Illinois Schools Should Immediately Take Steps To Comply With New Privacy Laws Related To Student Data
Todd Rowe – Partner, Tressler LLP

While protecting data is always important, there is a heightened effort to protect private data belonging to children and young adults. Unfortunately, there has also been a recent uptick in the number of recent breach incidents involving data from schools and vendors entrusted with data by schools. Of course, this data held by schools inevitably includes information belonging to children and young adults.

Perhaps the worst incident involving students’ data was seen this summer when it was discovered that a breach at Pearson, an education publisher, may have compromised the data belonging to nearly one million students in thirteen states. The September 6, 2019 edition of the Chicago Tribune reported that a student filed a lawsuit against Pearson after learning their information was compromised in this incident. In addition to seeking damages related to the Pearson breach, this lawsuit further acknowledged what has increasingly become more of a problem: that “[c]hildren’s data is becoming more attractive to hackers because they are less likely to check their credit reports or implement credit freezes…and educational platforms are popular targets.”

The importance of this data has not gone unnoticed by legislatures around the country. For example, new legislation coming into effect in Illinois in July of 2021 will create more regulations on Illinois schools’ collection and storage of personal information. In turn, these regulations should make student information safer if there is a breach at the school or one of its vendors. We can expect many other states to watch the development of this law in Illinois.

• Introduction To The Illinois Student Online Personal Protection Act

The Illinois Legislature passed amendments to the Student Online Personal Protection Act (“SOPPA”) that will take effect on July 1, 2021. In short, this new law will directly impact how Illinois public schools collect and store student information. At first blush, Illinois schools may not see the need to take immediate action to comply with changes, since the law does not take effect for at least eighteen months. However, after reviewing the amendments to SOPPA, some schools may realize that they will need at least that much time to implement SOPPA and meet its deadlines.

Privacy law is in an interesting place. Remarkably, SOPPA has not received much treatment in the media. Last year, it was difficult to escape news related to the General Data Protection Regulation, or GDPR, adopted by European Union member states. The impact of GDPR, however, is limited data belonging to residents of the European Union. Therefore, proper storage of data belonging to EU residents may not be a primary concern for an Illinois school district. On the other hand, SOPPA will require significant resources from Illinois public schools. It will impact far more data collectors and Illinois residents than GDPR. Consequently, Illinois school districts should be far more concerned with SOPPA than GDPR compliance.

• A Snapshot of the Operation Of SOPPA

The significant burden imposed by SOPPA will surprise many public schools. The only hope is that a school will work toward compliance sooner rather than later. As an initial matter, the Illinois legislature has stated its intent to enact SOPPA as follows:

Schools today are increasingly using a wide range of beneficial online services and other technologies to help students learn, but concerns have been raised about whether sufficient safeguards exist to protect the privacy and security of data about students when it is collected by educational technology companies. This Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies.

The SOPPA amendments are broken into four broad categories, school prohibitions, school duties, parent and student rights and operator (or vendor) prohibitions. Each of these categories place different restrictions and obligations on Illinois public schools. For example, Section 26, entitled “School Prohibitions,” states “[a] school may not do either of the following:

(1) Sell, rent, lease, or trade covered information.

(2) Share, transfer, disclose, or provide access to a student’s covered information to an entity or individual, other than the student’s parent, school personnel, appointed or elected school board members or local school council members, or the State Board, without a written agreement, unless the disclosure or transfer is:

(A) to the extent permitted by State or federal law, to law enforcement officials to protect the safety of users or others or the security or integrity of the operator’s service;

(B) required by court order or State or federal law; or

(C) to ensure legal or regulatory compliance.

This paragraph (2) does not apply to nonpublic schools.

Paragraph (1) regulates how schools may use what is referred to as “Covered Information.” SOPPA defines “Covered Information” as “personally identifiable information or material or information that is linked to personally identifiable information or material in any media or format that is not publicly available.” This provision is admittedly broad and subject to interpretation. From a practical standpoint, a school may be best served to complete an inventory of material that may fall into the definition of “Covered Information” under SOPPA and put safeguards in place to make sure this information is closely monitored. The key will be for a school to fully understand what information may viewed as being sold, rented, leased or traded, and, therefore, potentially subject to SOPPA.

Under Paragraph (2), a school district must have procedures in place that will allow certain individuals to have access to Covered Information while not allowing others to access the same information. Requirements that a data collector provide access to a limited number of individuals while simultaneously providing access to other individuals force data collectors to walk a fine line. The key to compliance will be to consider, before the deadline, the best strategy to provide access to the correct individuals while simultaneously limiting access to the incorrect individuals.

The regulations found under the “School Prohibitions” section will be just the beginning for SOPPA compliance. In the months leading up to SOPPA taking effect, public schools will need to take steps to confirm that their vendors with access to Covered Information are taking steps to protect student data. Without taking the steps necessary to fully comply with SOPPA, Illinois public schools may be subject to liability not only for their own acts or omissions, but the missteps of the vendors they entrusted with student information. Therefore, it is never too early to begin taking steps toward SOPPA compliance.