15    information;
16        (2) designs or markets a product or service for use by
17    a school authority or, with the school authority's or its
18    officials' involvement, by the student that collects,
19    maintains, utilizes, or discloses covered information; or
20        (3) knows or reasonably should know that a product or
21    service that collects, retains, or uses covered
22    information will be used for a school purpose.
23    "Parent" has the meaning given to that term in the Illinois
24School Student Records Act.
25    "Personally identifiable information" means any data
26concerning a student by which a student may be individually or

 

 

SB2089- 5 -LRB101 09671 AXK 54770 b

1personally identified and includes, but is not limited to, any
2of the following:
3        (1) The student's name.
4        (2) The name of the student's parent or other family
5    members.
6        (3) The address of the student or the student's family.
7        (4) A personal identifier, such as the student's social
8    security number, student number, or biometric information.
9        (5) Other indirect identifiers, such as the student's
10    date of birth, place of birth, or mother's maiden name.
11        (6) Other information that, alone or in combination, is
12    linked or linkable to a specific student and that would
13    allow a reasonable person in the school community who does
14    not have personal knowledge of the relevant circumstances
15    to identify the student with reasonable certainty.
16        (7) Information requested by a person whom a school
17    reasonably believes knows the identity of the student to
18    whom the school student record relates.
19    "Profile" means a file or other mechanism used to collect
20and retain, and that uses, covered information or other
21information by which to identify or otherwise keep track of an
22individual student or group of students.
23    "Publicly available" means information that is lawfully
24made available from federal, State, or local government
25records. "Publicly available" does not mean biometric
26information collected by an operator about a student without

 

 

SB2089- 6 -LRB101 09671 AXK 54770 b

1the parent's knowledge. "Publicly available" does not include
2information that is used for a purpose that is not compatible
3with the purpose for which the data is maintained and made
4available in the government records or for which it is publicly
5maintained and aggregate information or information that is
6de-identified in a manner that precludes the possibility of
7re-identification.
8    "Record" has the meaning given to that term under the
9Illinois School Student Records Act.
10    "School" means (i) any preschool, day care center, nursery,
11kindergarten, elementary or secondary educational institution,
12vocational school, or special educational facility or any other
13elementary or secondary educational agency or institution or
14(ii) any person, agency, or institution that maintains school
15student records from more than one school. "School" includes a
16private or nonpublic school.
17    "School authority" means any school board, school
18district, board of directors, or other governing body of a
19school established under the School Code or through any other
20means.
21    "School purpose" means any activity that is directed by or
22takes place at the direction of a school authority or its
23employees or designees. "School purpose" does not include
24advertising that is not otherwise specifically authorized in
25this Act is not a school purpose.
26    "School student record" has the meaning given to that term

 

 

SB2089- 7 -LRB101 09671 AXK 54770 b

1under the Illinois School Student Records Act.
2    "State Board" means the State Board of Education.
3    "Student" has the meaning given to that term under the
4Illinois School Student Records Act.
5    "Targeted advertising" means advertising to an individual
6student or group of students in which the advertisements are
7selected based on a known or assumed trait of the student or
8group of students or information obtained or inferred from the
9student's or group of students' online behavior within an
10operator's product or service or the student's or group of
11students' use of an operator's products or services, whether
12over time or at the time of access. "Targeted advertising" does
13not include providing a response to a request for information
14or feedback or a recommendation from a student, provided the
15response or recommendation is not determined in whole or in
16part by payment or other consideration from a third party.
17    "Technological device" means any computer, cellular phone,
18smart phone, digital camera, video camera, audio recording
19device, radio frequency identification tag reader, or other
20electronic device that can be used for creating, storing, or
21transmitting information in the form of electronic data.
 
22    Section 15. Operator prohibitions. An operator may not do
23any of the following:
24        (1) Sell, lease, or rent covered information.
25        (2) Disclose covered information to any person,

 

 

SB2089- 8 -LRB101 09671 AXK 54770 b

1    entity, or third party other than the school authority or
2    State Board.
3        (3) Unless it is already publicly available, use,
4    disclose, or share covered information, including
5    de-identified or aggregated student information, for any
6    commercial purpose that is not a school purpose, including,
7    without limitation:
8            (A) to develop, maintain, support, improve,
9        evaluate, or diagnose the operator's software or
10        website;
11            (B) for adaptive learning purposes or customized
12        student learning;
13            (C) to provide recommendation engines to recommend
14        content or services;
15            (D) to demonstrate or market the effectiveness of
16        the operator's website, online service, or mobile
17        application; or
18            (E) for targeted advertising.
19        (4) Disclose or otherwise allow any third party to have
20    access to covered information, unless such disclosure is:
21            (A) made only in furtherance of a school purpose
22        with the school authority's prior consent and the
23        recipient of the covered information is legally
24        required to comply with this Act;
25            (B) to the extent permitted by federal law, to law
26        enforcement to protect the safety of users or others or

