Last Thursday, I attended IDEACon in Schaumburg, IL for the singular purpose of learning as much as possible about the new student privacy law passed last fall, which updates SOPPA and takes effect in July 2021.

Google is in some hot water via a lawsuit from New Mexico’s Attorney General (link) (thank you Mary Furbush for the article). Full text of the lawsuit (link). There is a very real (and legally actionable) fear from parents that the tech giants are acting, at best, carelessly, and at worst in a predatory manner vis-a-vis student data.

Although those fears range in terms of their factual backing, the biggest concern is that leaked student information could wind up compromising a child’s opportunities later in life. It’s easy to imagine a scenario in which a competitive university’s admissions office might purchase troves of data in a search for any basis to tip the scales in favor of or against a backlog of qualified applicants. But that is only one example.

As a special ed organization, we have a responsibility to keep out the prying eyes of a stigmatizing society. SOPPA wasn’t specifically written for special ed joint agreements (and in parts seems to forget we exist). But SOPPA should have prime significance for us who work for and defend equity for our student population, who are at risk for discrimination in their adult lives.

At IDEACon, I listened to Linnette Attai of Playwell, LLC (link) and Erich Grauke of ISBE address SOPPA and its implementation. For what it’s worth, both of them expressed skepticism of the merits of the New Mexico AG lawsuit, saying that it looks as though the suit was written without a nuanced understanding of another law, COPPA. Google will probably come out of it unscathed.

But there are likely hundreds of other ed-tech platforms and companies that all of us sign up for in order to assist the mission. For better or for worse, we are now in the twilight of this “wild west” as all Illinois K-12 schools become a target for scrutiny. In the CASE Central Office, we are only just beginning to work out the best implementation for SOPPA. However, in the most general terms, here is what the law will require.

1. FERPA recommendations become requirements.

As part of FERPA, the DoE recommended a set of guidelines. SOPPA takes these guidelines and makes them law. For example, the DoE recommended the following:

  • K-12 orgs inventory their edtech services and apps and what student PII access is granted to them.
  • K-12 orgs have a policy limiting and directing who is permitted to enter written agreements with service providers (including clicking “I Accept” on any Terms of Use).
  • K-12 orgs have a written agreement with each vendor containing certain required provisions re: student data.
  • K-12 orgs post these written agreements and other information on a website.

You can see these and more in the 2014 “Requirements and Best Practices” document from the DoE, starting on Page 8 (link). There is a stunning resemblance to SOPPA.

The one unique aspect of Illinois’ new law, according to Attai, is the high record-keeping burden it imposes on K-12 organizations. Essentially, our ability to learn, adapt, and use new technologies will continue only in proportion to the ease and speed with which we inventory PII; vet and approve products; and negotiate, publish, and update written agreements.

2. Stronger security requirements

Like more than 30 similar laws around the country, SOPPA calls for K-12 orgs to “implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards.” What are “reasonable security practices”? According to SOPPA, it’s ISBE’s job to define them.

Mr. Grauke from ISBE has said that he hopes that this guidance document will be available this summer. However, as Attai said: “Don’t wait.” In her review of similar state laws, she has not seen any state board successfully release binding security rules to meet this criterion. Instead, she suggests referencing the FTC’s definition of “reasonable security,” which in all likelihood will be the inspiration for the guidelines. Here is the FTC’s “Guide for Business” as a starting point (link).

There is also the NIST (National Institute of Standards and Technology) cybersecurity framework, which is more comprehensive, and probably more like an aspirational guidepost (link).

Guiding principles in CASE’s implementation

The law can seem overwhelming, but I am confident that CASE can tackle this in a way that best serves our students. As we comb through every new requirement, here are the guideposts that will inform our thinking:

  1. We will protect student privacy in accord with the letter and spirit of the law, while as much as possible minimizing burdens on our professional staff and faculty.
  2. We will build a sustainable apparatus to ensure continued compliance without overly depending on one individual to pull all of the levers. This means clear roles and responsibilities for the CASE implementation team and selecting the right tools to facilitate the flow of records and processes year after year.

As a byproduct of these, I believe CASE can reap other benefits beyond only guarding our students’ privacy. SOPPA essentially forces us to discuss and share information about the tools our professionals use to serve students. There is a tremendous built-in opportunity for professional learning here in areas of assistive and instructional technology.

I will keep everyone posted on our progress as we work out the steps. As per my January email, expect me to send you an initial “Student PII Inventory” Microsoft form and to visit Learning Team Meetings.