Illinois Governor Signs Student Online Personal Protection Act

Illinois Governor J.B. Pritzker has signed into law the Student Online Personal Protection Act of 2019 to amend and strengthen the state’s existing student data privacy law. The new version of the student privacy law as amended by HB 3606 will go into effect on July 1, 2021.

The new law borrows from some of the principles of the European Union General Data Protection Regulation (GDPR) in that it puts restrictions on data processing, third-party data sharing, and authorizes the right to access and correct information. Here are some of the Illinois law’s requirements:

Any operator who seeks to receive covered information from a school, school district or the State Board must enter into a written agreement with the entity before the covered information may be transferred. The agreement must provide for:

* A listing of the categories or types of information to be provided.

* A statement of the product or service being provided to the school.

* A statement concerning the Family Educational Rights and Privacy Act of 1974 which includes that it will use the covered information only for an authorized purpose and will not redisclose it to third parties unless permitted by the Act, the school’s permission or court order.

* The allocation of the school’s costs and expenses if a breach is attributed to the operator.

* A requirement that the operator delete or transfer to the school covered information if it is no longer needed for the purposes in the written agreement, as well as the time period for that deletion or transfer.

A public school is prohibited from selling, renting, leasing or trading covered information. It is also prohibited from sharing, transferring, disclosing, or providing access to covered information to an entity or individual other than the student’s parent, school personnel, appointed or elected school board members, or local school council members, or the State Board, without a written agreement or the disclosure meeting one of three exceptions.

The school must post on its website (if it maintains one) a clear and understandable explanation to a layperson of the covered information “that the school collects, maintains, or discloses to any person, entity, third party, or governmental agency.” The disclosure must explain how the school uses it, to whom or what entities it discloses, and the purposes of its disclosures of covered information. It also must post a list of operators that the school has signed written agreements with, as well as a copy of each written agreement. It must also disclose any breaches of covered information maintained by the school, and a written description of how parents may exercise their rights under the law.

Data collection shall be only for K through 12 school purposes and not further processed in a manner that is incompatible with those purposes. Covered information shall only be “adequate, relevant, and limited to what is necessary ….”

The school must provide a parent of a student in a public school, upon request, a paper or electronic copy of the student’s covered information, including information maintained by an operator or the State Board. If a school receives a deletion request for an operator, it must pass that request on to the operator.

A school must also correct a factual inaccuracy in covered information upon request. If the school possesses the information, it must correct it within 90 calendar days. If an operator or State Board possesses it, the school must notify them and they must correct it and confirm the correction to the school within 90 calendar days of receiving the notice. The school then has 10 business day to confirm the correction with the parent.

The law also requires a school to designate an appropriate staff person as the privacy officer to carry out the duties and responsibilities assigned to schools, as well as to ensure compliance with the law’s requirements.