Illinois General Assembly - Full Text of SB0444

Full Text of SB0444  100th General Assembly

SB0444eng 100TH GENERAL ASSEMBLY

SB0444 Engrossed LRB100 04884 MLM 14894 b

    AN ACT concerning education.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Student Online Personal Protection Act.
 
    Section 3. Legislative intent. Schools today are increasingly using a wide range of beneficial online services and other technologies to help students learn, but concerns have been raised about whether sufficient safeguards exist to protect the privacy and security of data about students when it is collected by educational technology companies. This Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies.
 
    Section 5. Definitions. In this Act:
    "Covered information" means personally identifiable information or material or information that is linked to personally identifiable information or material in any media or format that is not publicly available and is any of the following:
        (1) Created by or provided to an operator by a student or the student's parent or legal guardian in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K through 12 school purposes.
        (2) Created by or provided to an operator by an employee or agent of a school or school district for K through 12 school purposes.
        (3) Gathered by an operator through the operation of its site, service, or application for K through 12 school purposes and personally identifies a student, including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, a social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
    "Interactive computer service" has the meaning ascribed to that term in Section 230 of the federal Communications Decency Act of 1996 (47 U.S.C. 230).
    "K through 12 school purposes" means purposes that are directed by or that customarily take place at the direction of a school, teacher, or school district; aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or are otherwise for the use and benefit of the school.
    "Operator" means, to the extent that an entity is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes.
    "School" means (1) any preschool, public kindergarten, elementary or secondary educational institution, vocational school, special educational facility, or any other elementary or secondary educational agency or institution or (2) any person, agency, or institution that maintains school student records from more than one school. "School" includes a private or nonpublic school.
    "Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. The term does not include advertising to a student at an online location based upon that student's current visit to that location or in response to that student's request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent ads.
 
    Section 10. Operator prohibitions. An operator shall not knowingly do any of the following:
        (1) Engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K through 12 school purposes.
        (2) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application to amass a profile about a student, except in furtherance of K through 12 school purposes. "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent or legal guardian, or the school.
        (3) Sell or rent a student's information, including covered information. This subdivision (3) does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity complies with this Act regarding previously acquired student information.
        (4) Except as otherwise provided in Section 20 of this Act, disclose covered information, unless the disclosure is made for the following purposes:
            (A) In furtherance of the K through 12 school purposes of the site, service, or application if the recipient of the covered information disclosed under this clause (A) does not further disclose the information, unless done to allow or improve operability and functionality of the operator's site, service, or application.
            (B) To ensure legal and regulatory compliance or take precautions against liability.
            (C) To respond to the judicial process.
            (D) To protect the safety or integrity of users of the site or others or the security of the site, service, or application.
            (E) For a school, educational, or employment purpose requested by the student or the student's parent or legal guardian, provided that the information is not used or further disclosed for any other purpose.
            (F) To a third party if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices.
    Nothing in this Section prohibits the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.
 
    Section 15. Operator duties. An operator shall do the following:
        (1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure.
        (2) Delete, within a reasonable time period, a student's covered information if the school or school district requests deletion of covered information under the control of the school or school district, unless a student or his or her parent or legal guardian consents to the maintenance of the covered information.
        (3) Publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document.
 
    Section 20. Permissive use or disclosure.
    (a) An operator may use or disclose covered information of a student under the following circumstances:
        (1) If other provisions of federal or State law require the operator to disclose the information, and the operator complies with the requirements of federal and State law in protecting and disclosing that information.
        (2) For legitimate research purposes as required by State or federal law and subject to the restrictions under applicable State and federal law or as allowed by State or federal law and under the direction of a school, school district, or the State Board of Education if the covered information is not used for advertising or to amass a profile on the student for purposes other than for K through 12 school purposes.
        (3) To a State or local educational agency, including schools and school districts, for K through 12 school purposes, as permitted by State or federal law.
        (4) For the purpose of identifying or displaying information to the student about or facilitating the connection of the student with a not-for-profit institution of higher education or a scholarship opportunity. Information under this paragraph (4) may be disclosed only if the operator has first obtained the express written consent of the student's parent or legal guardian or, if the student is 18 years old or older or is an emancipated minor, the student. For the purposes of this paragraph (4), express written consent may be obtained as a response to the annual notice required under 34 CFR 99.7 and is not required to be in addition to consent given in response to that annual notice.
    If the operator is a national assessment provider and the student's covered information is not being collected or used for K through 12 school purposes but is collected and used for a college entrance exam, the national assessment provider may, in response to a request directly from the student who owns the covered information and upon securing the express written consent of the student or the student's parent or legal guardian given in response to clear and conspicuous notice, use or disclose covered information solely to provide the student with access to employment opportunities, educational scholarships, financial aid, or postsecondary educational opportunities.
    (b) A school may use or disclose covered information of a student for the purpose of identifying or displaying information to the student about or facilitating the connection of the student with a not-for-profit institution of higher education or a scholarship opportunity. Information under this subsection (b) may be disclosed only if the operator has first obtained the express written consent of the student's parent or legal guardian or, if the student is 18 years old or older or is an emancipated minor, the student. For the purposes of this subsection (b), express written consent may be obtained as a response to the annual notice required under 34 CFR 99.7 and is not required to be in addition to consent given in response to that annual notice.
 
    Section 25. Operator actions that are not prohibited. This Act does not prohibit an operator from doing any of the following:
        (1) Using covered information to improve educational products if that information is not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator.
        (2) Using covered information that is not associated with an identified student to demonstrate the effectiveness of the operator's products or services, including in their marketing.
        (3) Sharing covered information that is not associated with an identified student for the development and improvement of educational sites, services, or applications.
        (4) Using recommendation engines to recommend to a student either of the following:
            (A) Additional content relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.
            (B) Additional services relating to an educational, other learning, or employment opportunity purpose within an online site, service, or application if the recommendation is not determined in whole or in part by payment or other consideration from a third party.
        (5) Responding to a student's request for information or for feedback without the information or response being determined in whole or in part by payment or other consideration from a third party.
 
    Section 30. Applicability. This Act does not do any of the following:
        (1) Limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or under a court order.
        (2) Limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes.
        (3) Apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.
        (4) Limit service providers from providing Internet connectivity to schools or students and their families.
        (5) Prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this Act.
        (6) Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this Act on those applications or software.
        (7) Impose a duty upon a provider of an interactive computer service to review or enforce compliance with this Act by third-party content providers.
        (8) Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student data or documents.
        (9) Supersede the federal Family Educational Rights and Privacy Act of 1974 or rules adopted pursuant to that Act or the Illinois School Student Records Act.
 
    Section 35. Enforcement. Violations of this Act shall constitute unlawful practices for which the Attorney General may take appropriate action under the Consumer Fraud and Deceptive Business Practices Act.
 
    Section 40. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.
 
    Section 50. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:
 
    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
    Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Automotive Collision Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales Act, the High Risk Home Loan Act, the Payday Loan Reform Act, the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the Internet Caller Identification Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150, or 18d-153 of the Illinois Vehicle Code, Article 3 of the Residential Real Property Disclosure Act, the Automatic Contract Renewal Act, the Reverse Mortgage Act, Section 25 of the Youth Mental Health Protection Act, or the Personal Information Protection Act, or the Student Online Personal Protection Act commits an unlawful practice within the meaning of this Act.
(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642, eff. 7-28-16.)
 
    Section 99. Effective date. This Act takes effect upon becoming law.