Illinois General Assembly - Full Text of SB0444
Illinois General Assembly

Previous General Assemblies

Full Text of SB0444  100th General Assembly

SB0444sam002 100TH GENERAL ASSEMBLY

Sen. James F. Clayborne, Jr.

Filed: 5/22/2017

 

 


 

 


 
10000SB0444sam002LRB100 04884 MLM 26708 a

1
AMENDMENT TO SENATE BILL 444

2    AMENDMENT NO. ______. Amend Senate Bill 444 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the
5Student Online Personal Protection Act.
 
6    Section 3. Legislative intent. Schools today are
7increasingly using a wide range of beneficial online services
8and other technologies to help students learn, but concerns
9have been raised about whether sufficient safeguards exist to
10protect the privacy and security of data about students when it
11is collected by educational technology companies. This Act is
12intended to ensure that student data will be protected when it
13is collected by educational technology companies and that the
14data may be used for beneficial purposes such as providing
15personalized learning and innovative educational technologies.
 

 

 

10000SB0444sam002- 2 -LRB100 04884 MLM 26708 a

1    Section 5. Definitions. In this Act:
2    "Covered information" means personally identifiable
3information or material or information that is linked to
4personally identifiable information or material in any media or
5format that is not publicly available and is any of the
6following:
7        (1) Created by or provided to an operator by a student
8    or the student's parent or legal guardian in the course of
9    the student's, parent's, or legal guardian's use of the
10    operator's site, service, or application for K through 12
11    school purposes.
12        (2) Created by or provided to an operator by an
13    employee or agent of a school or school district for K
14    through 12 school purposes.
15        (3) Gathered by an operator through the operation of
16    its site, service, or application for K through 12 school
17    purposes and personally identifies a student, including,
18    but not limited to, information in the student's
19    educational record or electronic mail, first and last name,
20    home address, telephone number, electronic mail address,
21    or other information that allows physical or online
22    contact, discipline records, test results, special
23    education data, juvenile dependency records, grades,
24    evaluations, criminal records, medical records, health
25    records, a social security number, biometric information,
26    disabilities, socioeconomic information, food purchases,

 

 

10000SB0444sam002- 3 -LRB100 04884 MLM 26708 a

1    political affiliations, religious information, text
2    messages, documents, student identifiers, search activity,
3    photos, voice recordings, or geolocation information.
4    "Interactive computer service" has the meaning ascribed to
5that term in Section 230 of the federal Communications Decency
6Act of 1996 (47 U.S.C. 230).
7    "K through 12 school purposes" means purposes that are
8directed by or that customarily take place at the direction of
9a school, teacher, or school district; aid in the
10administration of school activities, including, but not
11limited to, instruction in the classroom or at home,
12administrative activities, and collaboration between students,
13school personnel, or parents; or are otherwise for the use and
14benefit of the school.
15    "Operator" means, to the extent that an entity is operating
16in this capacity, the operator of an Internet website, online
17service, online application, or mobile application with actual
18knowledge that the site, service, or application is used
19primarily for K through 12 school purposes and was designed and
20marketed for K through 12 school purposes.
21    "School" means (1) any preschool, public kindergarten,
22elementary or secondary educational institution, vocational
23school, special educational facility, or any other elementary
24or secondary educational agency or institution or (2) any
25person, agency, or institution that maintains school student
26records from more than one school. "School" includes a private

 

 

10000SB0444sam002- 4 -LRB100 04884 MLM 26708 a

1or nonpublic school.
2    "Targeted advertising" means presenting advertisements to
3a student where the advertisement is selected based on
4information obtained or inferred over time from that student's
5online behavior, usage of applications, or covered
6information. The term does not include advertising to a student
7at an online location based upon that student's current visit
8to that location or in response to that student's request for
9information or feedback, without the retention of that
10student's online activities or requests over time for the
11purpose of targeting subsequent ads.
 
12    Section 10. Operator prohibitions. An operator shall not
13knowingly do any of the following:
14        (1) Engage in targeted advertising on the operator's
15    site, service, or application or target advertising on any
16    other site, service, or application if the targeting of the
17    advertising is based on any information, including covered
18    information and persistent unique identifiers, that the
19    operator has acquired because of the use of that operator's
20    site, service, or application for K through 12 school
21    purposes.
22        (2) Use information, including persistent unique
23    identifiers, created or gathered by the operator's site,
24    service, or application to amass a profile about a student,
25    except in furtherance of K through 12 school purposes.

