Read the full stored bill text
20
53E-9-309
53E-9-309
12
11
Privacy Compliance for Education Technology Vendors
2026 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Tiara Auxier
Senate Sponsor: John D. Johnson
LONG TITLE
General Description:
This bill requires the termination of a contract with a third-party provider in certain
circumstances involving a failure to comply with state or federal privacy laws.
Highlighted Provisions:
This bill:
requires an education entity or a government agency contracting on behalf of an education
entity to:
include certain provisions in a contract with a third-party contractor;
notify a third-party contractor of the contractor's unauthorized sale of student data or
information in violation of state or federal privacy laws; and
terminate a contract with a third-party contractor that does not remedy the privacy
violation after notification;
repeals a provision allowing a third-party contractor to respond to a student's request for
information or feedback;
requires the State Board of Education to conduct investigations of certain alleged
violations and audits of certain agreements; and
makes technical changes.
Money Appropriated in this Bill:
None
Other Special Clauses:
This bill provides a special effective date.
Utah Code Sections Affected:
AMENDS:
53E-9-309
, as last amended by Laws of Utah 2020, Chapter 388
Be it enacted by the Legislature of the state of Utah:
Section 1. Section
53E-9-309
is amended to read:
53E-9-309
. Third-party contractors.
(1)
A third-party contractor shall use personally identifiable student data received under a
contract with an education entity strictly for the purpose of providing the contracted
product or service within the negotiated contract terms.
(2)
(a)
When contracting with a third-party contractor, an education entity, or a
government agency contracting on behalf of an education entity, shall
:
(i)
require the following provisions in the contract:
(a)
(A)
requirements and restrictions related to the collection, use, storage, or
sharing of student data by the third-party contractor that are necessary for the
education entity to ensure compliance with the provisions of this part and state
board rule;
(b)
(B)
a description of a person, or type of person, including an affiliate of the
third-party contractor, with whom the third-party contractor may share student
data;
(c)
(C)
provisions that, at the request of the education entity, govern the deletion
of the student data received by the third-party contractor;
(d)
(D)
except as provided in Subsection
(4)
and if required by the education
entity, provisions that prohibit the secondary use of personally identifiable
student data by the third-party contractor;
and
(e)
(E)
an agreement by the third-party contractor that, at the request of the
education entity that is a party to the contract, the education entity or the
education entity's designee may audit the third-party contractor to verify
compliance with the contract
.
; and
(F)
provisions describing the education entity's or government agency's statutory
duty to terminate the contract in the case of a privacy violation in accordance
with Subsection
(2)(a)(iii)
and prohibiting any fee or financial liability for the
termination;
(ii)
within 30 days after the day on which the education entity or government agency
discovers a third-party contractor's unauthorized usage of student data or
information in violation of state or federal privacy laws, including this chapter, the
Family Education Rights and Privacy Act and related provisions under 20 U.S.C.
Secs. 1232g and 1232h, the Children's Online Privacy Protection Act, 15 U.S.C.
Sec. 6501 et seq., and any associated regulations, provide notice to the third-party
contractor of:
(A)
the violation of the relevant state or federal privacy law; and
(B)
the education entity's or government agency's duty to terminate the contract
under Subsection
(2)(a)(iii)
; and
(iii)
no sooner than 30 days after the day on which the education entity or
government agency provides the notice described in Subsection
(2)(a)(ii)
,
terminate the contract with the third-party contractor if the contractor does not:
(A)
remedy the privacy violation to the greatest extent practicable, in the
determination of the education entity or government agency; and
(B)
establish processes and procedures to prevent the failure of compliance from
re-occurring.
(b)
A third-party contractor may not impose a fee, seek damages, or otherwise assert any
financial liability against an education entity or government agency that terminates a
contract as a consequence of the contractor's unauthorized usage of student data or
information in violation of a relevant state or federal privacy law under Subsection
(2)(a)(iii)
.
(c)
(i)
A person may submit a report of a suspected violation directly to the state board
student data privacy team, through a reporting process that state board policy
establishes.
(ii)
Upon receipt of a report described in Subsection
(2)(c)(i)
, the state board student
data privacy team shall, in accordance with state board policies and procedures:
(A)
conduct an initial review to determine whether the report is credible, relevant,
and sufficiently specific to warrant action; and
(B)
if the report meets the standard described in Subsection
(2)(c)(ii)(A)
, initiate a
compliance audit or investigation of the relevant third-party contractor.
(d)
To combat data protection misunderstandings or misconceptions, state board staff
shall create materials or resources to be made available to third-party contractors.
(3)
As authorized by law or court order, a third-party contractor shall share student data as
requested by law enforcement.
(4)
A third-party contractor may:
(a)
use student data for adaptive learning or customized student learning purposes;
(b)
market an educational application or product to a parent of a student if the third-party
contractor did not use student data, shared by or collected on behalf of an education
entity, to market the educational application or product;
(c)
use a recommendation engine to recommend to a student:
(i)
content that relates to learning or employment, within the third-party contractor's
application, if the recommendation is not motivated by payment or other
consideration from another party; or
(ii)
services that relate to learning or employment, within the third-party contractor's
application, if the recommendation is not motivated by payment or other
consideration from another party;
(d)
respond to a student request for information or feedback, if the content of the
response is not motivated by payment or other consideration from another party;
(e)
(d)
use student data to allow or improve operability and functionality of the
third-party contractor's application; or
(f)
(e)
identify for a student nonprofit institutions of higher education or scholarship
providers that are seeking students who meet specific criteria
if the criteria does not
include a personal identity characteristic as that term is defined in Section
53B-1-118
:
(i)
regardless of whether the identified nonprofit institutions of higher education or
scholarship providers provide payment or other consideration to the third-party
contractor; and
(ii)
only if the third-party contractor obtains authorization in writing from:
(A)
a student's parent through the student's school or LEA; or
(B)
for an adult student, the student.
(5)
At the completion of a contract with an education entity, if the contract has not been
renewed, a third-party contractor shall return or delete
upon the education entity's
request
all personally identifiable student data under the control of the education entity
unless
a student or
the student's parent
consents
gives written consent
to the
third-party contractor's
maintenance of the personally identifiable student data.
(6)
(a)
A third-party contractor may not:
(i)
except as provided in Subsection
(6)(b)
, sell student data;
(ii)
collect, use, or share student data, if the collection, use, or sharing of the student
data is inconsistent with the third-party contractor's contract with the education
entity; or
(iii)
use student data for targeted advertising.
(b)
A person may obtain student data through the purchase of, merger with, or otherwise
acquiring a third-party contractor if the third-party contractor remains in compliance
with this section.
(7)
The provisions of this section do not:
(a)
apply to the use of a general audience application, including the access of a general
audience application with login credentials created by a third-party contractor's
application;
(b)
apply if the student data is shared in accordance with the education entity's directory
information policy, as described in 34 C.F.R. 99.37;
(c)
apply to the providing of Internet service; or
(d)
impose a duty on a provider of an interactive computer service, as defined in 47
U.S.C. Sec. 230, to review or enforce compliance with this section.
(8)
A provision of this section that relates to a student's student data does not apply to a
third-party contractor if the education entity or third-party contractor obtains
authorization from the following individual, in writing, to waive that provision:
(a)
the student's parent, if the student is not an adult student; or
(b)
the student, if the student is an adult student.
Section 2.
Effective Date.
This bill takes effect on
July 1, 2026
.
2-17-26 1:39 PM