103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB2256

 

Introduced 2/10/2023, by Sen. Robert F. Martwick

 

SYNOPSIS AS INTRODUCED:
 
105 ILCS 85/5
105 ILCS 85/15
105 ILCS 85/25
105 ILCS 85/26
105 ILCS 85/27
105 ILCS 85/30

    Amends the Student Online Personal Protection Act. Provides that "covered information" does not include de-identified or aggregate information from which all personally identifiable information of a student has been removed. Makes conforming changes. Provides that the covered information restrictions shall be included as part of the operator's terms of service agreement, privacy policy, or similar document (instead of requiring that an operator enter into a written agreement with the school, school district, or State Board before the covered information may be transferred). Removes provisions requiring that if the school maintains a website, the operator shall provide a statement that the school must publish the written agreement on the school's website. Makes related changes. Provides that a statement that the operator will implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. Provides that the business address of the operator and a link to the terms of service agreement, privacy policy, or similar document shall be provided. Provides that an operator is not prohibited from using de-identified or aggregate information from which all personally identifiable information of a student has been removed. Removes restrictions prohibiting a school from sharing, transferring, disclosing, or providing access to a student's covered information to an entity or individual. Makes other changes.


LRB103 27298 RJT 53669 b

A BILL FOR

SB2256 LRB103 27298 RJT 53669 b

    AN ACT concerning education.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 5. The Student Online Personal Protection Act is
amended by changing Sections 5, 15, 25, 26, 27 and 30 as
follows:

    (105 ILCS 85/5)
    Sec. 5. Definitions. In this Act:
    "Breach" means the unauthorized acquisition of
computerized data that compromises the security,
confidentiality, or integrity of covered information
maintained by an operator or school. "Breach" does not include
the good faith acquisition of covered personal information by
an employee or agent of an operator or school for a legitimate
purpose of the operator or school if the covered information
is not used for a purpose prohibited by this Act or subject to
further unauthorized disclosure.
    "Covered information" means personally identifiable
information or material of a student or information that is
linked to personally identifiable information or material in
any media or format that is not publicly available and is any
of the following:
        (1) Created by or provided to an operator by a student
    or the student's parent in the course of the student's or
    parent's use of the operator's site, service, or
    application for K through 12 school purposes.
        (2) Created by or provided to an operator by an
    employee or agent of a school or school district for K
    through 12 school purposes.
        (3) Gathered by an operator through the operation of
    its site, service, or application for K through 12 school
    purposes and personally identifies a student, including,
    but not limited to, information in the student's
    educational record or electronic mail, first and last
    name, home address, telephone number, electronic mail
    address, or other information that allows physical or
    online contact, discipline records, test results, special
    education data, juvenile dependency records, grades,
    evaluations, criminal records, medical records, health
    records, a social security number, biometric information,
    disabilities, socioeconomic information, food purchases,
    political affiliations, religious information, text
    messages, documents, student identifiers, search activity,
    photos, voice recordings, or geolocation information.
    The term does not include de-identified or aggregate
information from which all personally identifiable information
of a student has been removed.
    "Interactive computer service" has the meaning ascribed to
that term in Section 230 of the federal Communications Decency
Act of 1996 (47 U.S.C. 230).
    "K through 12 school purposes" means purposes that are
directed by or that customarily take place at the direction of
a school, teacher, or school district; aid in the
administration of school activities, including, but not
limited to, instruction in the classroom or at home,
administrative activities, and collaboration between students,
school personnel, or parents; or are otherwise for the use and
benefit of the school.
    "Longitudinal data system" has the meaning given to that
term under the P-20 Longitudinal Education Data System Act.
    "Operator" means, to the extent that an entity is
operating in this capacity, the operator of an Internet
website, online service, online application, or mobile
application with actual knowledge that the site, service, or
application is used primarily for K through 12 school purposes
and was designed and marketed for K through 12 school
purposes.
    "Parent" has the meaning given to that term under the
Illinois School Student Records Act.
    "School" means (1) any preschool, public kindergarten,
elementary or secondary educational institution, vocational
school, special educational facility, or any other elementary
or secondary educational agency or institution or (2) any
person, agency, or institution that maintains school student
records from more than one school. Except as otherwise
provided in this Act, "school" includes a private or nonpublic
school.
    "State Board" means the State Board of Education.
    "Student" has the meaning given to that term under the
Illinois School Student Records Act.
    "Targeted advertising" means presenting advertisements to
a student where the advertisement is selected based on
information obtained or inferred from that student's online
behavior, usage of applications, or covered information. The
term does not include advertising to a student at an online
location based upon that student's current visit to that
location or in response to that student's request for
information or feedback, without the retention of that
student's online activities or requests over time for the
purpose of targeting subsequent ads.
(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)