 

 

10000SB0444sam002- 5 -LRB100 04884 MLM 26708 a

1    "Amass a profile" does not include the collection and
2    retention of account information that remains under the
3    control of the student, the student's parent or legal
4    guardian, or the school.
5        (3) Sell or rent a student's information, including
6    covered information. This subdivision (3) does not apply to
7    the purchase, merger, or other type of acquisition of an
8    operator by another entity if the operator or successor
9    entity complies with this Act regarding previously
10    acquired student information.
11        (4) Except as otherwise provided in Section 20 of this
12    Act, disclose covered information, unless the disclosure
13    is made for the following purposes:
14            (A) In furtherance of the K through 12 school
15        purposes of the site, service, or application if the
16        recipient of the covered information disclosed under
17        this clause (A) does not further disclose the
18        information, unless done to allow or improve
19        operability and functionality of the operator's site,
20        service, or application.
21            (B) To ensure legal and regulatory compliance or
22        take precautions against liability.
23            (C) To respond to the judicial process.
24            (D) To protect the safety or integrity of users of
25        the site or others or the security of the site,
26        service, or application.

 

 

10000SB0444sam002- 6 -LRB100 04884 MLM 26708 a

1            (E) For a school, educational, or employment
2        purpose requested by the student or the student's
3        parent or legal guardian, provided that the
4        information is not used or further disclosed for any
5        other purpose.
6            (F) To a third party if the operator contractually
7        prohibits the third party from using any covered
8        information for any purpose other than providing the
9        contracted service to or on behalf of the operator,
10        prohibits the third party from disclosing any covered
11        information provided by the operator with subsequent
12        third parties, and requires the third party to
13        implement and maintain reasonable security procedures
14        and practices.
15    Nothing in this Section prohibits the operator's use of
16information for maintaining, developing, supporting,
17improving, or diagnosing the operator's site, service, or
18application.
 
19    Section 15. Operator duties. An operator shall do the
20following:
21        (1) Implement and maintain reasonable security
22    procedures and practices appropriate to the nature of the
23    covered information and designed to protect that covered
24    information from unauthorized access, destruction, use,
25    modification, or disclosure.

 

 

10000SB0444sam002- 7 -LRB100 04884 MLM 26708 a

1        (2) Delete, within a reasonable time period, a
2    student's covered information if the school or school
3    district requests deletion of covered information under
4    the control of the school or school district, unless a
5    student or his or her parent or legal guardian consents to
6    the maintenance of the covered information.
7        (3) Publicly disclose material information about its
8    collection, use, and disclosure of covered information,
9    including, but not limited to, publishing a terms of
10    service agreement, privacy policy, or similar document.
 
11    Section 20. Permissive use or disclosure.
12    (a) An operator may use or disclose covered information of
13a student under the following circumstances:
14        (1) If other provisions of federal or State law require
15    the operator to disclose the information, and the operator
16    complies with the requirements of federal and State law in
17    protecting and disclosing that information.
18        (2) For legitimate research purposes as required by
19    State or federal law and subject to the restrictions under
20    applicable State and federal law or as allowed by State or
21    federal law and under the direction of a school, school
22    district, or the State Board of Education if the covered
23    information is not used for advertising or to amass a
24    profile on the student for purposes other than for K
25    through 12 school purposes.

 

 

10000SB0444sam002- 8 -LRB100 04884 MLM 26708 a

1        (3) To a State or local educational agency, including
2    schools and school districts, for K through 12 school
3    purposes, as permitted by State or federal law.
4        (4) For the purpose of identifying or displaying
5    information to the student about or facilitating the
6    connection of the student with a not-for-profit
7    institution of higher education or a scholarship
8    opportunity. Information under this paragraph (4) may be
9    disclosed only if the operator has first obtained the
10    express written consent of the student's parent or legal
11    guardian or, if the student is 18 years old or older or is
12    an emancipated minor, the student. For the purposes of this
13    paragraph (4), express written consent may be obtained as a
14    response to the annual notice required under 34 CFR 99.7
15    and is not required to be in addition to consent given in
16    response to that annual notice.
17    If the operator is a national assessment provider and the
18student's covered information is not being collected or used
19for K through 12 school purposes but is collected and used for
20a college entrance exam, the national assessment provider may,
21in response to a request directly from the student who owns the
22covered information and upon securing the express written
23consent of the student or the student's parent or legal
24guardian given in response to clear and conspicuous notice, use
25or disclose covered information solely to provide the student
26with access to employment opportunities, educational

 

 

10000SB0444sam002- 9 -LRB100 04884 MLM 26708 a

1scholarships, financial aid, or postsecondary educational
2opportunities.
3    (b) A school may use or disclose covered information of a
4student for the purpose of identifying or displaying
5information to the student about or facilitating the connection
6of the student with a not-for-profit institution of higher
7education or a scholarship opportunity. Information under this
8subsection (b) may be disclosed only if the operator has first
9obtained the express written consent of the student's parent or
10legal guardian or, if the student is 18 years old or older or
11is an emancipated minor, the student. For the purposes of this
12subsection (b), express written consent may be obtained as a
13response to the annual notice required under 34 CFR 99.7 and is
14not required to be in addition to consent given in response to
15that annual notice.
 
