Back to Utah

HB0055 • 2026

Privacy Compliance for Education Technology Vendors

Privacy Compliance for Education Technology Vendors

Education Privacy Technology
Enacted

This bill passed the Legislature and reached final enactment based on the latest official action.

Sponsor
Rep. Auxier, Tiara
Last action
2026-02-27
Official status
Governor Signed
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Privacy Compliance for Education Technology Vendors

This bill requires the termination of a contract with a third-party provider in certain circumstances involving a failure to comply with state or federal privacy laws.

What This Bill Does

  • This bill requires the termination of a contract with a third-party provider in certain circumstances involving a failure to comply with state or federal privacy laws.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-02-27 Lieutenant Governor's office for filing

    Governor Signed

  2. 2026-02-20 Clerk of the House

    House/ received enrolled bill from Printing

  3. 2026-02-20 Executive Branch - Governor

    House/ to Governor

  4. 2026-02-18 Clerk of the House

    Enrolled Bill Returned to House or Senate

  5. 2026-02-18 Clerk of the House

    House/ enrolled bill to Printing

  6. 2026-02-17 Legislative Research and General Counsel / Enrolling

    Bill Received from House for Enrolling

  7. 2026-02-17 Legislative Research and General Counsel / Enrolling

    Draft of Enrolled Bill Prepared

  8. 2026-02-17 House Speaker

    House/ received from Senate

  9. 2026-02-17 Legislative Research and General Counsel / Enrolling

    House/ signed by Speaker/ sent for enrolling

  10. 2026-02-17 Released

    LFA/ fiscal note publicly available for HB0055S01

  11. 2026-02-16 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0055S01

  12. 2026-02-12 Senate 3rd Reading Calendar

    Senate/ 3rd reading

  13. 2026-02-12 Senate President

    Senate/ passed 3rd reading

  14. 2026-02-12 House Speaker

    Senate/ signed by President/ returned to House

  15. 2026-02-12 House Speaker

    Senate/ to House

  16. 2026-02-11 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0055S01

  17. 2026-02-11 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0055S01

  18. 2026-02-11 Senate 2nd Reading Calendar

    Senate/ 2nd reading

  19. 2026-02-11 Senate 3rd Reading Calendar

    Senate/ passed 2nd reading

  20. 2026-02-09 Senate Education Committee

    Senate/ committee report favorable

  21. 2026-02-09 Senate 2nd Reading Calendar

    Senate/ placed on 2nd Reading Calendar

  22. 2026-02-06 Senate Education Committee

    Senate Comm - Favorable Recommendation

  23. 2026-02-05 Released

    LFA/ fiscal note publicly available for HB0055

  24. 2026-02-05 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0055

  25. 2026-02-04 Senate Education Committee

    Senate/ to standing committee

  26. 2026-02-03 Senate Rules Committee

    Senate/ 1st reading (Introduced)

  27. 2026-02-02 House 3rd Reading Calendar for House bills

    House/ 3rd reading

  28. 2026-02-02 House 3rd Reading Calendar for House bills

    House/ floor amendment

  29. 2026-02-02 Senate Secretary

    House/ passed 3rd reading

  30. 2026-02-02 Senate Secretary

    House/ to Senate

  31. 2026-02-02 Released

    LFA/ fiscal note publicly available for HB0055

  32. 2026-02-02 Waiting for Introduction in the Senate

    Senate/ received from House

  33. 2026-01-28 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0055

  34. 2026-01-23 House Consent Calendar

    House/ 2nd reading

  35. 2026-01-23 House Education Committee

    House/ comm rpt/ amended/ placed on Consent Cal

  36. 2026-01-23 House 3rd Reading Calendar for House bills

    House/ placed back on 3rd Reading Calendar

  37. 2026-01-22 House Education Committee

    House Comm - Amendment Recommendation

  38. 2026-01-22 House Education Committee

    House Comm - Consent Calendar Recommendation

  39. 2026-01-22 House Education Committee

    House Comm - Favorable Recommendation

  40. 2026-01-21 House Education Committee

    House/ to standing committee

  41. 2026-01-20 House Rules Committee

    House/ 1st reading (Introduced)

