The Utah legislature passed a higher education student privacy bill (Utah SB 226, Higher Education Data Privacy and Governance Revisions) and sent the legislation to the governor’s office for signature. Notably, the bill limits how vendors can use student personally identifiable information (PII) and creates a group to develop standards for data governance and vendor use of student data.  

S.B. 226 Provisions 

  • Require the state privacy officer to establish a privacy advisory group. Utah’s State Privacy Officer, Whitney Phillips, previously served as the CPO for the Utah State Board of Education for the past 5 years. 
  • Enact requirements for data protection and maintenance for the Utah Board of Higher Education, institutions, and third-party contractors. 
    • At the end of a contract with an institution, if the contract is not renewed, contractors must return or delete (upon the institution’s request) all student personally identifiable information. 
  • Similar to language in K-12 privacy laws, third-party contractors may not sell student data or use student data for targeted advertising.  They can still recommend certain products or services, as long as the contractor does not receive payment or consideration for doing so. 
  • The bill includes penalties for both institutions and contractors if a third-party contractor permits unauthorized collecting, sharing or use of student data
    • If a vendor “knowingly or recklessly” allows for unauthorized collection or use of student data:
      • Institutions cannot enter into a future contract with that contractor, unless the contractor demonstrates they have corrected the error (or can comply with the data regulations). 
      • Institutions may be required to pay a civil penalty of up to $25,000
      • An individual who knowingly or intentionally permits unauthorized collection or sharing of student data may be found guilty of a class A misdemeanor.  
    • The bill also includes a private right of action, allowing a student or minor student’s parent to take legal action against an institution if a third-party contractor violates the law. The bill allows the court to order the institution to pay damages and costs.