Student Online Personal Protection Act (SOPPA)
Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85). Note that SOPPA also places new expectations on the Illinois State Board of Education and operators of online services or applications.
Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element.
School districts must:
- Annually post a list of all operators of online services or applications utilized by the district. Link
- Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.
- Post contracts for each operator within 10 days of signing.
- Annually post subcontractors for each operator.
- Post the process for how parents can exercise their rights to inspect, review, and correct information maintained by the school, operator, or ISBE.
- Post data breaches within 10 days and notify parents within 30 days.
- Create a policy for who can sign contracts with operators.
- Designate a privacy officer to ensure compliance.
- Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.
Although not required by law, school districts will also need to undertake the following to meet the above requirements:
- Provide teachers with the list of online operators that are safe and approved for use.
- Develop a process for keeping data inventory up-to-date.
Family Educational Rights and Privacy Act (FERPA)
Effective February 21, 2017, the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
- Generally prohibits districts from disclosing students’ education records without a written parent or eligible student consent.
- “Education records” are broadly defined to include any records, files, or documents maintained by a school district that contain personally identifiable information on students.
- Grants parents and guardians the right to inspect and review education records; request that a school amends the student’s records; consent in writing to the disclosure of personally identifiable information from the student's records, subject to certain enumerated exceptions.
Children’s Online Privacy Protection Act (COPPA)
Children’s Online Privacy Protection Act (COPPA) (P.L. 105-277; 15 U.S.C. § 6501 et seq.; 16 C.F.R. part 312.) restricts the collection of personal information from children under 13 by companies operating websites, games, mobile applications, and digital services that are directed to children or that collect personal information from individuals known to be children.
Children’s Internet Protection Act (CIPA)
Children’s Internet Protection Act (CIPA) (47 U.S.C. §254(h); 47 C.F.R. §54.520.) imposes certain requirements on schools that utilize the federal E-Rate program to receive discounts for internet access and other technology services, or that receive federal grants for other technology expenses.
- Requires that districts adopt an internet safety policy that includes protection measures to block or filter internet access to visual depictions that are obscene, child pornography, or harmful to minors.
- School districts must monitor the online activities of children and educate children about appropriate online behavior, including interacting with other individuals on social networking websites and cyberbullying awareness and response.