New Illinois Statutes Strengthen Parental Rights and Update Data Security Protections and Responsibilities

On August 23, 2019, Governor J.B. Pritzker of Illinois signed House Bill 3606 (HB3606), which is a far-reaching update to Illinois’s Student Online Personal Protection Act (SOPPA). Among other things, the bill requires more transparency on how student information is used and gives parents greater control over how schools, education companies, and the Illinois State Board of Education are collecting and using personally identifiable information (PII) from K-12 public school students.

This bill authorizes parental privacy rights for student data collection. It also borrows two guiding principles from the landmark European privacy law, the General Data Processing Regulations (GDPR) which provide stronger data privacy protection than required in the U.S. Schools can only collect data directly related to school activities, and students’ PII cannot be used for any other purpose except school activities. [1]

Key Takeaways from Illinois’s HB3606

The bill defines “breach” as the unauthorized acquisition of digital data that compromises the security, confidentiality, or integrity of either the school or the vendor (defined as operator). Also, the bill defines “operator” as the person in charge of a website, online service, online or mobile application for K–12 education. “Covered information” is defined as personally identifiable information or material that is publicly unavailable.

Vendor/operators must:

  •     Implement and maintain reasonable security practices that otherwise meet or exceed industry practices to protect student information from unauthorized access, destruction, use, moderation, or disclosure.
  •     Enter into written agreements with schools, districts, and boards of education before PII is transferred.
  •     Notify schools of any breach of students’ PII as quickly as possible but absolutely within 30 days of the breach.
  •     Provide schools with a list of any third parties or affiliates to whom the operator is disclosing covered information. 

Schools, districts, and the state board of education are prohibited from: 

  •     Selling, renting, leasing, or trading covered information.
  •     Sharing, disclosing, or providing access to students’ PII with any entity except the student’s parent, school personnel, appointed/elected school board members, including the State Board of Education, without a written agreement, unless the disclosure is:
    • To law enforcement officials for the protection of the user or security of the operator’s service
    • Required by a court order or a state or federal law 
    • To ensure legal or regulatory compliance.

Additional HB3606 requirements:

The bill calls for schools to post on their website a list of the data elements of information collected by the school, a list of third party vendors working with the schools (including subcontractors), security practices, and a description of how parents can ensure their rights, and a list of information breaches impacting student PII.  

  • Schools are authorized to designate a staff privacy officer to carry out the duties required to maintain compliance with data security procedures.  
  • Parents now have permission to request the deletion of their child’s student information as long as no state or federal laws are violated. 
  • The State Board is required to annually update a public list of all third-party written agreements that include students’ PII. They must publicly post a copy of each contract or agreement.  
  • The State Board must maintain a public posting of all student information that is collected or maintained and to model student data privacy policies and procedures in compliance with state and federal law. 
  • This secure data will only be collected for K–12 purposes. 
  • Parents’ rights include the ability to:
    • Inspect and review the student’s covered information
    • Request a paper or electronic copy of their child’s covered information
    • Request corrections of factual inaccuracies in their child’s covered information.[2] 

How EdPrivacy Can Help

HB3606 is one of the most far reaching student data security laws in the country. It is rigorous and prescriptive about keeping student data private. However, most Illinois districts are not fully prepared for compliance even though the law is now in effect. But EdPrivacy can help. EdPrivacy utilizes machine learning-based artificial intelligence to create privacy quality scores for thousands of online technology resources commonly used in classrooms across the nation. The scores help educators and administrators quickly identify safe online technologies and easily determine which service providers respect and protect student data privacy. With EdPrivacy, school district leaders better understand school privacy laws for students, and enjoy student data privacy peace of mind. 

For more information on what school and district administrators should know about federal student privacy laws, read EFI’s federal legislation page.

[1] Retrieved from

[2] Retrieved from