 

 

SB2089- 9 -LRB101 09671 AXK 54770 b

1        the security or integrity of the operator's service;
2            (C) required by court order or State or federal
3        law;
4            (D) to ensure legal or regulatory compliance; or
5            (E) to a subcontractor, agent, independent
6        contractor or other entity hired by the operator for
7        the purpose of enabling the operator to meet its
8        contractual obligations to the school authority if
9        that entity first acknowledges in writing that it has
10        read and understands the requirements of this Act and
11        agrees in writing to be bound by its provisions and the
12        terms of any agreement entered into between the
13        operator and the school authority and a copy of that
14        written acknowledgment and agreement is provided to
15        the school authority.
 
16    Section 20. Operator duties. An operator must do the
17following:
18        (1) For any operator who seeks to receive from a school
19    authority or the State Board in any manner any covered
20    information, enter into a written agreement with the school
21    authority before any covered information may be
22    transferred, which agreement must contain all of the
23    following:
24            (A) Provisions consistent with each prohibition or
25        requirement set forth in this Act.

 

 

SB2089- 10 -LRB101 09671 AXK 54770 b

1            (B) A listing of the categories or types of covered
2        information to be provided to the operator.
3            (C) A statement of the product or service being
4        provided to the school authority by the operator.
5            (D) A statement that the operator is acting as a
6        school official with a legitimate educational
7        interest, is performing an institutional service or
8        function for which the school authority would
9        otherwise use employees, under the direct control of
10        the school authority, with respect to the use and
11        maintenance of covered information, and is using the
12        covered information for only an authorized purpose and
13        will not re-disclose it to third parties or affiliates,
14        unless otherwise permitted under this Act, without
15        permission from the school authority or pursuant to
16        court order.
17            (E) A description of the actions the operator will
18        take, including a description of the training the
19        operator will provide to anyone who receives or has
20        access to covered information, to ensure the security
21        and confidentiality of covered information. Compliance
22        with this subparagraph shall not, in itself, absolve
23        the operator of liability in the event of an
24        unauthorized disclosure of covered information.
25            (F) A statement that the operator will destroy or
26        transfer to the school authority all covered

 

 

SB2089- 11 -LRB101 09671 AXK 54770 b

1        information if the information is no longer needed for
2        the purposes of the contract and to specify the time
3        period in which the information must be destroyed or
4        returned.
5            (G) A statement that the school authority will
6        publish the contract on the school authority's
7        website.
8            (H) A statement that the agreement is the entire
9        agreement with the school authority, including school
10        authority employees and other end users, and the
11        operator.
12        (2) For any operator with covered information in its
13    possession, implement and maintain security procedures and
14    practices designed to protect covered information from
15    unauthorized access, destruction, use, modification or
16    disclosure that, based on the sensitivity of the data and
17    the risk from unauthorized access (i) uses technologies and
18    methodologies that are consistent with the guidance issued
19    pursuant to the federal American Recovery and Reinvestment
20    Act of 2009, (ii) maintains technical safeguards as it
21    relates to the possession of covered information in a
22    manner consistent with the provisions of 45 CFR 164.312,
23    and (iii) otherwise meets or exceeds industry standards.
24        (3) Destroy, within a reasonable time period, a
25    student's covered information if the school authority
26    requests destruction of covered information under the

 

 

SB2089- 12 -LRB101 09671 AXK 54770 b

1    control of the operator, unless the student's parent
2    consents in writing to the maintenance of the covered
3    information. A school authority shall make such a request
4    to the operator on behalf of a student's parent if the
5    parent requests that the student's covered information be
6    destroyed, if the destruction is not in violation of the
7    Illinois School Student Records Act.
8        (4) In the case of any breach, within the most
9    expedient time possible and without unreasonable delay,
10    but no later than 72 hours after the determination that a
11    breach has occurred, notify the school authority of the
12    breach of the school authority's student's covered
13    information.
14        (5) Permit a school authority or its designee to audit
15    and inspect, on an annual basis or after any breach, the
16    operator's practices with respect to any covered
17    information received by the operator from the school
18    authority or any student profiles, provided that this
19    requirement shall be satisfied if the operator provides the
20    school authority with an independent, third-party audit
21    acceptable to the school authority that has been conducted
22    within the previous 12 months or, in the case of a breach,
23    within 3 months after the breach.
24        (6) In the event of a breach resulting, in whole or in
25    part, from the operator's conduct, in addition to any other
26    remedies available to the school authority under law or

