Student Online Personal Protection Act (SOPPA)

Protecting student data is of the utmost importance to the Board of Education of Cicero District 99 (the District). Throughout the implementation and rollout of digital educational and learning management systems, District 99 has adhered to internally developed, board-approved technology best practices to ensure the safety and security of all users. 

What is SOPPA?

Effective July 1, 2021, the District will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85). 

SOPPA also places new expectations on the Illinois State Board of Education (ISBE) and operators of online services (Operator) and applications. 

The Learning Technology Center of Illinois — a statewide program that supports all public K-12 districts, schools and educators through technology initiatives, services and professional learning opportunities — has created a brief walk-through video explaining the ins and outs of SOPPA. 

Click here to watch the video

Responsibilities of District 99 to comply with SOPPA

1) Designate a Data Privacy Officer

As required by SOPPA, the District appoints the Chief Information Officer as the Student Data Privacy Officer. This role oversees a committee of District personnel charged with making sure that all educational technology partners and services adhere to the regulations of SOPPA. These regulations are in place to ensure that the sale, rental, lease or trading of any District student records or covered information by the District is prohibited. Any operator of such a service is required to have a signed agreement with the District accepting the strict regulations of SOPPA.

The Chief Information Officer is also designated to sign contracts with operators and review operator privacy policies to ensure they meet the requirements of SOPPA.

2) Post Data Breaches

In the event of a data breach, the District is required to notify parents via the District's communication system within 30 days of the breach, or within 60 days if a third party is responsible for the data breach.

3) Post Parental Rights Regarding the Review of Student Personal Data

SOPPA regulations state that parents and/or legal guardians have the right to inspect, review and correct information maintained by the school, operators and ISBE. All requests should be made via email to the Chief Information Officer (the designated Data Privacy Officer) using this email address: 

4) Annually Post District-Approved Services, Applications and Technology Tools

To ensure that all educational technology partners, operators and services that collect student data comply with SOPPA, the District will annually review electronic services and applications. Each is vetted through the District's SOPPA Committee and approved or denied based on the operator's willingness to agree to the terms defined in SOPPA.

Click here to view all District SOPPA Compliant Learning Platforms. 

5) Maintain Reasonable Security Procedures and Practices

The District adheres to its own Student and Family Privacy rights, as outlined in approved Board policy and Information Services Department guidelines. Click here to review the District's policy. 

6) Post Contracts for Each Operator

Click here to search for contracts and see a comprehensive list of approved operators.

Additionally, operators are required to sign the Illinois Student Data Privacy Agreement (SDPA) before any service, application or tool can be adopted by the District or any contract renewed. A copy of the IL-NDPA can be found on the SDPC Website. This agreement is directly tied to the strict regulations of SOPPA and helps ensure the data shared with approved operators is not sold, leased or rented and is used solely for educational purposes. Each operator must specifically list the data elements they collect, and they must specifically state how this data is stored on their servers (or the servers of their subcontractors). 

Frequently asked questions about the implementation of SOPPA

The following answers provide information regarding what happens to our students' data and the steps taken by the District to protect our students' privacy. 

Who must comply with SOPPA?

Websites, online services and mobile apps that are designed, marketed and used for K-12 school purposes must comply with SOPPA regardless of whether they have a contract with a school or district.

Does SOPPA apply to all vendors, including Google, Microsoft, Apple and SIS platforms?

Yes, all vendors that operate in Illinois must adhere to SOPPA requirements.

What does it mean to be SOPPA-compliant? 

If a vendor states that they are SOPPA-compliant, that means they are:

- Not using collected data to provide targeted ads;

- Not profiling students except in furtherance of school purposes;

- Not selling or renting student information;

- Not disclosing information unless required to by law or as part of the maintenance and development of its service;

- Using sound security practices;

- Deleting student data when requested by the school or district;

- Publicly disclosing information about its use, terms of service, agreement and privacy policy;

- Entering into a written agreement with the school district.

How does SOPPA impact teachers?

Teachers must follow District-created policies for vetting third-party applications that utilize personally identifiable information. 

What does personally identifiable student information mean? 

This means any identifying information, including but not limited to name (first and/or last), initials, student ID, kid-code number, email address, home address, telephone number, student identifiers, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, search activity, photos, voice recordings or geolocation information.