Student Online Personal Protection Act (SOPPA)

What is SOPPA?
The Student Online Personal Protection Act, or SOPPA, is the Illinois data privacy law that regulates student data collection and use by Illinois schools, the Illinois State Board of Education, and educational technology providers/operators/vendors.

The Student Online Personal Protection Act (SOPPA) protects the privacy and security of student data when collected by companies operating websites, online services, or online/mobile applications primarily used for K-12 school purposes.

One of the most significant changes under SOPPA is the new requirement that Illinois school districts are prohibited from providing any personally identifiable student information, referred to as “covered information” under the Act, to any entity or individual (an “operator”) without entering into a written agreement with the operator.

Effective July 1, 2021, all Illinois school districts will be required (among other things) to enter into a written agreement with educational technology providers/operators/vendors and to post a list of educational technology providers/operators/vendors with which the district has written agreements, copies of those written agreements, and other information about such providers/operators/vendors on the school’s website; as well as to notify students and parents of any breach of student data by any providers/operators/vendors of the school. (105 ILCS 85/1 et seq.) SOPPA applies to all Illinois school districts, the Illinois State Board of Education, and operators of online services and applications. 

The Union Ridge School Board of Education and staff are committed to protecting the privacy our students. For more information about our student privacy or the implementation of SOPPA at Union Ridge School please contact us at 


Below is a high-level overview of the SOPPA requirements. Please refer to the legislation for specific timelines and components of each element. 

School districts must:

  • Enter into written agreements with all K-12 service providers who collect student data to provide technology services to student.
  • Implement and maintain reasonable security practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.
  • Post on their website: 
    • A list of all operators of online services or applications utilized by the district (annually). 
    • All data elements that the school collects, maintains, or discloses to any entity (annually). This information must also explain how the school uses the data, and to whom and why it discloses the data.
    • Contracts for each operator within 10 days of signing.
    • Subcontractors for each operator (annually).
    • The process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.
    • Data breaches within 10 days and notify parents within 30 days.
  • Create a policy for who can sign contracts with operators.

Under SOPPA, Educational Technology Providers/Operators/Vendors 

  • Are not using any data collected via its service to target ads;
  • Are not creating advertising profiles on students;
  • Are not selling student information;
  • Won't disclose information, unless required by law or as part of the maintenance and development of its service;
  • Are using sound information-security practices, which often include encrypting data;
  • Will delete data that it has collected from students in a school when the school or district requests it;
  • Will share breaches information with school as soon as they are aware. 

For more resources on SOPPA visit and the Learning Technology Center of Illinois ( LTC  Illinois ) at

Check Our SOPPA Resources Page

This site provides information using PDF, visit this link to download the Adobe Acrobat Reader DC software.