 

 

SB2089- 13 -LRB101 09671 AXK 54770 b

1    equity, reimburse the school authority in full for all
2    reasonable costs and expenses incurred by the school
3    authority as a result of the operator's conduct in
4    investigating and remediating the breach, including, but
5    not limited to:
6            (A) providing notification to the parents of those
7        students whose covered information was compromised and
8        to regulatory agencies or other entities as required by
9        law or contract;
10            (B) providing one year of credit monitoring to
11        those students whose covered information was exposed
12        in such a manner during the breach that a reasonable
13        person would believe that it could impact his or her
14        credit or financial security;
15            (C) legal fees, audit costs, fines, and any other
16        fees or damages imposed against the school authority as
17        a result of the security breach; and
18            (D) providing any other notifications or
19        fulfilling any other requirements adopted by the State
20        Board or of any other State or federal laws.
 
21    Section 25. School authority prohibitions. A school
22authority may not do any of the following:
23        (1) Access, search, read, inspect, copy, monitor, log
24    or otherwise use information transmitted via a
25    technological device unless it is owned by a school

 

 

SB2089- 14 -LRB101 09671 AXK 54770 b

1    authority and the information is used for a school purpose.
2    Information obtained or collected in violation of this
3    paragraph must be promptly destroyed and may not be used by
4    a school authority in any legal proceeding, disciplinary
5    action, or administrative hearing or for any other purpose.
6        (2) Require that any student must, as part of any
7    applicable program, disclose highly sensitive student
8    information to an operator without prior written consent of
9    the student's parent, which must include an explanation
10    that is clear and understandable by a layperson of the data
11    elements of highly sensitive student information to be
12    shared and for what purpose and to whom it will be
13    disclosed.
14        (3) Withhold an educational benefit from or take a
15    punitive measure against a student or a student's parent
16    based in whole or in part upon the student's or parent's
17    (i) refusal to allow disclosure or sharing of covered
18    information to an operator, (ii) revocation of consent for
19    disclosure or sharing of covered information to an
20    operator, or (iii) request for destruction of covered
21    information maintained by an operator.
22        (4) Sell, rent, lease, or trade covered information.
23        (5) Share, transfer, disclose, or provide access to a
24    student's covered information to an entity or individual,
25    other than the student's parent or the State Board, without
26    a contract, unless such disclosure or transfer is:

 

 

SB2089- 15 -LRB101 09671 AXK 54770 b

1            (A) to the extent permitted by federal law, to law
2        enforcement to protect the safety of users or others or
3        the security or integrity of the operator's service;
4            (B) required by court order or State or federal
5        law; or
6            (C) to ensure legal or regulatory compliance.
 
7    Section 30. School authority duties.
8    (a) Each school authority shall post and maintain on its
9website all of the following information:
10        (1) An explanation that is clear and understandable by
11    a layperson of the data elements of covered information
12    that the school authority collects, maintains, or
13    discloses to any person, entity, third party, or
14    governmental agency. The information must explain how the
15    school authority uses, to whom it discloses, and for what
16    purpose it discloses the covered information.
17        (2) A list of operators that the school authority
18    contracts with, a copy of each contract, and a business
19    address and telephone number for each operator.
20        (3) For each operator, a list of any subcontractors to
21    whom covered information may be disclosed under Section 15.
22        (4) A written description of the procedures that a
23    parent may use to carry out the rights enumerated under
24    Section 40.
25        (5) An explanation that if a school authority does not

 

 

SB2089- 16 -LRB101 09671 AXK 54770 b

1    comply with the requirements of this subsection, a parent
2    may submit a complaint with the State Board in accordance
3    with the complaint policy adopted under Section 35.
4    (b) Each school authority must adopt a policy regarding
5school employees who are authorized to enter into contracts
6with operators. A school authority must post on its website
7each contract, along with the information under subsection (a)
8before the contract is implemented and before any covered
9information is disclosed to an operator. Any agreement or
10contract entered into in violation of this Act shall be void
11and unenforceable as against public policy. This subsection may
12not be construed to limit individual school employees outside
13of the scope of their employment from entering into agreements
14with operators on their own behalf and for a non-school
15purpose, provided that no covered information is provided to
16the operators.
17    (c) Upon receipt of notice of a breach under Section 20 or
18determination of a breach of covered information maintained by
19the school authority, a school authority shall electronically
20notify, no later than 72 hours after receipt of the notice or
21determination that a breach has occurred, the parent of any
22student whose covered information is involved in the breach.
23The school authority must also post the notice on the school
24authority's website. The notification must include, but is not
25limited to, all of the following:
26        (1) The date, estimated date, or estimated date range

