Illinois Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Illinois addressing privacy and security of student and teacher data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Illinois Public Act 101-0516 (HB3606) will become effective July 1, 2021.  As an entity that provides online services, Microsoft is an “operator” within the meaning of the Public Act.  Sections 10 and 15 of the Act address operator prohibitions and duties. 

Microsoft’s standard January 2020 Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Illinois’ statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies the provisions of Illinois law that are applicable to operators such as Microsoft, and the relevant provision(s) of Microsoft’s DPA that address Microsoft’s compliance with each requirement.

| Public Act 101-0516 Provision | Compliant Microsoft Provision(s) |
| --- | --- |
| 105 ILCS 85/10(1): Targeted advertising based on information, including covered information | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 105 ILCS 85/10(2): Use of information to amass a profile about a student | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 105 ILCS 85/10(3): Selling or renting a student’s information | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 105 ILCS 85/10(4): No disclosure of covered information unless based on defined exceptions | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data<br>See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations |
| 105 ILCS 85/15(1): Operator’s duty to implement and maintain reasonable security procedures and practices | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies<br>See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |
| 105 ILCS 85/15(2): Deletion of a student’s covered information within a reasonable time | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| 105 ILCS 85/15(3): Duty to publicly disclose material information about its collection, use, and disclosure of covered information | Microsoft Online Services Terms<br>Microsoft Online Services Data Protection Addendum |
| 105 ILCS 85/15(4): Requirement of a written agreement | The requirements are addressed by Microsoft’s Online Services Terms and Microsoft Online Services Data Protection Addendum. |
| 105 ILCS 85/15(5): Breach notification requirement | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification<br>Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management |
| 105 ILCS 85/15(6): Provide a list of any third parties or affiliates to whom the operator is currently disclosing covered information or has disclosed covered information by the beginning of each State fiscal year and at the beginning of each calendar year | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data |