New Student Data Privacy Legislation in Illinois

Illinois’s Student Online Personal Protection Act or SOPPA is an amended student data privacy law that was recently passed in the U.S. state of Illinois in 2019. To this point, the provisions of the law recently went into effect on July, 1st 2021. As online access has come to play an enormous role in the functionality of K-12 education within the U.S., many states around the country have passed legislation geared toward protecting the personal information and privacy of students. With this being said, the SOPPA sets forth various regulations that school districts are required to follow when collecting, using, modifying, disclosing, and destroying personal information pertaining to students within the state of Illinois.

What are the requirements of school districts under the law?

Under the provisions of the Illinois Student Online Personal Protection Act, school districts within the state have a number of responsibilities as it concerns the protection of the personal information of their respective students. These responsibilities include but are not limited to:

• School districts are required to enter into written agreements or contracts with all K-12 service providers that collect student information within the state of Illinois.
• School districts are required to create a policy that will govern which members of the said district are permitted to enter into written agreements or contracts with online operators and service providers.
• School districts are required to implement and maintain “reasonable security practices” for the purpose of protecting the personal information of students. Moreover, in instances where a school district shares information with third parties or vendors, the school district must also enter into a written agreement or contract with the said vendor that ensures that the vendor will also implement and maintain reasonable security practices that can be used to safeguard personal information.

Furthermore, the provisions of SOPPA also mandate that school districts within Illinois post various forms of information on their respective websites. This information must provide parents, guardians, students, and applicable third parties with the following details:

• A list of all of the online operators, service providers, or applications that will be utilized by a particular school district on an annual basis.
• All forms of personal data that a school collects, maintains, or discloses to any entity on an annual basis. This information must also explain how the school uses the data, and to whom and why it discloses the data.
• All digital resources that collect student data will need to be reviewed, approved, and have a data privacy agreement in place prior to use.
• The process for how parents can exercise their rights to inspect, review, and correct information maintained by the school, online operator, or other relevant parties.
• Written contracts for each online operator or service provider, within 10 days of signing.
• In the event that a data breach occurs, school districts are required to provide notification to all parents and affected parties within 30 days.

What categories of personal data are protected under the SOPPA?

Under the SOPPA, the following forms of personal information regarding students within the state of Illinois are legally protected from unauthorized access, use, modification, disclosure, and destruction:

• First and last names.
• Email addresses.
• Physical addresses.
• Telephone numbers.
• Information that facilities physical or online communication.
• Disciplinary records.
• Medical information and records.
• Information concerning food purchases.
• Juvenile dependency and criminal records.
• Special education data.
• Personal characteristics.
• Text messages and voice recordings.
• Search activity.
• Biometric identifiers.

What are the penalties for violating the SOPPA?

In terms of the penalties that can be imposed against school districts, online operators, and associated third parties that are found to be in violation of the SOPPA, the law provides Illinois residents with “a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” To this point, individuals and organizations that are found to be in violation of the law are subject to monetary penalties ranging from $1,000 to $5,000, depending on the scope and severity of the offense, as well as an injunction, reasonable attorney, and legal fees, and other related litigation costs and expenses.

Through amendments that were made to the Illinois Student Online Personal Protection Act or SOPPA in 2019, parents and guardians within the state were provided with the legal means to ensure the personal information of their children is being protected at all times as it relates to their online engagement in the context of educational endeavors. Notably, as the law provides Illinois residents with a private right of action, parents and guardians within the state can also seek monetary compensation in the event that the rights of their children are violated under the law. To this point, school districts that fail to comply with the provisions of the law stand to face steep and expensive penalties.