Illinois Student Data Privacy

Requires Signed Agreement

Does not require signed agreement

Illinois Student Online Personal Protection Act

Illinois Student Data Privacy Overview

Law: Student Online Personal Protection Act (SOPPA) — 105 ILCS 85

Summary

The Illinois Student Online Personal Protection Act (SOPPA) establishes strong safeguards to ensure that K–12 student data is collected, used, and protected responsibly by both schools and educational technology providers. SOPPA is designed to prevent the commercial misuse of student information, require transparency from districts and vendors, and guarantee parents clear rights to access and correct their child’s data.

SOPPA applies whenever online services, websites, or applications are used for K–12 school purposes. It requires written data-privacy agreements, public posting of vendor information, parent notifications of data breaches, and strict limits on how student information may be used.

Key Requirements

For Schools & School Districts

Illinois districts must:

Sign a SOPPA-compliant Data Privacy Agreement with every operator that collects or receives student information.
Post all executed agreements online within 10 business days of signing.
Publish a list of all approved online tools, vendors, and subcontractors used in the district.
Disclose the types of student data elements that each vendor collects or receives.
Provide parents with a process to inspect, review, and correct their child’s covered information.
Notify parents of a data breach within 30 calendar days, unless law enforcement requires a delay.
Ensure student data is used only for K–12 school purposes and is limited to what is necessary.

For Ed-Tech Vendors (“Operators”)

Operators that serve Illinois schools must:

Use student data exclusively for school purposes defined in the contract.
Prohibit targeted advertising based on student data or persistent identifiers.
Not sell, rent, disclose, or use student information for non-educational purposes.
Implement reasonable security procedures to protect student data.
Delete student data within a reasonable time upon school request.
Publish clear privacy policies describing data collection, use, disclosure, and security practices.
Disclose subcontractors and follow SOPPA’s restrictions on sharing covered information.
Report data breaches to the district within the required timeline.

Who Must Comply

SOPPA applies to:

Illinois public K–12 school districts
Nonpublic schools that contract with operators for online services
Ed-tech vendors (“operators”) providing websites, apps, or online services used primarily for K–12 school purposes
Any party receiving “covered information,” which includes personally identifiable student data, account identifiers, assessment results, demographic data, and other school-related information

General-audience websites and basic internet service providers are not considered operators under SOPPA.

Parent & Student Rights

Under SOPPA, parents (and eligible students) have the right to:

Inspect and review their student’s covered information
Request copies of the information in paper or electronic format
Request corrections to factual inaccuracies
View the district’s list of approved vendors and what data each tool collects
Receive timely notification if their child’s data is involved in a breach

SOPPA supplements existing rights under FERPA and the Illinois School Student Records Act.

Data Breach Requirements

If a student’s covered information is compromised:

Operators must notify the district of the breach.
Districts must notify parents within 30 calendar days of receiving notice.
Districts must also post additional breach details publicly when required.
Law enforcement may request delayed notification if it would interfere with an investigation.

State Resources

Districts and vendors can access SOPPA resources through:

Illinois General Assembly – SOPPA Statute
https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3806
Illinois State Board of Education (ISBE) – Data Privacy Resources
https://www.isbe.net
IL Student Data Privacy Consortium (SDPC / IL-NDPA)
https://privacy.a4l.org
Model SOPPA Agreements & Data Elements Lists (varies by district)

These resources provide templates, data dictionaries, and official guidance to support compliance.

Quick Facts

Signed into law: 2019
Fully effective: July 1, 2021
Requires written DPAs for every vendor
Requires public posting of all vendor agreements and data elements
Prohibits targeted advertising, selling data, and commercial use
Mandates parent notifications of breaches within 30 days
Protects all K–12 “covered information,” including persistent identifiers used for login/authentication

Illinois Checklist (For Districts & Vendors)

Districts

□ Maintain public vendor list
□ Post DPAs within 10 business days
□ Publish data elements collected
□ Manage parent access and correction requests
□ Track subcontractors used by vendors
□ Notify parents of breaches within 30 days

Vendors

□ Ensure your privacy policy aligns with SOPPA
□ Prohibit behavioral advertising
□ Do not sell or misuse student information
□ Enter into a SOPPA-compliant DPA with each district
□ Maintain strong security controls
□ Delete data upon school request
□ Provide breach notifications promptly

How can EdPrivacy help?

EdPrivacy streamlines Illinois SOPPA (105 ILCS 85) compliance by delivering a proven, easy, and safe way to manage vendor agreements and data-element requirements, all in one trusted dashboard. Instead of juggling spreadsheets, manually updating SOPPA pages, or tracking contracts one by one, districts get a centralized, reliable system that saves time and protects the health of your compliance workflow.

The platform automatically flags vendors that are ready to do business in the state of Illinois, stores and posts all executed agreements for the district, and maintains renewals and updates securely and accuratly. EdPrivacy also keeps each vendor’s published data elements organized and current, generating SOPPA-ready summaries for reports or audits.

For ongoing oversight, EdPrivacy adds new, vital monitoring tools, including privacy-policy reviews, breach documentation, and districtwide risk scoring, giving your team the truth, results, and comfort of knowing every approved app, tool, and service continues to meet Illinois’s transparency, data-use, and security requirements. It’s the right, high-value, time-saving way for Illinois schools and districts to stay compliant, stay protected, and stay ahead.

‍