On July 1, 2021, amendments to Illinois’ Student Online Personal Protection Act (SOPPA) will go into effect. They place new obligations on Illinois public schools and operators of websites, apps, or online services designed and primarily used for K-12 school purposes, to the extent that operators receive student information from Illinois public schools.
The SOPPA amendments attempt to strengthen the protection of student data, which SOPPA calls “covered information” (CI). This means nonpublic, personally identifiable information in any media or format that (1) an operator gathers through the operation of its site, service, or app, and that personally identifies a student; or (2) is created or provided to an operator by a student, a student’s parent or guardian, or an employee or agent of a school or school district in the course of using an operator’s services.
Students’ CI may be collected only for K-12 school purposes and may not be processed in ways that are incompatible with these purposes. In addition, the amendments grant a student’s parents the right to inspect and review the student’s CI, request a copy of the CI, and request corrections to factual inaccuracies.
Requirements for Operators
The amendments place three new obligations on operators. First, operators must contract with schools before receiving CI from them. The contracts must:
- List the types of CI that the operator will receive;
- State the products or services the operator will provide;
- State (pursuant to the Family Educational Rights and Privacy Act (FERPA)) that the operator is acting as a “school official” under FERPA with a legitimate educational interest, is performing an institutional service or function under the direct control of the school concerning the CI, is using the CI only for an authorized purpose, and may not disclose CI to third parties without the school’s permission;
- Describe how the costs incurred by the school in handling a breach attributed to the operator will be allocated between the operator and the school;
- State that the operator must delete CI or transfer it to the school if the CI is no longer needed for the purposes of the contract, and the length of time that the operator has to delete or transfer the CI after it is made aware that the CI is no longer needed; and
- State that the school must make the contract publicly available on the school’s website or, if the school has no website, at its administrative offices.
Second, operators must notify schools of a breach of students’ CI as expediently as possible, and no more than thirty calendar days after determining that there has been a breach. “Breach” is newly defined as “the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of [CI] maintained by an operator or school.”
Third, operators must provide schools with a list of any third parties or affiliates to whom the operator discloses CI. The list must be updated and provided to the school by the beginning of every state fiscal year and at the beginning of each calendar year, at a minimum.
Requirements for Schools
For operators, it is important to understand the obligations imposed on schools, including their contractual and disclosure obligations. The SOPPA amendments prohibit a school from selling, renting, leasing, or trading CI. With limited exceptions, a school must have written agreements to share access to students’ CI to anyone other than the student’s parent, school personnel, and certain state and local officials.
School websites must explain how schools collect, use, and disclose CI, and to whom and why they disclose CI. School websites must also contain:
- A list of operators with whom the school has contracts, copies of the contracts, and a business address for each operator;
- A list of subcontractors to whom operators disclose CI (or a link to this information on the operator’s website);
- Procedures for parents to exercise their new rights (see above); and
- A list of breaches of CI maintained by the school.
The amendments also strengthen information security. They require schools to implement and maintain reasonable security procedures and practices – matching or exceeding industry standards – to protect CI from unauthorized access, destruction, use, modification, or disclosure, and schools must require at least the same level of security from third parties to whom the school discloses CI. If there is a breach of student CI, schools must notify parents of the affected students of a number of relevant facts, outlined in the amendments.