  42. 2026-01-14 Clerk of the House

    House/ received bill from Legislative Research

  43. 2026-01-14 Clerk of the House

    House/ received fiscal note from Fiscal Analyst

  44. 2026-01-05 Released

    LFA/ fiscal note publicly available for HB0055

  45. 2026-01-05 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0055

  46. 2025-12-19 Legislative Research and General Counsel

    Bill Numbered but not Distributed

  47. 2025-12-19 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0055

  48. 2025-12-19 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0055

  49. 2025-12-19 Legislative Research and General Counsel

    Numbered Bill Publicly Distributed

Official Summary Text

This bill requires the termination of a contract with a third-party provider in certain circumstances involving a failure to comply with state or federal privacy laws.

Current Bill Text

Read the full stored bill text
20
53E-9-309
53E-9-309
12
11
Privacy Compliance for Education Technology Vendors
2026 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Tiara Auxier
Senate Sponsor: John D. Johnson
LONG TITLE
General Description:
This bill requires the termination of a contract with a third-party provider in certain
circumstances involving a failure to comply with state or federal privacy laws.
Highlighted Provisions:
This bill:
requires an education entity or a government agency contracting on behalf of an education
entity to:
include certain provisions in a contract with a third-party contractor;
notify a third-party contractor of the contractor's unauthorized sale of student data or
information in violation of state or federal privacy laws; and
terminate a contract with a third-party contractor that does not remedy the privacy
violation after notification;
repeals a provision allowing a third-party contractor to respond to a student's request for
information or feedback;
requires the State Board of Education to conduct investigations of certain alleged
violations and audits of certain agreements; and
makes technical changes.
Money Appropriated in this Bill:
None
Other Special Clauses:
This bill provides a special effective date.
Utah Code Sections Affected:
AMENDS:
53E-9-309
, as last amended by Laws of Utah 2020, Chapter 388
Be it enacted by the Legislature of the state of Utah:
Section 1. Section
53E-9-309
is amended to read:
53E-9-309
. Third-party contractors.
(1)
A third-party contractor shall use personally identifiable student data received under a
contract with an education entity strictly for the purpose of providing the contracted
product or service within the negotiated contract terms.
(2)
(a)
When contracting with a third-party contractor, an education entity, or a
government agency contracting on behalf of an education entity, shall