 

 

SB2089- 17 -LRB101 09671 AXK 54770 b

1    of the breach.
2        (2) A description of the covered information that was
3    compromised or reasonably believed to have been
4    compromised in the breach.
5        (3) Information that the parent may use to contact the
6    operator and school authority to inquire about the breach.
7        (4) The toll-free numbers, addresses, and websites for
8    consumer reporting agencies.
9        (5) The toll-free number, address, and website for the
10    Federal Trade Commission.
11        (6) A statement that the parent may obtain information
12    from the Federal Trade Commission and credit reporting
13    agencies about fraud alerts and security freezes.
14    (d) Each school authority must implement and maintain
15security procedures and practices designed to protect covered
16information from unauthorized access, destruction, use,
17modification, or disclosure that, based on the sensitivity of
18the covered information and the risk from unauthorized access,
19(i) use technologies and methodologies that are consistent with
20the guidance issued pursuant to the federal American Recovery
21and Reinvestment Act of 2009, (ii) maintain technical
22safeguards as they relate to the possession of student records
23in a manner consistent with the provisions of 45 CFR 164.312,
24and (iii) otherwise meet or exceed industry standards.
25    (e) Each school authority shall designate an appropriate
26staff person as a privacy officer, who may also be official

 

 

SB2089- 18 -LRB101 09671 AXK 54770 b

1records custodian as designated under the Illinois School
2Student Records Act, to carry out the duties and
3responsibilities assigned to school authorities and to ensure
4compliance with the requirements under Sections 25 and 30.
 
5    Section 35. State Board duties.
6    (a) The State Board may not sell, rent, lease, or trade
7covered information.
8    (b) The State Board may not share, transfer, disclose, or
9provide covered information to an entity or individual without
10a contract or agreement, with an exception for disclosures
11required by federal law to federal agencies.
12    (c) The State Board must publish and maintain on its
13website a list of all of the entities or individuals,
14including, but not limited to, operators, individual
15researchers, research organizations, institutions of higher
16education, and government agencies, that the State Board
17contracts with or has agreements with and that hold covered
18information and a copy of each contract or agreement. The list
19must include all of the following information:
20        (1) The name of the entity or individual. In naming an
21    individual, the list must include the entity that sponsors
22    the individual or with which the individual is affiliated,
23    if any. If the individual is conducting research at an
24    institution of higher education, the list may include the
25    name of that institution and a contact person in the

 

 

SB2089- 19 -LRB101 09671 AXK 54770 b

1    department that is associated with the research in lieu of
2    the name of the researcher. If the entity is an operator,
3    the list must include a business address and telephone
4    number for the operator.
5        (2) The purpose and scope of the contract or agreement.
6        (3) The duration of the contract or agreement.
7        (4) The types of covered information that the entity or
8    individual holds under the contract or agreement.
9        (5) The use of the covered information under the
10    contract.
11        (6) The length of time for which the entity or
12    individual may hold the covered information.
13        (7) A list of any subcontractors to whom covered
14    information may be disclosed under Section 15.
15    (d) The State Board shall create, publish, and make
16publicly available an inventory, along with a dictionary or
17index of data elements and their definitions, of covered
18information collected or maintained by the State Board,
19including, but not limited to, both of the following:
20        (1) Covered information that school authorities are
21    required to report to the State Board by State or federal
22    law.
23        (2) Covered information in the State longitudinal data
24    system or any data warehouse used by the State Board to
25    populate the longitudinal data system.
26The inventory shall make clear for what purposes the State

 

 

SB2089- 20 -LRB101 09671 AXK 54770 b

1Board uses the covered information.
2    (e) Within 180 days after the effective date of this Act,
3the State Board shall develop, publish, and make publicly
4available for the benefit of school authorities model student
5data privacy policies and procedures that comply with relevant
6State and federal law, including, but not limited to, all of
7the following:
8        (1) A model notice that school authorities must use to
9    provide notice to parents and students about operators. The
10    notice must be titled "Student Data Shared With Operators"
11    and state, in general terms, the types of student data that
12    are collected by the school authority and shared with
13    operators under this Act and the purposes of collecting and
14    using the student data. Upon the creation of the notice
15    under this paragraph, a school authority shall, at the
16    beginning of each school year, provide the notice to
17    parents by the same means generally used to send notices to
18    them.
19        (2) A model consent form that school authorities may
20    use to obtain written consent from a parent to allow
21    disclosure of highly sensitive information to an operator,
22    as required under Section 25. The consent form must be
23    titled "Consent for Highly Sensitive Data Sharing with
24    Operators" and must include an explanation that is clear
25    and understandable by a layperson of the data elements of
26    highly sensitive student information to be shared and for

 

 

SB2089- 21 -LRB101 09671 AXK 54770 b

1    what purpose and to whom it will be disclosed.
2    (f) The State Board must adopt, implement, and administer a
3policy for hearing complaints from a parent regarding a school
4authority's compliance with Sections 25 and 30. At a minimum,
5the policy must provide a parent the opportunity to submit
6information and receive a hearing from the State Board and must
7require the State Board to take action on the parent's
8complaint no later than 60 days after the hearing.
 
