Student Online Personal Protection Act (SOPPA)
Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).
Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element. School districts must:
1. Annually post a list of all operators of online services or applications utilized by the district.
2. Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.
3. Post contracts for each operator within 10 days of signing.
4. Annually post subcontractors for each operator.
5. Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.
6. Post data breaches within 10 days and notify parents within 30 days.
7. Create a policy for who can sign contracts with operators.
8. Designate a privacy officer to ensure compliance.
9. Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.
Parent and Student Rights:
A student's covered information shall be collected only for K through 12 school purposes and not further processed in a manner that is incompatible with those purposes.
A student's covered information shall only be adequate, relevant, and limited to what is necessary in relation to the K through 12 school purposes for which it is processed.
Except for a parent of a student enrolled in a nonpublic school, the parent of a student enrolled in a school has the right to all of the following:
(1) Inspect and review the student's covered information, regardless of whether it is maintained by the school, the State Board, or an operator.
(2) Request from a school a paper or electronic copy of the student's covered information, including covered information maintained by an operator or the State Board. If a parent requests an electronic copy of the student's covered information under this paragraph, the school must provide an electronic copy of that information, unless the school does not maintain the information in an electronic format and reproducing the information in an electronic format would be unduly burdensome to the school. If a parent requests a paper copy of the student's covered information, the school may charge the parent the reasonable cost for copying the information in an amount not to exceed the amount fixed in a schedule adopted by the State Board, except that no parent may be denied a copy of the information due to the parent's inability to bear the cost of the copying. The State Board must adopt rules on the methodology and frequency of requests under this paragraph.
(3) Request corrections of factual inaccuracies contained in the student's covered information. After receiving a request for corrections and determining that a factual inaccuracy exists, a school must do either of the following:
(A) If the school maintains or possesses the covered information that contains the factual inaccuracy, correct the factual inaccuracy and confirm the correction with the parent within 90 calendar days after receiving the parent's request.
(B) If the operator or State Board maintains or possesses the covered information that contains the factual inaccuracy, notify the operator or the State Board of the correction. The operator or the State Board must correct the factual inaccuracy and confirm the correction with the school within 90 calendar days after receiving the notice. Within 10 business days after receiving confirmation of the correction from the operator or State Board, the school must confirm the correction with the parent.
Nothing in this Section shall be construed to limit the rights granted to parents and students under the Illinois School Student Records Act or the federal Family Educational Rights and Privacy Act of 1974.
To what entities do the new SOPPA requirements apply?
“Operator” means, to the extent that an entity is operating in this capacity, the operator of an internet website online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes. 105 ILCS 85/5.
“K through 12 school purposes” means purposes that are directed by or that customarily take place at the direction of a school, teacher, or school district; aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; and are otherwise fror the use and benefit of the school. 105 ILCS 85/5.