16    Section 25. Operator actions that are not prohibited. This
17Act does not prohibit an operator from doing any of the
18following:
19        (1) Using covered information to improve educational
20    products if that information is not associated with an
21    identified student within the operator's site, service, or
22    application or other sites, services, or applications
23    owned by the operator.
24        (2) Using covered information that is not associated
25    with an identified student to demonstrate the

 

 

10000SB0444sam002- 10 -LRB100 04884 MLM 26708 a

1    effectiveness of the operator's products or services,
2    including in their marketing.
3        (3) Sharing covered information that is not associated
4    with an identified student for the development and
5    improvement of educational sites, services, or
6    applications.
7        (4) Using recommendation engines to recommend to a
8    student either of the following:
9            (A) Additional content relating to an educational,
10        other learning, or employment opportunity purpose
11        within an online site, service, or application if the
12        recommendation is not determined in whole or in part by
13        payment or other consideration from a third party.
14            (B) Additional services relating to an
15        educational, other learning, or employment opportunity
16        purpose within an online site, service, or application
17        if the recommendation is not determined in whole or in
18        part by payment or other consideration from a third
19        party.
20        (5) Responding to a student's request for information
21    or for feedback without the information or response being
22    determined in whole or in part by payment or other
23    consideration from a third party.
 
24    Section 30. Applicability. This Act does not do any of the
25following:

 

 

10000SB0444sam002- 11 -LRB100 04884 MLM 26708 a

1        (1) Limit the authority of a law enforcement agency to
2    obtain any content or information from an operator as
3    authorized by law or under a court order.
4        (2) Limit the ability of an operator to use student
5    data, including covered information, for adaptive learning
6    or customized student learning purposes.
7        (3) Apply to general audience Internet websites,
8    general audience online services, general audience online
9    applications, or general audience mobile applications,
10    even if login credentials created for an operator's site,
11    service, or application may be used to access those general
12    audience sites, services, or applications.
13        (4) Limit service providers from providing Internet
14    connectivity to schools or students and their families.
15        (5) Prohibit an operator of an Internet website, online
16    service, online application, or mobile application from
17    marketing educational products directly to parents if the
18    marketing did not result from the use of covered
19    information obtained by the operator through the provision
20    of services covered under this Act.
21        (6) Impose a duty upon a provider of an electronic
22    store, gateway, marketplace, or other means of purchasing
23    or downloading software or applications to review or
24    enforce compliance with this Act on those applications or
25    software.
26        (7) Impose a duty upon a provider of an interactive

 

 

10000SB0444sam002- 12 -LRB100 04884 MLM 26708 a

1    computer service to review or enforce compliance with this
2    Act by third-party content providers.
3        (8) Prohibit students from downloading, exporting,
4    transferring, saving, or maintaining their own student
5    data or documents.
6        (9) Supersede the federal Family Educational Rights
7    and Privacy Act of 1974 or rules adopted pursuant to that
8    Act or the Illinois School Student Records Act.
 
9    Section 35. Enforcement. Violations of this Act shall
10constitute unlawful practices for which the Attorney General
11may take appropriate action under the Consumer Fraud and
12Deceptive Business Practices Act.
 
13    Section 40. Severability. The provisions of this Act are
14severable under Section 1.31 of the Statute on Statutes.
 
15    Section 50. The Consumer Fraud and Deceptive Business
16Practices Act is amended by changing Section 2Z as follows:
 
17    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
18    Sec. 2Z. Violations of other Acts. Any person who knowingly
19violates the Automotive Repair Act, the Automotive Collision
20Repair Act, the Home Repair and Remodeling Act, the Dance
21Studio Act, the Physical Fitness Services Act, the Hearing
22Instrument Consumer Protection Act, the Illinois Union Label

 

 

10000SB0444sam002- 13 -LRB100 04884 MLM 26708 a

1Act, the Job Referral and Job Listing Services Consumer
2Protection Act, the Travel Promotion Consumer Protection Act,
3the Credit Services Organizations Act, the Automatic Telephone
4Dialers Act, the Pay-Per-Call Services Consumer Protection
5Act, the Telephone Solicitations Act, the Illinois Funeral or
6Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care
7Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales
8Act, the High Risk Home Loan Act, the Payday Loan Reform Act,
9the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section
103-10 of the Cigarette Tax Act, subsection (a) or (b) of Section
113-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the
12Internet Caller Identification Act, paragraph (6) of
13subsection (k) of Section 6-305 of the Illinois Vehicle Code,
14Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150,
15or 18d-153 of the Illinois Vehicle Code, Article 3 of the
16Residential Real Property Disclosure Act, the Automatic
17Contract Renewal Act, the Reverse Mortgage Act, Section 25 of
18the Youth Mental Health Protection Act, or the Personal
19Information Protection Act, or the Student Online Personal
20Protection Act commits an unlawful practice within the meaning
21of this Act.
22(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642,
23eff. 7-28-16.)
 
24    Section 99. Effective date. This Act takes effect upon
25becoming law.".