9    Section 40. Parent rights.
10    (a) A student's covered information is the sole property of
11the student's parent.
12    (b) A student's covered information shall be collected only
13for specified, explicit, and legitimate school purposes and not
14further processed in a manner that is incompatible with those
15purposes.
16    (c) A student's covered information shall only be adequate,
17relevant, and limited to what is necessary in relation to the
18school purpose for which it is processed.
19    (d) The parent of a student enrolled in a school has the
20right to all of the following:
21        (1) Inspect and review the student's student data,
22    regardless of whether it is maintained by the school, the
23    school authority, the State Board, or an operator.
24        (2) Request from a school authority a paper or
25    electronic copy of the student's covered information,

 

 

SB2089- 22 -LRB101 09671 AXK 54770 b

1    including covered information maintained by an operator or
2    the State Board. If a parent requests an electronic copy of
3    the student's covered information under this paragraph,
4    the school authority must provide an electronic copy of
5    that information unless the school authority does not
6    maintain the information in an electronic format and
7    reproducing the information in an electronic format would
8    be unduly burdensome to the school authority. If a parent
9    requests a paper copy of the student's covered information,
10    the school authority may charge the parent the reasonable
11    cost for copying the information in an amount not to exceed
12    the amount fixed in a schedule adopted by the State Board,
13    except that no parent may be denied a copy of the
14    information due to the parent's inability to bear the cost
15    of the copying.
16        (3) Request corrections of factual inaccuracies
17    contained in the student's covered information. After
18    receiving a request for corrections that documents a
19    factual inaccuracy, a school authority must complete
20    either of the following:
21            (A) Confirm the correction with the parent within
22        90 days after receiving the parent's request if the
23        school authority or State Board maintains the covered
24        information that contains the factual inaccuracy.
25            (B) Notify the operator who must confirm the
26        correction with the parent within 90 days after

 

 

SB2089- 23 -LRB101 09671 AXK 54770 b

1        receiving the parent's request if the covered
2        information that contains the factual inaccuracy is
3        maintained by an operator.
4    (e) Nothing in this Act shall be construed to limit the
5rights granted to parents and students under the Illinois
6School Student Records Act.
 
7    Section 45. Right of action.
8    (a) Any person aggrieved by a violation of this Act shall
9have a right of action in a State circuit court or as a
10supplemental claim in federal district court against an
11offending party. A prevailing party may recover for each
12violation any of the following:
13        (1) Against a private entity that negligently violates
14    a provision of this Act, liquidated damages of $1,000 or
15    actual damages, whichever one is greater.
16        (2) Against a private entity that intentionally or
17    recklessly violates a provision of this Act, liquidated
18    damages of $5,000 or actual damages, whichever one is
19    greater.
20        (3) Reasonable attorney's fees and costs, including
21    expert witness fees and other litigation expenses.
22        (4) Other relief, including an injunction, as the State
23    or federal court deems appropriate.
24    (b) An individual who knowingly or intentionally permits
25the unauthorized collecting, sharing, or using of covered

 

 

SB2089- 24 -LRB101 09671 AXK 54770 b

1information under this Act is guilty of a class A misdemeanor.
 
2    Section 50. Oversight.
3    (a) There is created a Student Data Protection Oversight
4Committee that consists of all of the following members,
5appointed by the State Board of Education:
6        (1) A high school student enrolled in a public school
7    in this State.
8        (2) A parent of a student in a school district
9    organized under Article 34 of the School Code.
10        (3) A parent of a student in a school district located
11    in Lake, Kane, Will, DuPage, McHenry, or Cook County, but
12    not in a school district organized under Article 34 of the
13    School Code.
14        (4) A parent of a student enrolled in a small, rural
15    school district.
16        (5) An expert in information technology systems.
17        (6) An expert in digital privacy law.
18        (7) A representative of a computer and information
19    technology trade group.
20        (8) A representative of a civil rights advocacy
21    organization.
22        (9) A representative of a different civil rights or a
23    privacy rights advocacy organization.
24        (10) A representative of an association representing
25    principals in a city having a population exceeding 500,000.

