53E-9-309. Third-party contractors.
1,173 words·~5 min read·
/ut/title-53e/chapter-9/53e-9-309A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Effective 7/1/2026
53E-9-309. Third-party contractors.
(1)A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms.
(a)When contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall:
(i)require the following provisions in the contract:
(A)requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and state board rule;
(B)a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data;
(C)provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor;
(D)except as provided in Subsection
(4)and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor;
(E)an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity's designee may audit the third-party contractor to verify compliance with the contract; and
(F)provisions describing the education entity's or government agency's statutory duty to terminate the contract in the case of a privacy violation in accordance with Subsection (2)(a)(iii) and prohibiting any fee or financial liability for the termination;
(ii)within 30 days after the day on which the education entity or government agency discovers a third-party contractor's unauthorized usage of student data or information in violation of state or federal privacy laws, including this chapter, the Family Education Rights and Privacy Act and related provisions under 20 U.S.C. Secs. 1232g and 1232h, the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and any associated regulations, provide notice to the third-party contractor of:
(A)the violation of the relevant state or federal privacy law; and
(B)the education entity's or government agency's duty to terminate the contract under Subsection (2)(a)(iii) ; and
(iii)no sooner than 30 days after the day on which the education entity or government agency provides the notice described in Subsection (2)(a)(ii) , terminate the contract with the third-party contractor if the contractor does not:
(A)remedy the privacy violation to the greatest extent practicable, in the determination of the education entity or government agency; and
(B)establish processes and procedures to prevent the failure of compliance from re-occurring.
(b)A third-party contractor may not impose a fee, seek damages, or otherwise assert any financial liability against an education entity or government agency that terminates a contract as a consequence of the contractor's unauthorized usage of student data or information in violation of a relevant state or federal privacy law under Subsection (2)(a)(iii) .
(i)A person may submit a report of a suspected violation directly to the state board student data privacy team, through a reporting process that state board policy establishes.
(ii)Upon receipt of a report described in Subsection (2)(c)(i) , the state board student data privacy team shall, in accordance with state board policies and procedures:
(A)conduct an initial review to determine whether the report is credible, relevant, and sufficiently specific to warrant action; and
(B)if the report meets the standard described in Subsection (2)(c)(ii)(A) , initiate a compliance audit or investigation of the relevant third-party contractor.
(d)To combat data protection misunderstandings or misconceptions, state board staff shall create materials or resources to be made available to third-party contractors.
(3)As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement.
(4)A third-party contractor may:
(a)use student data for adaptive learning or customized student learning purposes;
(b)market an educational application or product to a parent of a student if the third-party contractor did not use student data, shared by or collected on behalf of an education entity, to market the educational application or product;
(c)use a recommendation engine to recommend to a student:
(i)content that relates to learning or employment, within the third-party contractor's application, if the recommendation is not motivated by payment or other consideration from another party; or
(ii)services that relate to learning or employment, within the third-party contractor's application, if the recommendation is not motivated by payment or other consideration from another party;
(d)use student data to allow or improve operability and functionality of the third-party contractor's application; or
(e)identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria if the criteria does not include a personal identity characteristic as that term is defined in Section 53B-1-118 :
(i)regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and
(ii)only if the third-party contractor obtains authorization in writing from:
(A)a student's parent through the student's school or LEA; or
(B)for an adult student, the student.
(5)At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete all personally identifiable student data under the control of the education entity unless the student's parent gives written consent to the third-party contractor's maintenance of the personally identifiable student data.
(a)A third-party contractor may not:
(i)except as provided in Subsection (6)(b) , sell student data;
(ii)collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor's contract with the education entity; or
(iii)use student data for targeted advertising.
(b)A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section.
(7)The provisions of this section do not:
(a)apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor's application;
(b)apply if the student data is shared in accordance with the education entity's directory information policy, as described in 34 C.F.R. 99.37;
(c)apply to the providing of Internet service; or
(d)impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. Sec. 230, to review or enforce compliance with this section.
(8)A provision of this section that relates to a student's student data does not apply to a third-party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision:
(a)the student's parent, if the student is not an adult student; or
(b)the student, if the student is an adult student.
Amended by Chapter 18 , 2026 General Session