    (105 ILCS 85/15)
    Sec. 15. Operator duties. An operator shall do the
following:
        (1) Implement and maintain reasonable security
    procedures and practices that otherwise meet or exceed
    industry standards designed to protect covered information
    from unauthorized access, destruction, use, modification,
    or disclosure.
        (2) Delete, within a reasonable time period, a
    student's covered information if the school or school
    district requests deletion of covered information under
    the control of the school or school district, unless a
    student or his or her parent consents to the maintenance
    of the covered information.
        (3) Publicly disclose material information about its
    collection, use, and disclosure of covered information,
    including, but not limited to, publishing a terms of
    service agreement, privacy policy, or similar document.
        (4) Except for a nonpublic school, for any operator
    who receives seeks to receive from a public school, school
    district, or the State Board in any manner any covered
    information, must include as part of their service
    agreement, privacy policy, or similar document the
    following: enter into a written agreement with the school,
    school district, or State Board before the covered
    information may be transferred. The written agreement may
    be created in electronic form and signed with an
    electronic or digital signature or may be a click wrap
    agreement that is used with software licenses, downloaded
    or online applications and transactions for educational
    technologies, or other technologies in which a user must
    agree to terms and conditions before using the product or
    service. Any written agreement entered into, amended, or
    renewed must contain all of the following:
            (A) A listing of the categories or types of
        covered information to be provided by the school to
        the operator.
            (B) A statement of the product or service being
        provided to the school by the operator.
            (C) A statement that, pursuant to the federal
        Family Educational Rights and Privacy Act of 1974, the
        operator is acting as a school official with a
        legitimate educational interest, is performing an
        institutional service or function for which the school
        would otherwise use employees, under the direct
        control of the school, with respect to the use and
        maintenance of covered information, and is using the
        covered information only for an authorized purpose and
        may not re-disclose it to third parties or affiliates,
        unless otherwise permitted under this Act, without
        permission from the school or pursuant to court order.
            (D) A statement that description of how, if a
        breach is attributed to the operator, any costs and
        expenses incurred by the school in investigating and
        remediating the breach will be allocated to between
        the operator and the school. The costs and expenses
        shall may include, but are not limited to:
                (i) providing notification to the parents of
            those students whose covered information was
            compromised and to regulatory agencies or other
            entities as required by law or contract;
                (ii) providing credit monitoring to those
            students whose covered information was exposed in
            a manner during the breach that a reasonable
            person would believe that it could impact his or
            her credit or financial security;
                (iii) legal fees, audit costs, fines, and any
            other fees or damages imposed against the school
            as a result of the security breach; and
                (iv) providing any other notifications or
            fulfilling any other requirements adopted by the
            State Board or of any other State or federal laws.
            (E) A statement that the operator must delete or
        transfer to the school all covered information if the
        information is no longer needed for the purposes of
        the school's use of the operator's site, service, or
        application the written agreement and to specify the
        time period in which the information must be deleted
        or transferred once the operator is made aware that
        the information is no longer needed for the purposes
        of the school's use of the operator's site, service,
        or application written agreement.
            (F) (Blank) If the school maintains a website, a
        statement that the school must publish the written
        agreement on the school's website. If the school does
        not maintain a website, a statement that the school
        must make the written agreement available for
        inspection by the general public at its administrative
        office. If mutually agreed upon by the school and the
        operator, provisions of the written agreement, other
        than those under subparagraphs (A), (B), and (C), may
        be redacted in the copy of the written agreement
        published on the school's website or made available at
        its administrative office.
            (G) A statement that the operator will implement
        and maintain reasonable security procedures and
        practices that otherwise meet or exceed industry
        standards designed to protect covered information from
        unauthorized access, destruction, use, modification,
        or disclosure.
            (H) The business address of the operator and a
        link to the terms of service agreement, privacy
        policy, or similar document.
        (5) In case of any breach, within the most expedient
    time possible and without unreasonable delay, but no later
    than 30 calendar days after the determination that a
    breach has occurred, notify the school of any breach of
    the students' covered information.
        (6) Except for a nonpublic school, maintain provide to
    the school a list of any third parties or affiliates to
    whom the operator is currently disclosing covered
    information or has disclosed covered information on its
    site, service, or application. This list must, at a
    minimum, be updated and provided to the school by the
    beginning of each State fiscal year and at the beginning
    of each calendar year.
(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)

