A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms.
Terms Used In Utah Code 53E-9-309
Adult student: means a student who:
(a)
is at least 18 years old;
(b)
is an emancipated student; or
(c)
qualifies under the McKinney-Vento Homeless Education Assistance Improvements Act of 2001, 42 U. See Utah Code 53E-9-301
Contract: A legal written agreement that becomes binding when signed.
General audience application: means an Internet website, online service, online application, mobile application, or software program that:
(a)
is not specifically intended for use by an audience member that attends kindergarten or a grade from 1 to 12, although an audience member may attend kindergarten or a grade from 1 to 12; and
(b)
is not subject to a contract between an education entity and a third-party contractor. See Utah Code 53E-9-301
an individual who has written authorization from a student's parent or legal guardian to act as a parent or legal guardian on behalf of the student. See Utah Code 53E-9-301
the first and last name of a student's family member;
(iii)
a student's or a student's family's home or physical address;
(iv)
a student's email address or other online contact information;
(v)
a student's telephone number;
(vi)
a student's social security number;
(vii)
a student's biometric identifier;
(viii)
a student's health or disability data;
(ix)
a student's education entity student identification number;
(x)
a student's social media user name and password or alias;
(xi)
if associated with personally identifiable student data, the student's persistent identifier, including:
(A)
a customer number held in a cookie; or
(B)
a processor serial number;
(xii)
a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
(xiii)
information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
(xiv)
information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. See Utah Code 53E-9-301
Student data: means information about a student at the individual student level. See Utah Code 53E-9-301
Targeted advertising: means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or student data. See Utah Code 53E-9-301
Third-party contractor: means a person who:
(a)
is not an education entity; and
(b)
pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service. See Utah Code 53E-9-301
When contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall require the following provisions in the contract:
(a)
requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and state board rule;
(b)
a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data;
(c)
provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor;
(d)
except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and
(e)
an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity’s designee may audit the third-party contractor to verify compliance with the contract.
(3)
As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement.
(4)
A third-party contractor may:
(a)
use student data for adaptive learning or customized student learning purposes;
(b)
market an educational application or product to a parent of a student if the third-party contractor did not use student data, shared by or collected on behalf of an education entity, to market the educational application or product;
(c)
use a recommendation engine to recommend to a student:
(i)
content that relates to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; or
(ii)
services that relate to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party;
(d)
respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party;
(e)
use student data to allow or improve operability and functionality of the third-party contractor’s application; or
(f)
identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria:
(i)
regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and
(ii)
only if the third-party contractor obtains authorization in writing from:
(A)
a student’s parent through the student’s school or LEA; or
(B)
for an adult student, the student.
(5)
At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete upon the education entity’s request all personally identifiable student data under the control of the education entity unless a student or the student’s parent consents to the maintenance of the personally identifiable student data.
(6)
(a)
A third-party contractor may not:
(i)
except as provided in Subsection (6)(b), sell student data;
(ii)
collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor’s contract with the education entity; or
(iii)
use student data for targeted advertising.
(b)
A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section.
(7)
The provisions of this section do not:
(a)
apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor’s application;
(b)
apply if the student data is shared in accordance with the education entity’s directory information policy, as described in 34 C.F.R. § 99.37;
(c)
apply to the providing of Internet service; or
(d)
impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. § 230, to review or enforce compliance with this section.
(8)
A provision of this section that relates to a student’s student data does not apply to a third-party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision:
(a)
the student’s parent, if the student is not an adult student; or