As of July 1, 2021, the amendments to the Student Online Personal Protection Act (SOPPA), passed and signed into law in 2019, will take effect. These amendments require school districts to provide protection for student data when collected by educational technology companies, and require that data to be used for beneficial purposes only. (105 ILCS 85).

Prior to the amendments, SOPPA only regulated operators of websites, services, or applications that were used and marketed for K-12 educational purposes. Now, in addition to regulating those technology providers, SOPPA imposes requirements on school districts as well as the Illinois State Board of Education. This summary focuses on the new requirements imposed on schools/ school districts.

School districts have the following new requirements, which are set forth in 105 ILCS 85/27:

1) Posting duties.

Each school/ school district must post and maintain on its website, or, if no website is maintained, make available for inspection by the general public at its administrative office, all of the following information. The school must update the items under paragraphs a, c, d, and e below twice per year; by January 30, and within 30 days of the start of each fiscal year.

a) A clear and understandable explanation of the data elements of covered information (this is defined as personally identifiable information or material or information that is linked to personally identifiable information) collected or maintained by the school, or which is disclosed by the school to any entity. The explanation must also contain information about how the school uses the data, and to whom and for what purpose any disclosures are made.

b) A list of all operators of websites, online services, and applications (internet and/or mobile) with which the school has written agreements, along with a copy of each agreement (can be redacted as provided), and a business address for each operator. Contracts must be posted within 10 days of signing.

c) For each of the disclosed operators, a list of any subcontractors to whom covered information may be disclosed, or a link to a page on the operator’s website that clearly lists that information.

d) A written description of the procedures that a parent can use to carry out their SOPPA rights, which are to inspect, review, and correct the information maintained by the school, operator, or ISBE.

e) A list of any data breaches of covered information, including the number of students whose information is involved (unless disclosure would otherwise violate the provisions of the Personal Information Protection Act (815 ILCS 530/et seq); the date, estimated date, or estimated date range of the breach, and, if applicable, the name of the operator. There are a number of exemptions from this provision: data breaches where less than 10% of the enrolled students are involved; any breach in which there is no duty to notify a parent as described below; and any breach previously posted no more than 5 years prior to the list update.

2) Policy duties.

Schools/ school districts have to adopt a policy for designating which school employees are authorized to enter into written agreements with operators. Individual employees can enter into agreements on their own behalf and not for school purposes, so long as no covered information is provided to operators.

Schools also must implement reasonable security procedures and practices that meet or exceed industry standards, designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. Written agreements where information is shared must include a provision requiring the operator to implement and maintain the same security procedures and practices.

Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian under the Illinois School Student Records Act.

A policy for ensuring that parents can exercise their parental rights under SOPPA must be developed (and posted, as described above) which provides procedures for inspection and review of the student’s information, whether maintained by the school, operator, or ISBE; requesting a paper or electronic copy of the same information; and requesting the correction of factual inaccuracies in the covered information. The policy must provide that the school correct the inaccuracy within 90 days if the school maintains the information; and must notify ISBE or the operator if those parties maintain the information.

Finally, the school/ school district must implement a policy for parental notification of any data breach involving their children. This notification must occur no later than 30 calendar days after receipt of the notice of the breach and must include the date, estimated date, or estimated date range of the breach, a description of the covered information compromised, contact information the parent may use to contact the operator and school regarding the breach, the toll-free numbers, addresses, and websites for the consumer reporting agencies and the Federal Trade Commission, and a statement that the parent may obtain information from the FTC about fraud alerts and security freezes.

3) Prohibitions.

The SOPPA amendments also contain a blanket prohibition on schools/ school districts selling, renting, leasing, or trading covered information; as well as sharing, transferring, disclosing, or providing access to a student’s covered information to any individual or entity other than the student’s parent, school personnel, school board members, or ISBE, without a written agreement—unless required by law.

If you have any further questions, please feel free to contact the authors of this article; Thomas M. Melody (tmmelody@ktjlaw.com) or Anne M. Skrodzki (amskrodzki@ktjlaw.com)