Student Data Privacy

Student Online Personal Protection Act (SOPPA)

Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).

School districts are required to take the following actions: 

  • Post a list of all vendors or online services or applications utilized by the district
  • Post all data elements that the school collects, maintains, or discloses to any entity including an explaination on how the school uses the data, and to whom and why it discloses the data
  • Post the written agreement for each vendor within 10 days of signing
  • Post subcontractors for each vendor
  • Post the process for how parents can exercise their rights to inspect, review, and correct information maintained by the school, vendor, or ISBE.
  • Post data breaches within 10 days and notify parents within 30 days
  • Create a policy for who can sign contracts with vendors
  • Designate a privacy officer to ensure compliance
  • Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices
  • Provide teachers with the list of online operators that are safe and approved for use
  • Develop a process for keeping data inventory up-to-date

Family Educational Rights and Privacy Act (FERPA)

Effective February 21, 2017, the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. School districts ae prohibited from disclosing students' educational records, including files or documents that content personally identifying information without parental concent. Also, parents and guardians have he right to inspect and review educational records, and request that a school amend the records. 

Children’s Online Privacy Protection Act (COPPA)

Children’s Online Privacy Protection Act (COPPA) (P.L. 105-277; 15 U.S.C. § 6501 et seq.; 16 C.F.R. part 312.) restricts the collection of personal information from children under 13 by companies operating websites, games, mobile applications, and digital services that are directed to children or that collect personal information from individuals known to be children. COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13. 

Children’s Internet Protection Act (CIPA)

Children’s Internet Protection Act (CIPA) (47 U.S.C. §254(h); 47 C.F.R. §54.520.) was enacted by Congress in 2000 to address concerns about children's access to content on the Internet that is harmful or obscene. School districts are required to adopt an Internet safety policy that includes that include the following:

  • Blocking or filtering inappropriate content on the Internet
  • Addressing the safety and security of students when using email and other forms of direct electronic communications
  • Prohibiting unauthorized access, including so-called “hacking,” and other unlawful activities by students 
  • Prohibiting unauthorized disclosure, use, and dissemination of personal information
  • Restricting students' access to harmful materials online
  • Providing explicit instruction for how to be safe, responsible, and respectful online

This site provides information using PDF, visit this link to download the Adobe Acrobat Reader DC software.