 

 

SB2089- 25 -LRB101 09671 AXK 54770 b

1        (11) A representative of a statewide association
2    representing school administrators.
3        (12) A representative of a statewide professional
4    teachers' organization.
5        (13) A representative of a different statewide
6    professional teachers' organization.
7        (14) A representative of a professional teachers'
8    organization in a city having a population exceeding
9    500,000.
10        (15) A representative of a statewide association
11    representing school boards.
12        (16) A representative of a school district organized
13    under Article 34 of the School Code.
14        (17) The Attorney General or his or her designee.
15        (18) The State Superintendent of Education or his or
16    her designee.
17    The State Board, in consultation with the Committee, may
18appoint no more than 2 additional individuals to the Committee
19who shall serve in an advisory role and may not have voting or
20other decision-making rights.
21    (b) The Committee shall initially meet at the call of the
22Governor, at which meeting it shall designate a chairperson.
23The Committee shall meet thereafter at the call of the
24chairperson, but no less than 4 times within one year after the
25effective date of this Act and at least once per year
26thereafter to review existing laws and federal regulations on

 

 

SB2089- 26 -LRB101 09671 AXK 54770 b

1covered information in light of technological and legal
2developments. The Committee shall serve without compensation
3but may be reimbursed for reasonable and necessary expenses
4incurred in performing their duties from funds appropriated to
5the State Board for that purpose. The State Board must provide
6administrative and other support to the Committee. The
7Committee shall submit an annual report to the General Assembly
8and the State Board no later than December 15, 2019 and each
9December 15 thereafter with recommendations, if any, for policy
10revisions and legislative amendments that would carry out the
11intent of this Act. The Committee is subject to the Open
12Meetings Act.
 
13    Section 100. Severability. The provisions of this Act are
14severable under Section 1.31 of the Statute on Statutes.
 
15    Section 105. The Illinois School Student Records Act is
16amended by changing Sections 2 and 6 as follows:
 
17    (105 ILCS 10/2)  (from Ch. 122, par. 50-2)
18    Sec. 2. As used in this Act,
19    (a) "Student" means any person enrolled or previously
20enrolled in a school.
21    (b) "School" means any public preschool, day care center,
22kindergarten, nursery, elementary or secondary educational
23institution, vocational school, special educational facility

 

 

SB2089- 27 -LRB101 09671 AXK 54770 b

1or any other elementary or secondary educational agency or
2institution and any person, agency or institution which
3maintains school student records from more than one school, but
4does not include a private or non-public school.
5    (c) "State Board" means the State Board of Education.
6    (d) "School Student Record" means any writing or other
7recorded information concerning a student and by which a
8student may be individually identified or personally
9identified that is , maintained by a school or at its direction
10or by an employee of a school, regardless of how or where the
11information is stored. The following shall not be deemed school
12student records under this Act: writings or other recorded
13information maintained by an employee of a school or other
14person at the direction of a school for his or her exclusive
15use; provided that all such writings and other recorded
16information are destroyed not later than the student's
17graduation or permanent withdrawal from the school; and
18provided further that no such records or recorded information
19may be released or disclosed to any person except a person
20designated by the school as a substitute unless they are first
21incorporated in a school student record and made subject to all
22of the provisions of this Act. School student records shall not
23include information maintained by law enforcement
24professionals working in the school.
25    (e) "Student Permanent Record" means the minimum personal
26information necessary to a school in the education of the

 

 

SB2089- 28 -LRB101 09671 AXK 54770 b

1student and contained in a school student record. Such
2information may include the student's name, birth date,
3address, grades and grade level, parents' names and addresses,
4attendance records, and such other entries as the State Board
5may require or authorize.
6    (f) "Student Temporary Record" means all information
7contained in a school student record but not contained in the
8student permanent record. Such information may include family
9background information, intelligence test scores, aptitude
10test scores, psychological and personality test results,
11teacher evaluations, and other information of clear relevance
12to the education of the student, all subject to regulations of
13the State Board. The information shall include information
14provided under Section 8.6 of the Abused and Neglected Child
15Reporting Act. In addition, the student temporary record shall
16include information regarding serious disciplinary infractions
17that resulted in expulsion, suspension, or the imposition of
18punishment or sanction. For purposes of this provision, serious
19disciplinary infractions means: infractions involving drugs,
20weapons, or bodily harm to another.
21    (g) "Parent" means a person who is the natural parent of
22the student or other person who has the primary responsibility
23for the care and upbringing of the student. All rights and
24privileges accorded to a parent under this Act shall become
25exclusively those of the student upon his 18th birthday,
26graduation from secondary school, marriage or entry into

 

 

SB2089- 29 -LRB101 09671 AXK 54770 b

1military service, whichever occurs first. Such rights and
2privileges may also be exercised by the student at any time
3with respect to the student's permanent school record.
4    (h) "Record" means any information maintained in any way,
5including, but not limited to, electronically-generated data,
6handwriting, print, computer media, video or audio tape, film,
7microfilm, and microfiche.
8(Source: P.A. 92-295, eff. 1-1-02.)
 
