On July 1st, the threshold requirements ramped up for Illinois schools and the software vendors that provide them services under the Illinois Student Online Personal Privacy Act (SOPPA). Most of the new requirements fall within the purview of the schools, such as maintaining a publicly available list of all software vendors providing software to the school, providing an explanation of all kinds of personal data the school collects, and publishing a description of how parents can exercise their rights under SOPPA. That last one may be of interest to our readers that are parents of Illinois schoolchildren.
The law also requires schools to enter into contracts with each software vendor the school utilizes. This is a requirement both schools and vendors share. The law also spells out what terms must be included in the contract, such as a description of the services provided, the data the vendor will collect, a statement that the vendor will comply with the Family Educational Rights and Privacy Act (FERPA), notification procedures in the event of a data breach, how the school and vendor will share costs in addressing a breach, and a list of third parties with whom the vendor shares the data collected. Schools are then required to make these contracts publicly available on their websites.
These changes to SOPPA are certainly in line with the trends in recent years in state legislatures to enact stricter data protection measures on companies holding their residents’ data. Software vendors for Illinois schools can expect new contracts with those schools that meet the new requirements. For other software vendors, this is still a great opportunity to review existing policies and procedures to make sure they have a clear grasp on what data is captured, how that data is protected, how data breaches are addressed, how users can access their data, and how data is erased or deleted. As mentioned earlier, there will only be more data privacy laws popping up in more states as time goes on. This means the sooner those policies and procedures are in place internally, the easier the transition will be once a vendor starts doing business in a state with data protection laws.
For anyone interested in further reading on the Illinois SOPPA law, The Illinois Association of School Boards wrote a helpful piece here. For those who enjoy digging into the weeds, the link to the text of the law can be found here.