On Friday Governor Pritzker signed HB 3606, an update to Illinois’ Student Online Personal Protection Act (SOPPA) into law. The legislation, one of the most far-reaching student data protection laws in the country, will provide much greater transparency and control to parents on how schools, vendors and the Illinois State Board of Education (ISBE) are collecting and using data from public school students from preschool through 12th grade. The bill, sponsored in the House by (now) Senator Robert Martwick and in the Senate by Senator Omar Aquino, was an initiative of the public education advocacy group Illinois Families for Public Schools (formerly Raise Your Hand Action), which has been pushing for these reforms for two years.
The new law will put into place important provisions clarifying that parents have the right to inspect, correct, and have their child’s data deleted no matter who holds that data—a school or a tech company. It also affirms that student data collection is subject to two important principles, purpose limitation and minimization, that are also found in the landmark European privacy law, the General Data Processing Regulations (GDPR). Namely, schools can only collect data directly relevant to school activities, and that data won’t be further used for other purposes. The recent massive breach of data held by Pearson, the largest standardized testing vendor in the US, reinforces the need for this new law. The FBI notified Pearson of the breach in March, but Pearson only announced the breach, which affects more than 13,000 school district and universities at the end of July. At least 80,000 Illinois students in more than 30 districts are victims of the breach, but the full extent in Illinois is not yet known, and districts are currently under no obligation to tell parents or the public about the breach.