:
(i)
require the following provisions in the contract:
(a)
(A)
requirements and restrictions related to the collection, use, storage, or
sharing of student data by the third-party contractor that are necessary for the
education entity to ensure compliance with the provisions of this part and state
board rule;
(b)
(B)
a description of a person, or type of person, including an affiliate of the
third-party contractor, with whom the third-party contractor may share student
data;
(c)
(C)
provisions that, at the request of the education entity, govern the deletion
of the student data received by the third-party contractor;
(d)
(D)
except as provided in Subsection
(4)
and if required by the education
entity, provisions that prohibit the secondary use of personally identifiable
student data by the third-party contractor;
and
(e)
(E)
an agreement by the third-party contractor that, at the request of the
education entity that is a party to the contract, the education entity or the
education entity's designee may audit the third-party contractor to verify
compliance with the contract
.
; and
(F)
provisions describing the education entity's or government agency's statutory
duty to terminate the contract in the case of a privacy violation in accordance
with Subsection
(2)(a)(iii)
and prohibiting any fee or financial liability for the
termination;
(ii)
within 30 days after the day on which the education entity or government agency
discovers a third-party contractor's unauthorized usage of student data or
information in violation of state or federal privacy laws, including this chapter, the
Family Education Rights and Privacy Act and related provisions under 20 U.S.C.
Secs. 1232g and 1232h, the Children's Online Privacy Protection Act, 15 U.S.C.
Sec. 6501 et seq., and any associated regulations, provide notice to the third-party
contractor of:
(A)
the violation of the relevant state or federal privacy law; and
(B)
the education entity's or government agency's duty to terminate the contract
under Subsection
(2)(a)(iii)
; and
(iii)
no sooner than 30 days after the day on which the education entity or
government agency provides the notice described in Subsection
(2)(a)(ii)
,
terminate the contract with the third-party contractor if the contractor does not:
(A)
remedy the privacy violation to the greatest extent practicable, in the
determination of the education entity or government agency; and
(B)
establish processes and procedures to prevent the failure of compliance from
re-occurring.
(b)
A third-party contractor may not impose a fee, seek damages, or otherwise assert any
financial liability against an education entity or government agency that terminates a
contract as a consequence of the contractor's unauthorized usage of student data or
information in violation of a relevant state or federal privacy law under Subsection
(2)(a)(iii)
.
(c)
(i)
A person may submit a report of a suspected violation directly to the state board
student data privacy team, through a reporting process that state board policy
establishes.
(ii)
Upon receipt of a report described in Subsection
(2)(c)(i)
, the state board student
data privacy team shall, in accordance with state board policies and procedures:
(A)
conduct an initial review to determine whether the report is credible, relevant,
and sufficiently specific to warrant action; and
(B)
if the report meets the standard described in Subsection
(2)(c)(ii)(A)
, initiate a
compliance audit or investigation of the relevant third-party contractor.
(d)
To combat data protection misunderstandings or misconceptions, state board staff
shall create materials or resources to be made available to third-party contractors.
(3)
As authorized by law or court order, a third-party contractor shall share student data as
requested by law enforcement.
(4)
A third-party contractor may:
(a)
use student data for adaptive learning or customized student learning purposes;
(b)
market an educational application or product to a parent of a student if the third-party
contractor did not use student data, shared by or collected on behalf of an education
entity, to market the educational application or product;
(c)
use a recommendation engine to recommend to a student:
(i)
content that relates to learning or employment, within the third-party contractor's
application, if the recommendation is not motivated by payment or other
consideration from another party; or
(ii)
services that relate to learning or employment, within the third-party contractor's
application, if the recommendation is not motivated by payment or other
consideration from another party;
(d)
respond to a student request for information or feedback, if the content of the
response is not motivated by payment or other consideration from another party;
(e)
(d)
use student data to allow or improve operability and functionality of the
third-party contractor's application; or
(f)
(e)
identify for a student nonprofit institutions of higher education or scholarship
providers that are seeking students who meet specific criteria
if the criteria does not
include a personal identity characteristic as that term is defined in Section
53B-1-118
:
(i)
regardless of whether the identified nonprofit institutions of higher education or
scholarship providers provide payment or other consideration to the third-party
contractor; and
(ii)
only if the third-party contractor obtains authorization in writing from:
(A)
a student's parent through the student's school or LEA; or
(B)
for an adult student, the student.
(5)
At the completion of a contract with an education entity, if the contract has not been
renewed, a third-party contractor shall return or delete
upon the education entity's
request
all personally identifiable student data under the control of the education entity
unless
a student or
the student's parent
consents
gives written consent
to the
third-party contractor's
maintenance of the personally identifiable student data.
(6)
(a)
A third-party contractor may not:
(i)
except as provided in Subsection
(6)(b)
, sell student data;
(ii)
collect, use, or share student data, if the collection, use, or sharing of the student
data is inconsistent with the third-party contractor's contract with the education
entity; or
(iii)
use student data for targeted advertising.
(b)
A person may obtain student data through the purchase of, merger with, or otherwise
acquiring a third-party contractor if the third-party contractor remains in compliance
with this section.
(7)
The provisions of this section do not:
(a)
apply to the use of a general audience application, including the access of a general
audience application with login credentials created by a third-party contractor's
application;
(b)
apply if the student data is shared in accordance with the education entity's directory
information policy, as described in 34 C.F.R. 99.37;
(c)
apply to the providing of Internet service; or
(d)
impose a duty on a provider of an interactive computer service, as defined in 47
U.S.C. Sec. 230, to review or enforce compliance with this section.
(8)
A provision of this section that relates to a student's student data does not apply to a
third-party contractor if the education entity or third-party contractor obtains
authorization from the following individual, in writing, to waive that provision:
(a)
the student's parent, if the student is not an adult student; or
(b)
the student, if the student is an adult student.
Section 2.
Effective Date.
This bill takes effect on
July 1, 2026
.
2-17-26 1:39 PM