The changes to IL's Student Online Personal Protection Act (SOPPA) that passed in spring 2019 went into effect on July 1, 2021. We've been in conversation with CPS since fall of 2020 about how CPS would comply with the amendments via policy and guidelines.
While the final policy incorporated some of our suggestions, including a crucial change barring students from signing agreements with operators, the final guidelines, had some significant issues remaining. We met with representatives of the district from the IT and Law Departments in mid-June, and then sent a follow-up letter on June 29, 2021. You can read that here. The letter asked for clarification on a variety of issues including data deletion, data inspection requests, and how the district was classifying third parties as operators, the definition of which is quite clear under SOPPA and should apply to almost all whom the district is sharing students' personally-identifiable information with.
At the meeting and in the letter, we asked several questions about the Aspen Student Information System provided by the vendor Follett; CPS officials refused to say whether Follett was an operator with respect to Aspen. (It is!) We also asked whether the following were operators:
- Apple
- Battelle for Kids
- Blackboard
- Bookshare
- Cityspan
- ClassDoJo
- College Entrance Exam Board
- Data Recognition Corporation
- Docusign
- Forall Systems
- GoGuardian
- Hobsons
- Houghton Mifflin Harcourt Publishing Company
- Lifetouch
- Microsoft
- NWEA
- Omicron
- Pearson
- PowerSchool Group
- Seon
- ServiceNow
- Teaching Strategies
- Thorsen Consulting
In the letter they sent to us after the meeting, they said merely:
"Your letter seeks confirmation of whether certain third parties will be considered SOPPA operators. While we cannot comment on negotiations with third parties, please be advised that any third party who has access to student data can only do so in accordance with student privacy laws such as FERPA, ISSRA and SOPPA."
[Update: As of May 2022, many of these operators' products, including Follett's Aspen SIS, are still missing from the CPS SOPPA database site or their page is incomplete with no agreement and no list of data elements posted. In other words, CPS is in violation of state law with respect to these software companies.]