The Chicago Public Schools are preparing for compliance with the changes to IL's Student Online Personal Protection Act (SOPPA), passed in spring 2019 and going into effect on July 1, 2021. Their new policy on SOPPA was passed at the January board meeting, and we were encouraged to see that some of the input we had provided was incorporated into an improved final version. Now CPS is developing more detailed guidelines on how the policy will be implemented.
As with the CPS SOPPA policy, we are still concerned that the guideliness too do not mention that parents can ask to have data deleted by an operator via a request mediated by the school.
We're also concerned that the factors they are using to determine whether data collection and disclosure requires parental notification, parental consent or neither are poorly defined and do not take into account the sensitivity of the data to be shared. For example, consent vs notification appears in some cases to rest on whether information is being shared via software or websites being used for instruction rather than software or websites used by central office or school administrators. The intent of SOPPA is to give parents control and transparency over their children's data, and that should not depend on a distinction like this one.
We hope that our comments will result in an improved set of guidelines in CPS as the deadline nears for all schools and districts to comply with SOPPA.