9    (105 ILCS 10/6)  (from Ch. 122, par. 50-6)
10    Sec. 6. (a) No school student records or information
11contained therein may be released, transferred, disclosed or
12otherwise disseminated, except as follows:
13        (1) to a parent or student or person specifically
14    designated as a representative by a parent, as provided in
15    paragraph (a) of Section 5;
16        (2) to an employee or official of the school or school
17    district or State Board with current demonstrable
18    educational or administrative interest in the student, in
19    furtherance of such interest;
20        (3) to the official records custodian of another school
21    within Illinois or an official with similar
22    responsibilities of a school outside Illinois, in which the
23    student has enrolled, or intends to enroll, upon the
24    request of such official or student;
25        (4) to any person for the purpose of research,

 

 

SB2089- 30 -LRB101 09671 AXK 54770 b

1    statistical reporting, or planning, provided that such
2    research, statistical reporting, or planning is
3    permissible under and undertaken in accordance with the
4    federal Family Educational Rights and Privacy Act (20
5    U.S.C. 1232g);
6        (5) pursuant to a court order, provided that the parent
7    shall be given prompt written notice upon receipt of such
8    order of the terms of the order, the nature and substance
9    of the information proposed to be released in compliance
10    with such order and an opportunity to inspect and copy the
11    school student records and to challenge their contents
12    pursuant to Section 7;
13        (6) to any person as specifically required by State or
14    federal law;
15        (6.5) to juvenile authorities when necessary for the
16    discharge of their official duties who request information
17    prior to adjudication of the student and who certify in
18    writing that the information will not be disclosed to any
19    other party except as provided under law or order of court.
20    For purposes of this Section "juvenile authorities" means:
21    (i) a judge of the circuit court and members of the staff
22    of the court designated by the judge; (ii) parties to the
23    proceedings under the Juvenile Court Act of 1987 and their
24    attorneys; (iii) probation officers and court appointed
25    advocates for the juvenile authorized by the judge hearing
26    the case; (iv) any individual, public or private agency

 

 

SB2089- 31 -LRB101 09671 AXK 54770 b

1    having custody of the child pursuant to court order; (v)
2    any individual, public or private agency providing
3    education, medical or mental health service to the child
4    when the requested information is needed to determine the
5    appropriate service or treatment for the minor; (vi) any
6    potential placement provider when such release is
7    authorized by the court for the limited purpose of
8    determining the appropriateness of the potential
9    placement; (vii) law enforcement officers and prosecutors;
10    (viii) adult and juvenile prisoner review boards; (ix)
11    authorized military personnel; (x) individuals authorized
12    by court;
13        (7) subject to regulations of the State Board, in
14    connection with an emergency, to appropriate persons if the
15    knowledge of such information is necessary to protect the
16    health or safety of the student or other persons;
17        (8) to any person, with the prior specific dated
18    written consent of the parent designating the person to
19    whom the records may be released, provided that at the time
20    any such consent is requested or obtained, the parent shall
21    be advised in writing that he has the right to inspect and
22    copy such records in accordance with Section 5, to
23    challenge their contents in accordance with Section 7 and
24    to limit any such consent to designated records or
25    designated portions of the information contained therein;
26        (9) to a governmental agency, or social service agency

 

 

SB2089- 32 -LRB101 09671 AXK 54770 b

1    contracted by a governmental agency, in furtherance of an
2    investigation of a student's school attendance pursuant to
3    the compulsory student attendance laws of this State,
4    provided that the records are released to the employee or
5    agent designated by the agency;
6        (10) to those SHOCAP committee members who fall within
7    the meaning of "state and local officials and authorities",
8    as those terms are used within the meaning of the federal
9    Family Educational Rights and Privacy Act, for the purposes
10    of identifying serious habitual juvenile offenders and
11    matching those offenders with community resources pursuant
12    to Section 5-145 of the Juvenile Court Act of 1987, but
13    only to the extent that the release, transfer, disclosure,
14    or dissemination is consistent with the Family Educational
15    Rights and Privacy Act;
16        (11) to the Department of Healthcare and Family
17    Services in furtherance of the requirements of Section
18    2-3.131, 3-14.29, 10-28, or 34-18.26 of the School Code or
19    Section 10 of the School Breakfast and Lunch Program Act;
20    or
21        (12) to the State Board or another State government
22    agency or between or among State government agencies in
23    order to evaluate or audit federal and State programs or
24    perform research and planning, but only to the extent that
25    the release, transfer, disclosure, or dissemination is
26    consistent with the federal Family Educational Rights and

