SOPPA takes effect on 7/1/2021 and affects all Illinois school districts. We wanted to make it as easy as possible for our customers to meet SOPPA requirements when using our system. The law contains sections on “operator prohibitions” and “operator duties” and we’ve made changes to our TOS and internal procedures to meet those requirements. We also modified our order forms so that a signed form meets the requirement for a “written agreement” between school districts and providers.
This is a pretty big claim, so we wanted to allow customers to check our work. This document goes into detail on our TOS and procedural changes to comply with SOPPA. We’ll basically list all language that applies to us, discuss the situation if necessary, and show our TOS sections that satisfy the requirements. The full text of SOPPA can be found at:
https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=101-0516
In addition to signing an agreement with CGS, customers will have their own responsibilities under SOPPA. We want to help them by making the operator portions easy to verify, and handling the “written agreement.” There are other actions customers will need to take that are beyond the purview of CGS.
Here are the sections of SOPPA that apply to CGS, and what we did to meet those requirements. SOPPA and TOS text is italicized, and normal text is for our commentary.
- 105 ILCS 85/10 Sec. 10 Operator Prohibitions. An operator shall not knowingly do any of the following:
- (1) Engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K through 12 school purposes.
CGS has never served advertising on our site. It was also added to our TOS in the Privacy section:
Privacy: [...] CGS will not serve advertising to its users.
- (2) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application to amass a profile about a student, except in furtherance of K through 12 school purposes. "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent or legal guardian, or the school.
CGS does not use persistent cookies (beyond a session cookie to maintain a login), and does not track users on other sites.
- (3) Sell or rent a student's information, including covered information.
CGS does not sell or rent user information. This is also covered in the Privacy section of our TOS:
Privacy: [...] CGS will not knowingly disclose or disseminate any confidential information to third parties without prior written consent of the School, or as required by law. [...]
- (4) Except as otherwise provided in Section 20 of this Act, disclose covered information, unless the disclosure is made for the following purposes: [...]
CGS does not disclose private/confidential information, unless we’ve gotten consent from our customer, or it’s required by law. This is covered by the Privacy section of our TOS:
Privacy: [...] CGS will not knowingly disclose or disseminate any confidential information to third parties without prior written consent of the School, or as required by law. [...]
- 105 ILCS 85/15 Sec. 15 Operator duties. An operator shall do the following:
- (1) Implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards appropriate to the nature of the covered information and designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure.
CGS has implemented industry standard security practices. This is also covered in the Security section of the TOS:
Security: The Services have been designed to withstand breaches in the system from unknown entities. CGS will maintain the technical security of the Services to prevent unauthorized viewing of data; unauthorized modification of data; and denial of service to the user base. [...]
- (2) Delete, within a reasonable time period, a student's covered information if the school or school district requests deletion of covered information under the control of the school or school district
In most cases, schools need us to retain the data for some time, as it’s covered by more generic public sector data destruction policies, so data destruction requests for our product are pretty uncommon. We are happy to delete user data as requested. We can remove it from our online servers within 90 days, but it will persist in the backups for a long time. A single backup holds all data for all customers on the site, and it is technically infeasible to restore, delete, and resave every backup in response to a single user’s request. As such, backup data will be deleted after 7 years, which is the duration we keep all backups. This is described in our TOS:
Deletion of Data: Should the School choose not to extend the Agreement, they can request deletion of their data from the Service, which will be performed within 90 days. Their data will also exist in backups (referenced in “Data Integrity” above) commingled with all other CGS customers’ data. Backups are primarily stored offline, but may be restored onto internal servers (not accessible from the Internet) from time to time. Due to the backups’ technical nature, it is not feasible to remove a single School’s data from the backups. As a consequence, the School’s data will exist in CGS backups until the backups are destroyed, typically after 7 years.
- (3) Publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document.
CGS publishes both a privacy policy and terms of service.
- (4) [...] any operator who seeks to receive [...] any covered information, enter into a written agreement with the school [...] before the covered information may be transferred. [...] a user must agree to terms and conditions before using the product or service. Any written agreement entered into, amended, or renewed must contain all of the following:
All customers must sign our order form and agree to our TOS. This is the mechanism to onboard new customers, and renew existing ones. The TOS includes all the required verbiage listed below.
