HB 2696 addresses ongoing issues with State standardized testing vendors violating Illinois' Student Online Personal Protection Act (SOPPA)’s prohibition on selling student data.

What does HB 2696 do?

1. Reinforces prohibition on data sales in SOPPA by adding explicit prohibition to the School Code, barring state assessment vendors from selling or commercially exploiting students’ covered information they have access to as vendors.

2. Adds private right of action for operator (vendor) violations to SOPPA’s enforcement mechanisms.

Why is this bill needed?

• The State Board of Education and the Attorney General continue to permit illegal data sales by standardized test vendors with state contracts.
• SOPPA lacks a private right of action, and enforcement relies solely on the State AG, unlike our other state privacy laws, the Personal Information Protection Act (PIPA), Biometric Information Privacy Act (BIPA) and Illinois School Student Records Act (ISSRA).
• A hybrid enforcement mechanism which allows parents and students to bring suits against operators (vendors) would greatly strengthen SOPPA’s protectiveness and effectiveness.

• For decades, ACT, Inc and the College Board have sold test takers’ personal information to higher ed institutions and other third-parties. In Illinois sales were made illegal in 2017 if the data has been collected via in-school testing.

• While the SAT was Illinois' required high school test, the College Board sold data under its multi-million dollar contracts with ISBE. Now the ACT is the state test, and sales continue under ISBE’s 6-year, $57M contract with ACT Education Corp.

• Enforcement of SOPPA’s prohibition on data sales lies solely with our State Attorney General, who has failed to act. In February 2024, NY State AG Letitia James fined the College Board and put a stop to sales of NY students’ data.

• SOPPA lacks a private right of action because Big Tech lobbied against it when SOPPA was amended in 2019. But AG enforcement alone for SOPPA is insufficient due to the AG Office’s limited resources or unwillingness to act, so vendors —even those with state contracts—have little motivation to comply.

• Student data is highly valuable on the black market, and ransomware attacks on ed tech are ever more frequent. IL’s Personal Information Protection Act often does not apply to K-12 student breaches because they may not include certain identifiers like Social Security numbers. Nonetheless, breaches may impact highly sensitive data like grades, test scores, intelligence test results, behavior and discipline data, or records of abuse or neglect.  

• Major ransomware attacks in the last three years have impacted public school districts in Minneapolis, New York City and Los Angeles. In a 2021 ransomware attack involving data of 500K Chicago Public Schools students, 60K employees, the vendor, Battelle for Kids, did not inform the district for four months and possibly paid a ransom demand. In December 2024 a massive breach of PowerSchool’s portal exposed four decades worth of data from 62 million students and almost 10 million educators due to PowerSchool’s lack of multi-factor authentication; dozens of Illinois districts were impacted.

• Budget cuts and mass firings at federal agencies including the US Department of Education, Federal Trade Commission, Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency are likely to weaken already inadequate protection of student privacy by the federal government.

• Under PA 103-0204, Illinois’ public institutions of higher ed now have free access to an ISBE database of Illinois public high school students’ names, addresses and telephone numbers that they can use for admissions recruitment; they shouldn't be buying data from test vendors who can't even legally sell it!