 

 

SB2089- 33 -LRB101 09671 AXK 54770 b

1    Privacy Act (20 U.S.C. 1232g).
2    (b) No information may be released pursuant to subparagraph
3(3) or (6) of paragraph (a) of this Section 6 unless the parent
4receives prior written notice of the nature and substance of
5the information proposed to be released, and an opportunity to
6inspect and copy such records in accordance with Section 5 and
7to challenge their contents in accordance with Section 7.
8Provided, however, that such notice shall be sufficient if
9published in a local newspaper of general circulation or other
10publication directed generally to the parents involved where
11the proposed release of information is pursuant to subparagraph
12(6) of paragraph (a) of this Section 6 and relates to more than
1325 students.
14    (c) A record of any release of information pursuant to this
15Section must be made and kept as a part of the school student
16record and subject to the access granted by Section 5. Such
17record of release shall be maintained for the life of the
18school student records and shall be available only to the
19parent and the official records custodian. Each record of
20release shall also include:
21        (1) the nature and substance of the information
22    released;
23        (2) the name and signature of the official records
24    custodian releasing such information;
25        (3) the name of the person requesting such information,
26    the capacity in which such a request has been made, and the

 

 

SB2089- 34 -LRB101 09671 AXK 54770 b

1    purpose of such request;
2        (4) the date of the release; and
3        (5) a copy of any consent to such release.
4    (d) Except for the student and his parents, no person to
5whom information is released pursuant to this Section and no
6person specifically designated as a representative by a parent
7may permit any other person to have access to such information
8without a prior consent of the parent obtained in accordance
9with the requirements of subparagraph (8) of paragraph (a) of
10this Section.
11    (e) Nothing contained in this Act shall prohibit, with the
12written consent of a student's parent, the publication of
13student directories which list student names, addresses and
14other identifying information and similar publications which
15comply with regulations issued by the State Board.
16(Source: P.A. 99-78, eff. 7-20-15.)
 
17    (105 ILCS 85/Act rep.)
18    Section 110. The Student Online Personal Protection Act is
19repealed.
 
20    Section 115. The Consumer Fraud and Deceptive Business
21Practices Act is amended by changing Section 2Z as follows:
 
22    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
23    Sec. 2Z. Violations of other Acts. Any person who knowingly

 

 

SB2089- 35 -LRB101 09671 AXK 54770 b

1violates the Automotive Repair Act, the Automotive Collision
2Repair Act, the Home Repair and Remodeling Act, the Dance
3Studio Act, the Physical Fitness Services Act, the Hearing
4Instrument Consumer Protection Act, the Illinois Union Label
5Act, the Installment Sales Contract Act, the Job Referral and
6Job Listing Services Consumer Protection Act, the Travel
7Promotion Consumer Protection Act, the Credit Services
8Organizations Act, the Automatic Telephone Dialers Act, the
9Pay-Per-Call Services Consumer Protection Act, the Telephone
10Solicitations Act, the Illinois Funeral or Burial Funds Act,
11the Cemetery Oversight Act, the Cemetery Care Act, the Safe and
12Hygienic Bed Act, the Illinois Pre-Need Cemetery Sales Act, the
13High Risk Home Loan Act, the Payday Loan Reform Act, the
14Mortgage Rescue Fraud Act, subsection (a) or (b) of Section
153-10 of the Cigarette Tax Act, subsection (a) or (b) of Section
163-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the
17Internet Caller Identification Act, paragraph (6) of
18subsection (k) of Section 6-305 of the Illinois Vehicle Code,
19Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150,
20or 18d-153 of the Illinois Vehicle Code, Article 3 of the
21Residential Real Property Disclosure Act, the Automatic
22Contract Renewal Act, the Reverse Mortgage Act, Section 25 of
23the Youth Mental Health Protection Act, the Personal
24Information Protection Act, or the Student Online Personal
25Protection Act of 2019 commits an unlawful practice within the
26meaning of this Act.

 

 

SB2089- 36 -LRB101 09671 AXK 54770 b

1(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642,
2eff. 7-28-16; 100-315, eff. 8-24-17; 100-416, eff. 1-1-18;
3100-863, eff. 8-14-18.)
 
4    Section 999. Effective date. This Act takes effect upon
5becoming law.