    (105 ILCS 85/25)
    Sec. 25. Operator actions that are not prohibited. This
Act does not prohibit an operator from doing any of the
following:
        (1) Using de-identified or aggregate information from
    which all personally identifiable information of a student
    has been removed covered information to improve
    educational products if that information is not associated
    with an identified student within the operator's site,
    service, or application or other sites, services, or
    applications owned by the operator.
        (2) Using de-identified or aggregate information from
    which all personally identifiable information of a student
    has been removed covered information that is not
    associated with an identified student to demonstrate the
    effectiveness of the operator's products or services,
    including in their marketing.
        (3) Sharing de-identified or aggregate information
    from which all personally identifiable information of a
    student has been removed covered information that is not
    associated with an identified student for the development
    and improvement of educational sites, services, or
    applications.
        (4) Using recommendation engines to recommend to a
    student either of the following:
            (A) Additional content relating to an educational,
        other learning, or employment opportunity purpose
        within an online site, service, or application if the
        recommendation is not determined in whole or in part
        by payment or other consideration from a third party.
            (B) Additional services relating to an
        educational, other learning, or employment opportunity
        purpose within an online site, service, or application
        if the recommendation is not determined in whole or in
        part by payment or other consideration from a third
        party.
        (5) Responding to a student's request for information
    or for feedback without the information or response being
    determined in whole or in part by payment or other
    consideration from a third party.
(Source: P.A. 100-315, eff. 8-24-17.)

    (105 ILCS 85/26)
    Sec. 26. School prohibitions. A school may not do either
of the following:
        (1) Sell, rent, lease, or trade covered information.
        (2) (Blank). Share, transfer, disclose, or provide
    access to a student's covered information to an entity or
    individual, other than the student's parent, school
    personnel, appointed or elected school board members or
    local school council members, or the State Board, without
    a written agreement, unless the disclosure or transfer is:
            (A) to the extent permitted by State or federal
        law, to law enforcement officials to protect the
        safety of users or others or the security or integrity
        of the operator's service;
            (B) required by court order or State or federal
        law; or
            (C) to ensure legal or regulatory compliance.
        This paragraph (2) does not apply to nonpublic
    schools.
(Source: P.A. 101-516, eff. 7-1-21.)

