Illinois SOPPA Compliance

03/12/2021

 

On July 1, 2021, the Student Online Personal Protection Act (SOPPA) will take effect in Illinois. We reviewed the new legislation and made changes to be in compliance with its mandates. At a high level, we believe that Common Goal Systems (CGS) now meets SOPPA's "operator duties," doesn't practice any "operator prohibitions," and that our Terms of Service (TOS) meets the requirements for a "written agreement" between operators and schools. Illinois customers should be able to renew their subscription and be comfortable that CGS, as a vendor, is meeting SOPPA requirements.

 

We've long followed the spirit of SOPPA. We’ve been handling confidential student data for many years, and it’s essential to our business to effectively protect it. The new act reiterates many restrictions already enacted by the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), and we've complied with these requirements for some time. SOPPA does create some new requirements, which we've recently implemented.

 

Some context about SOPPA and privacy/security would likely be helpful.  Our business is to provide software tools for schools and districts to manage sensitive data.  We charge customers subscription fees for the use of our software, which is the primary revenue stream for the company.  Unlike many tech companies, we do NOT own customer data housed in our system (this is called out specifically in our TOS).  As such, we do not ever use confidential data for commercial purposes, and have always steered clear of bad behavior that "big tech" uses to monetize user data.  We do not serve advertising on our site.  We do not sell or rent data.  We do not transmit data to third parties unless asked by individual school districts (such as sending roster information to a learning management system).  We implement industry standard security practices to protect the data.  While we have not yet experienced a security breach, it is possible that one might occur in the future. If such a problem ever arises, we will investigate the incident, remedy the security flaw(s), notify the affected parties as required by law, and publish a summary report.

 

As mentioned above, to become fully compliant with SOPPA, we updated our TOS. We would encourage interested customers to review it; it's linked at the bottom of every web page. The new TOS is integrated with the 2021-22 renewal order forms (which go out shortly). For the more nerdy among us, we wrote a Knowledge Base article to discuss the specific changes we made to our TOS in response to SOPPA. Feel free to dig into it, if you're so inclined.

KB Article: Student Online Personal Protection Act (SOPPA) Terms of Service (TOS) Changes

 

Some customers have reached out to us with supplemental agreements, which made sense prior to our TOS update. Given the changes, we believe external agreements are unnecessary. We like to be cooperative with customers, so we are not philosophically opposed to external SOPPA agreements (even when unnecessary). We will be happy to review, respond to, and sign the reasonable ones. We would temper expectations, however. Some agreements go well beyond SOPPA requirements, and are more of a software buyer's TOS wish list. We'll probably push back on aggressive contract terms, especially if they would negatively affect our internal operations.

 

Feel free to reach out to us if you have any questions.  Thank you for allowing us to serve you.

 

 

The Common Goal Team