For Immediate Release, Monday Aug 26, 2019
Contact: Cassie Creswell, 773-916-7794
On Friday Governor Pritzker signed PA 101-0516 (HB3606), an update to Illinois’ Student Online Personal Protection Act (SOPPA) into law. The legislation, one of the most far-reaching student data protection laws in the country, will provide much greater transparency and control to parents on how schools, vendors and the Illinois State Board of Education (ISBE) are collecting and using data from public school students from preschool through 12th grade.
The bill, sponsored in the House by (now) Senator Robert Martwick and in the Senate by Senator Omar Aquino, was an initiative of the public ed advocacy group Illinois Families for Public Schools (formerly Raise Your Hand Action), which has been pushing for these reforms for two years. The original version of SOPPA prohibited some commercial exploitation of student data, but parents did not feel it went far enough.
“Parents need to have confidence that our public schools are exercising due diligence when they give companies access to our children’s data. This law is a major step towards restoring that confidence,” said Illinois Families for Public Schools’ president and director Cassie Creswell.
The new law will put into place important provisions clarifying that parents have the right to inspect, correct, and have their child’s data deleted no matter who holds that data—a school or a tech company.
It also affirms that student data collection is subject to two important principles, purpose limitation and minimization, that are also found in the landmark European privacy law, the General Data Processing Regulations (GDPR). Namely, schools can only collect data directly relevant to school activities, and that data won’t be further used for other purposes.
The law also closes loopholes allowing targeted advertising based on data collected by ed tech vendors and prohibits not just companies, but schools from selling student data.
Schools and the State Board will now only be able to share data with third parties with whom they have a written agreement. Written agreements must meet certain specific criteria established in the law, like disclosure of subcontractors, and schools will make those agreements publicly available along with inventories of what data is being collected and shared.
Schools will also now be required to notify parents of data breaches—within 30 days for data held by a school and 60 days for data held by a company. Previously, SOPPA contained no provisions for what companies or schools needed to do in the event of a data breach, and most student data was not covered under other Illinois data breach notification laws.
The recent massive breach of data held by Pearson, the largest standardized testing vendor in the US, reinforces the need for this new law. The FBI notified Pearson of the breach in March, but Pearson only announced the breach, which affects more than 13,000 school district and universities at the end of July. At least 80,000 Illinois students in more than 30 districts are victims of the breach, but the full extent in Illinois is not yet known, and districts are currently under no obligation to tell parents or the public about the breach.
“Educational records aren’t just in a locked file cabinet in the school office anymore. Parents need to have information and a real say in what happens to their child’s data when they enter the schoolhouse door,” said parent Catherine Francis, Illinois Families for Public Schools’ board member.