Student Online Personal Protection Act (SOPPA)
Since July 1, 2021, Illinois school districts are required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that the data collected is used for beneficial purposes only (105 ILCS 85).
In compliance with SOPPA requirements, District 401's information concerning operators of online services and applications used by the District can be found at the following link:
District Requirements Under SOPPA
Below is an overview of SOPPA requirements. Please refer to the legislation (105 ILCS 85) for specific timelines and components of each element.
Under SOPPA, school districts must:
- Annually post a list of all operators of online services or applications utilized by the district.
- Annually post all data elements that the school collects, maintains or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.
- Post contracts for each operator within 10 days of signing.
- Annually post subcontractors for each operator.
- Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator or ISBE.
- Post data breaches within 10 days and notify parents within 30 days.
- Create a policy for who can sign contracts with operators.
- Designate a privacy officer to ensure compliance.
- Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.
Although not required by law, school districts will also need to undertake the following to meet the above requirements:
- Provide teachers with the list of online operators that are safe and approved for use.
- Develop a process for keeping data inventory up-to-date.