HB 2696 will address ongoing issues with ed tech and standardized testing vendors violating Illinois' Student Online Personal Protection Act (SOPPA), including selling student data and not keeping it secure.

WHAT DOES THIS BILL DO?

This bill adds a private right of action to SOPPA’s enforcement mechanisms for operator (=vendor) violations. This gives families recourse to bring lawsuits against vendors that violate SOPPA.

WHY IS THIS BILL NEEDED?

SOPPA's enforcement relies solely on our State’s Attorney General. Privacy laws that rely solely on AG enforcement are simply not strong enough, primarily due to limited resources for AG offices. Due to dramatically increased workload under the new presidential administration, IL’s AG is requesting $15M additional for FY2026 budget.

Without an expectation of enforcement, tech companies are not motivated to comply with the law. Since its passage in 2017, there have been no enforcement actions for violations of SOPPA:

Data sales: State standardized testing vendors (College Board and ACT, Inc.) continue to sell student data under their multi-million contracts with the IL State Board of Education for state-mandated tests.

Data breaches: Students and staff across the state have been impacted by massive breaches and ransomware attacks where companies failed to secure student data:

2018: Pearson, 40+ IL districts (13K districts, 11M records worldwide)
2022: Battelle for Kids, 495K students, 56K staff
2024: Powerschool, 50+ IL districts (62M students, 9.5M staff worldwide)
2024: Cleo, 700K current and former student records

Budget cuts and mass firings at federal agencies—including the US Department of Education, Federal Trade Commission, Federal Bureau of Investigation, and Cybersecurity and Infrastructure Security Agency—are weakening already inadequate protection of student privacy by the federal government.

Student data is very valuable on the black market, and ransomware attacks on ed tech sites and software are ever more frequent. Breaches may impact highly sensitive data collected in schools, including grades, test scores, intelligence test results, medical and health records, behavior and discipline data, or records of abuse or neglect, country of birth, and disability status.

Under PA 103-0204, IL’s public institutions of higher ed now have free access to an ISBE database of IL public high school students’ contact info they can use for admissions recruitment.

Download a 1-pager to share with your legislator here.