Illinois Amends Student Online Personal Protection Act, Adding Data Breach Notification Provisions
On August 23, 2019, Illinois Governor J.B. Pritzker signed into law the Student Online Personal Protection Act of 2019 (SOPPA). Amending the previous version of SOPPA, this ambitious legislation gives parents greater control over student data, imposes new breach notification requirements, and regulates the collection and use of student data by schools, the Illinois State Board of Education, and education technology (EdTech) vendors. Because of the time needed to fully implement the law, it will not go into effect until July 1, 2021.
Taking a page from the EU’s GDPR, SOPPA gives parents the right to inspect, correct, and delete their child’s data, regardless of whether it is held by a school or a third-party EdTech vendor. Illinois schools will also be required to obtain written parental consent before sharing some types of student data with third parties.
As originally enacted, SOPPA contained no breach notification requirements, and Illinois’ general breach notification law did not apply to all of the student data covered by SOPPA. The 2019 amendments, however, require EdTech vendors to notify schools within 30 days of a determination that a breach of their student information has occurred. Similarly, the amendments require schools to notify parents within 30 days after receipt of such a notice from an EdTech vendor or a determination that a breach of their child’s data occurred.
SOPPA now imposes strict limits on the collection and use of student data. Data can only be collected by schools, the Illinois State Board of Education, or technology vendors for a purpose related to school activities. Once collected, student data cannot be used for any alternative non-school purpose — e.g. it cannot be sold or used for targeted advertising.
SOPPA also requires greater transparency from the Illinois school system. Schools must publicly disclose the type of data that is collected, the purpose of collection, and the third parties with whom it is shared. When outside vendors will have access to student data, their contracts must be publicly posted. SOPPA mandates that such contracts include specific data privacy and protection provisions.
Under SOPPA, schools and vendors must also implement data privacy policies and practices in line with industry standards and best practices. The Illinois State Board of Education must publish model policies that schools can use as a reference point.
Many view Illinois’ sweeping SOPPA amendments as a reaction to a massive data breach last year which affected schools and students nationwide. SOPPA may be the first of a new wave of state-level efforts to provide strong protections for student data.