Legal Matters: Ready or Not

By Debra Jacobson

Effective July 1, 2021, school districts in Illinois must be ready to implement major changes in how they handle student data when using educational technology. On August 23, 2019, Governor J.B. Pritzker signed into law significant amendments to the Student Online Personal Protection Act (SOPPA, Public Act 101-516), which are intended to further strengthen privacy protections for online student data and increase parent access. Illinois follows a handful of other states that have recently passed similar student data privacy laws. 

Before these latest amendments, SOPPA only regulated operators of websites, services, or applications used and marketed for K-12 purposes. However, beginning July 1, 2021, public school districts and the Illinois State Board of Education (ISBE) will have to comply with new requirements when it comes to their handling of students’ covered information. SOPPA defines covered information as personally identifiable information (PII) that is (1) created or provided by a student or parent to an operator, (2) created by or provided to an operator by an employee or agent of a school for K-12 purposes, or (3) gathered by an operator for K-12 school purposes. PII includes not only names, addresses, and the like, but other information that personally identifies a student such as geolocation information, voice recordings, search activities, and even food purchases. 

The new SOPPA requirements that impact school districts fall into four main areas: agreements, transparency, security, and parent rights. Given the scope of these changes, this law is likely to present implementation challenges and questions for small and large districts alike. These requirements are more extensive than what districts are required to do under existing student record laws, such as the Illinois School Student Records Act (ISSRA). 

Agreements
Whenever an operator seeks to receive covered information from a school district, it must enter into a written agreement with the school district. Agreements entered into, amended, or renewed on or after July 1, 2021, must contain all of the following provisions; otherwise the agreement will be deemed void and unenforceable. 
  • List of types of covered information to be provided to the operator;
  • Statement of the product or service the operator is providing;
  • Statement that the operator is acting as a school official under the Family Educational Rights and Privacy Act (FERPA) and will not disclose covered information to third parties unless permitted by law, court order, or the school district;
  • Description of how costs and expenses incurred by the school district for a breach will be allocated between the operator and school;
  • Statement that the operator must delete or transfer to the school district all covered information within a specified time period when it is no longer needed for the purposes of the agreement;
  • Statement that the school district must publish the written agreement on its website, or make it available for inspection at its administrative office if it does not maintain a website.
The law also expressly prohibits a school from selling, renting, leasing, or trading covered information, with the exception of written agreements between districts and operators for the distribution or sale of class photos and yearbooks.

As districts prepare to implement this law, a critical first step will be to take inventory of existing agreements with operators, including click-wrap agreements that are commonly used by operators in connection with software licenses and online applications. Questions about whether particular products or services are subject to the SOPPA requirements should be referred to the board attorney.

Transparency
Several provisions of SOPPA are now aimed at providing parents and members of the public centralized information about how student data is being used in school districts and when the security of that data is breached. More specifically, each school district must post on its website (or make available for inspection at its administrative office, if it has no website):
  • A clear, layperson explanation of the data elements of covered information that the district collects, maintains or discloses to any person, entity, third party, or governmental agency. The explanation must include how the information is used by the district, to whom it is disclosed, and for what purpose it is disclosed.
  • A list of operators the school district has written agreements with, a copy of each agreement (certain redactions are permitted under SOPPA if the school district and operator agree), and business address of each operator. Agreements must be posted within 10 business days after entering into them.
  • A list of each subcontractor to whom covered information may be disclosed (operators must provide their lists to schools by July 1 and January 1).
  • Procedures parents may use to carry out their rights under SOPPA.
  • A list of breaches of covered information going back five years, with a few exceptions.
Districts must also provide more specific information about a breach to the parents of affected students, along with consumer resource contact information. Except for the second item in the list above, districts must update all of this information on their websites on a bi-annual basis, no later than 30 calendar days after the start of each fiscal year and each calendar year.

Security
A week rarely goes by now that a security breach involving K-12 public schools isn’t reported in the media somewhere in the country. These incidents highlight the importance of cybersecurity measures and staff training on good security practices. When it comes to security of student data, SOPPA does not mandate a particular standard, but schools will have to implement “reasonable security procedures and practices that meet or exceed industry standards.” The law requires ISBE to develop guidance on this topic and make it available to districts on its website.

SOPPA also codifies a data governance best practice by requiring boards to adopt a policy for designating which employees will be authorized to enter into written agreements with operators. Districts may also choose, but are not required, to designate a privacy officer to manage their compliance with SOPPA.

Parent Rights
The amendments to SOPPA give parents greater access to their students’ covered information, including rights to:
  • Inspect and review their student’s covered information;
  • Request a paper or electronic copy of covered information from the school, even if that information is maintained by an operator or ISBE;
  • Request corrections to factual inaccuracies contained in a student’s covered information if the school determines such an inaccuracy exists.

ISBE is required to adopt rules to address parent requests for copies of student information. It is important to note that SOPPA does not relieve districts of their ongoing obligations to comply with FERPA and ISSRA, nor does it limit a parent’s rights to records under those laws. Unlike ISSRA, however, parents do not have a private right of action under SOPPA if they believe their rights have been violated by a district (such a right was contained in an early version of the bill). The Illinois Attorney General has the authority to investigate violations of SOPPA and pursue relief in court under the Illinois Consumer Fraud and Deceptive Business Practices Act.

Policies and Procedures
Finally, the amendments to SOPPA require ISBE to develop and make publicly available model student data privacy policies and procedures, including a notice for parents. IASB’s PRESS editors plan to collaborate with ISBE this year on policy and procedure materials for districts. In the meantime, ISBE, through the Learning Technology Center of Illinois, and other education technology organizations have started to offer professional development opportunities on SOPPA and its implementation in schools. 
 
Debra Jacobson is Assistant General Counsel for the Illinois Association of School Boards.