- (A) A listing of the categories or types of covered information to be provided to the operator.
This is covered in the “Services to Schools” section of the TOS:
Services to Schools: [...] As part of these services, the school provides certain data covered under the Illinois Student Online Personal Protection Act (SOPPA). These data may include, but are not limited to, student demographic information, education records, discipline records, and other personally identifiable information.
- (B) A statement of the product or service being provided to the school by the operator.
This is also covered in the “Services to Schools” section of the TOS:
Services to Schools: CGS, through one or more products, provides enterprise data management software to schools and school districts. [...]
- (C) A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.
While our TOS does not list the specific cases explicitly called out by SOPPA, these requirements are effectively covered by the “Privacy” section of our TOS.
Privacy: The Services store data of a confidential nature. The School owns this data and CGS interacts with it as an agent of the School. [...] CGS will not knowingly disclose or disseminate any confidential information to third parties without prior written consent of the School, or as required by law. [...]
- (D) A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated between the operator and the school. [...]
This is covered by the “Security” section of our TOS. CGS has defined a set of tasks we will perform in the event of a breach, and will cover the expenses for those tasks.
Security: [...] In the unlikely event of a security breach into the Services, CGS, at its own expense, will undertake an investigation of the incident, make best efforts to remedy any security flaws that allowed unauthorized access, notify affected parties as required by law, and provide a summary report at the conclusion of the investigation. In the case of breach, the School may also incur expenses, which will be the sole responsibility of the School.
The school will likely incur costs too, which raises a valid point of discussion. If CGS allows a breach, shouldn’t we be responsible for the costs incurred by all schools? Not necessarily. The reason is that these costs are unusual and unexpected, and as such should be covered by insurance in the unlikely event that a breach occurs.
CGS could purchase insurance for all customers and pass the costs along in the form of higher subscription fees. While this is a possible path, it feels like the wrong solution to us. Insurance purchasing decisions involve weighing risks and costs, then choosing an appropriate plan from the available options. Customers’ budgets and risk tolerance vary, and it would be unlikely that CGS could find a single plan that works simultaneously for the most risk averse and most budget conscious customers. It’s better for customers to choose their own plans that meet their specific needs.
The second issue is scalability. Districts have the same breach costs/insurance issue for ALL their software services. If any vendor pushes the liability for costs onto districts, then districts will need to engage with their insurance agent and purchase a plan. It’s basically just as easy for districts to purchase plans for all products they use, as it is for a single product (or subset).
- (E) A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement.
This was discussed above (check that section for details) and is documented in the “Deletion of Data” section of our TOS:
Deletion of Data: Should the School choose not to extend the Agreement, they can request deletion of their data from the Service, which will be performed within 90 days. Their data will also exist in backups (referenced in “Data Integrity” above) commingled with all other CGS customers’ data. Backups are primarily stored offline, but may be restored onto internal servers (not accessible from the Internet) from time to time. Due to the backups’ technical nature, it is not feasible to remove a single School’s data from the backups. As a consequence, the School’s data will exist in CGS backups until the backups are destroyed, typically after 7 years.
- (F) If the school maintains a website, a statement that the school must publish the written agreement on the school's website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office. [...]
This is documented in the “SOPPA Agreement Publishing” section of our TOS:
SOPPA Agreement Publishing: For Illinois public school districts, if the School maintains a website, they must publish the Common Goal Systems Terms of Service (version 3/2021) on their website. If not, a copy must be available for inspection by the general public at its administrative offices.
- (5) In case of any breach, within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after the determination that a breach has occurred, notify the school of any breach of the students' covered information.
This is also covered by the “Security” section of the TOS. Our wording is less specific but still effectively covers the case. A number of legislative acts set requirements for notifying affected users, and we wanted to make our TOS longer-lived by not tying it to the specifics of any one document, which would make it fragile.
Security: [...] In the unlikely event of a security breach into the Services, CGS, at its own expense, will [...], notify affected parties as required by law, and [...]
- (6) [...] provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing covered information [...]
CGS does not disclose any information to any external vendors without express permission of the School. So all schools will start with an empty list of third parties receiving their data. When a school requests that we share information with a third party, we will provide confirmation that it is being shared, and will be happy to confirm all the third parties currently receiving the School’s information, at any time.