    (105 ILCS 85/27)
    Sec. 27. School duties.
    (a) Each school shall post and maintain on its website or,
if the school does not maintain a website, make available for
inspection by the general public at its administrative office
all of the following information:
        (1) An explanation, that is clear and understandable
    by a layperson, of the data elements of covered
    information that the school collects, maintains, or
    discloses to any operator person, entity, third party, or
    governmental agency. The information must explain how the
    school uses, to whom or what entities it discloses, and
    for what purpose it discloses the covered information.
        (2) A list of the operators of any educational sites,
    services, or applications used by the school, that the
    school has written agreements with, a copy of each written
    agreement, and a business address for each operator, and a
    link to each operator's terms of service, privacy policy,
    or similar document. A copy of a written agreement posted
    or made available by a school under this paragraph may
    contain redactions, as provided under subparagraph (F) of
    paragraph (4) of Section 15.
        (3) For each operator, a list of any subcontractors to
    whom covered information may be disclosed or a link to a
    page on the operator's website that clearly lists the that
    information third parties or affiliates to whom the
    operator is currently disclosing covered information or
    has disclosed covered information, as provided by the
    operator to the school under paragraph (6) of Section 15.
        (4) A written description of the procedures that a
    parent may use to carry out the rights enumerated under
    Section 33.
        (5) A list of any breaches of covered information
    maintained by the school or breaches under Section 15 that
    includes, but is not limited to, all of the following
    information:
            (A) The number of students whose covered
        information is involved in the breach, unless
        disclosing that number would violate the provisions of
        the Personal Information Protection Act.
            (B) The date, estimated date, or estimated date
        range of the breach.
            (C) For a breach under Section 15, the name of the
        operator.
        The school may omit from the list required under this
    paragraph (5): (i) any breach in which, to the best of the
    school's knowledge at the time of updating the list, the
    number of students whose covered information is involved
    in the breach is less than 10% of the school's enrollment,
    (ii) any breach in which, at the time of posting the list,
    the school is not required to notify the parent of a
    student under subsection (d), (iii) any breach in which
    the date, estimated date, or estimated date range in which
    it occurred is earlier than July 1, 2021, or (iv) any
    breach previously posted on a list under this paragraph
    (5) no more than 5 years prior to the school updating the
    current list.
    The school must, at a minimum, update the items under
paragraphs (1), (3), (4), and (5) no later than 30 calendar
days following the start of a fiscal year and no later than 30
days following the beginning of a calendar year.
    (b) Each school must adopt a policy for designating which
school employees are authorized to enter into written
agreements with operators. This subsection may not be
construed to limit individual school employees outside of the
scope of their employment from entering into agreements with
operators on their own behalf and for non-K through 12 school
purposes, provided that no covered information is provided to
the operators. Any agreement or contract entered into in
violation of this Act is void and unenforceable as against
public policy.
    (c) A school must post on its website or, if the school
does not maintain a website, make available at its
administrative office for inspection by the general public
each written agreement entered into under this Act, along with
any information required under subsection (a), no later than
10 business days after entering into the agreement.
    (d) After receipt of notice of a breach under Section 15 or
determination of a breach of covered information maintained by
the school, a school shall notify, no later than 30 calendar
days after receipt of the notice or determination that a
breach has occurred, the parent of any student whose covered
information is involved in the breach. The notification must
include, but is not limited to, all of the following:
        (1) The date, estimated date, or estimated date range
    of the breach.
        (2) A description of the covered information that was
    compromised or reasonably believed to have been
    compromised in the breach.
        (3) Information that the parent may use to contact the
    operator and school to inquire about the breach.
        (4) The toll-free numbers, addresses, and websites for
    consumer reporting agencies.
        (5) The toll-free number, address, and website for the
    Federal Trade Commission.
        (6) A statement that the parent may obtain information
    from the Federal Trade Commission and consumer reporting
    agencies about fraud alerts and security freezes.
    A notice of breach required under this subsection may be
delayed if an appropriate law enforcement agency determines
that the notification will interfere with a criminal
investigation and provides the school with a written request
for a delay of notice. A school must comply with the
notification requirements as soon as the notification will no
longer interfere with the investigation.
    (e) Each school must implement and maintain reasonable
security procedures and practices that otherwise meet or
exceed industry standards designed to protect covered
information from unauthorized access, destruction, use,
modification, or disclosure. Any written agreement under which
the disclosure of covered information between the school and a
third party takes place must include a provision requiring the
entity to whom the covered information is disclosed to
implement and maintain reasonable security procedures and
practices that otherwise meet or exceed industry standards
designed to protect covered information from unauthorized
access, destruction, use, modification, or disclosure. The
State Board must make available on its website a guidance
document for schools pertaining to reasonable security
procedures and practices under this subsection.
    (f) Each school may designate an appropriate staff person
as a privacy officer, who may also be an official records
custodian as designated under the Illinois School Student
Records Act, to carry out the duties and responsibilities
assigned to schools and to ensure compliance with the
requirements of this Section and Section 26.
    (g) A school shall make a request, pursuant to paragraph
(2) of Section 15, to an operator to delete covered
information on behalf of a student's parent if the parent
requests from the school that the student's covered
information held by the operator be deleted, so long as the
deletion of the covered information is not in violation of
State or federal records laws and the school has determined
the covered information is not needed to administer its
curriculum.
    (h) This Section does not apply to nonpublic schools.
(Source: P.A. 101-516, eff. 7-1-21; 102-558, eff. 8-20-21.)

    (105 ILCS 85/30)
    Sec. 30. Applicability. This Act does not do any of the
following:
        (1) Limit the authority of a law enforcement agency to
    obtain any content or information from an operator as
    authorized by law or under a court order.
        (2) Limit the ability of an operator to use student
    data, including covered information, for adaptive learning
    or customized student learning purposes.
        (3) Apply to general audience Internet websites,
    general audience online services, general audience online
    applications, or general audience mobile applications,
    even if login credentials created for an operator's site,
    service, or application may be used to access those
    general audience sites, services, or applications.
        (4) Limit service providers from providing Internet
    connectivity to schools or students and their families.
        (5) Prohibit an operator of an Internet website,
    online service, online application, or mobile application
    from marketing educational products directly to parents if
    the marketing did not result from the use of covered
    information obtained by the operator through the provision
    of services covered under this Act.
        (6) Impose a duty upon a provider of an electronic
    store, gateway, marketplace, or other means of purchasing
    or downloading software or applications to review or
    enforce compliance with this Act on those applications or
    software.
1        (7) Impose a duty upon a provider of an interactive
2    computer service to review or enforce compliance with this
3    Act by third-party content providers.
4        (8) Prohibit students from downloading, exporting,
5    transferring, saving, or maintaining their own student
6    data or documents.
7        (9) Supersede the federal Family Educational Rights
8    and Privacy Act of 1974, the Illinois School Student
9    Records Act, or any rules adopted pursuant to those Acts.
10        (10) Prohibit an operator or school from producing and
11    distributing, free or for consideration, student class
12    photos and yearbooks to the school, libraries, students,
13    parents, or individuals authorized by parents and to no
14    others, in accordance with the terms of a written
15    agreement between the operator and the school.
16(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)