The Chicago Public Schools are preparing for compliance with the changes to IL's Student Online Protection Act, passed in spring 2019 and going into effect on July 1, 2021. As the largest district in IL, CPS's policy will have important implications for the rest of IL's public schools.
After feedback on their initial policy draft from IL-FPS back in November and some ensuing discussions with us, the policy on the agenda for the Chicago BoE's January meeting has improved---and we're especially pleased to see it will mean students themselves can no longer be required to sign contracts with vendors anymore.
Yes, you read the correctly! Up to this point, students were being asked to enter into legal agreements with testing and tech vendors, typically via a click-wrap agreement when they first created an account on an educational website. The College Board was one of those vendors.
Cassie Creswell spoke about this issue at the September 2020 Chicago Board of Ed meeting, as a parent whose child was asked to create an account on the College Board's website in order to enroll and receive instruction in an Advanced Placement course. Students creating this account were in fact agreeing to forego their right to sue the College Board according to the agreement they signed, which is a right families have under the IL School Student Records Act.
IL-FPS initially submitted comments to the Board of Education in November on the policy they drafted to comply with SOPPA. One of our major requests then was that language be added to CPS' policy so that vendors/operators would no longer be permitted to force children into individual contracts separate from the districts’ own contract. Without this, students could be required to sign contracts that don't comply with SOPPA or other state and federal privacy laws.
We're happy to say that our request was met, and the updated language was approved by the Board on January 27th.
You can read our full letter to the board about the updated policy here.
There are still aspects where this policy falls short of the protections children need. For example, a company might be exchanging access to student data for data processing services with another company; they could argue that this isn't an instance of selling or renting data and thus isn't prohibited. We'd like the CPS policy to assert more strongly that any commercial exploitation of student data is prohibited whether or not money is exchanged.
We'd also like this policy to include a description of the ability parents will now have to request deletion of their child's data. These requests are made to the school/district, and then the school will pass them along to the operator/vendor who holds the data. This is required by the SOPPA law language, but there's no mention of it in CPS's SOPPA policy, either in the list of operator duties, or the list of parent rights. Parents should be informed of this clearly. Data that is no longer in use for an educational purpose or that was mistakenly collected on a child in the first place should be deleted.
In fact, some districts (e.g. Riverside (IL) District 96 and Montgomery County (MD) Public Schools) are now implementing a regular scheduled data deletion to get rid of legacy data that is no longer being used but can still pose a hazard to privacy if it is breached. This is a practice that CPS and other districts in Illinois should adopt, and we encourage CPS to do so in our comments.