(1) A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms. (2) When contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall: (a) ensure that the contract terms comply with the standards the board establishes under Subsection 53H-14-502(5); and (b) require the following provisions in the contract: (i) requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and board rule; (ii) a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data; (iii) provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor; (iv) except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and (v) an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity's designee may audit the third-party contractor to verify compliance with the contract. (3) As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement. (4) A third-party contractor may: (a) use student data for adaptive learning or customized student learning purposes; (b) market an educational application or product to a student if the third-party contractor does not use student data, shared by or collected on behalf of an education entity, to market the educational application or product; (c) use a recommendation engine to recommend to a student: (i) content that relates to learning or employment, within the third-party contractor's application, if the recommendation is not motivated by payment or other consideration from another party; or (ii) services that relate to learning or employment, within the third-party contractor's application, if the recommendation is not motivated by payment or other consideration from another party; (d) respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party; (e) use student data to allow or improve operability and functionality of the third-party contractor's application; or (f) identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria: (i) regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and (ii) only if the third-party contractor obtains authorization in writing from: (A) the student's parent, if the student is a minor; or (B) the student. (5) At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete upon the education entity's request all personally identifiable student data under the control of the education entity unless a student or a minor student's parent consents to the maintenance of the personally identifiable student data. (6) (a) A third-party contractor may not: (i) except as provided in Subsection (6)(b), sell student data; (ii) collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor's contract with the education entity; or (iii) use student data for targeted advertising. (b) A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section. (7) The provisions of this section do not: (a) apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor's application; (b) apply if the student data is shared in accordance with the education entity's directory information policy, as described in 34 C.F.R. Sec. 99.37; (c) apply to the providing of Internet service; or (d) impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. Sec. 230, to review or enforce compliance with this section. (8) A provision of this section that relates to a student's student data does not apply to a third- party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision: (a) the student's parent, if the student is a minor; or (b) the student. Renumbered and Amended by Chapter 8, 2025 Special Session 1
‹ Prev All Utah sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.