New Amended Student Data Privacy Law in Utah
Utah’s Student Online Personal Information Protection Act or SOPIPA, also known as SB 207, is a student data privacy law that was passed in the U.S. state of Utah in 2016 and later amended in 2018. Much like other student data protection laws that have been passed around the country in the last decade, such as California’s Student Online Personal Information Protection Act or SOPIPA, Utah’s SB 207 was passed to protect the personal information and privacy of students enrolled within educational institutions located in the state. To this point, the law establishes various regulations aimed at protecting the personal data that students within Utah share with educators, school administrators, and related third parties during the educational process.
How are school officials defined under the law?
Under Utah’s SB 207, a school official is defined as “an employee or agent of an education entity, if the education entity has authorized the employee or agent to request or receive student data on behalf of the education entity.” Conversely, the law defines a third party contractor as “a person who: (a) is not an education entity; and (b) pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service.”
What are the duties of school officials and contractors under the law?
Under the provisions of Utah’s SB 207, the responsibilities of school officials and third-party contractors concerning the protection of the personal information of students within the state include but are not limited to:
- School officials and third-party contractors are prohibited from using personal information obtained from students for the purpose of targeted advertising.
- School officials and third-party contractors may only collect personal information in accordance with express written consent. Furthermore, when collecting personal information, school officials and third-party contractors are also required to provide both students and their parents or guardians with a collection notice in the form of a stand-alone document, including the specific categories of personal information that are to be collected, as well as the intended uses of such information. Moreover, these collection notices must be updated on an annual basis.
- In the event that a data breach occurs, school officials and third-party contractors are responsible for providing notification to all affected individuals and parties.
- School boards within the state of Utah that employ school officials and third-party contractors are responsible for establishing a student data policy advisory group charged with performing a wide range of tasks relating to student data protection, including proposing and enacting future legislation, as well as preparing and maintaining student data governance plans, among other responsibilities.
- School boards within the state of Utah are responsible for designating student data officers to act as the primary point of contact for all student data policy advisory groups.
What data elements are protected under the law?
Under the provisions of Utah’s SB 207, some of the categories of personal information concerning students within the state that are protected under the law include:
- Social security numbers.
- Grades and transcripts.
- Student enrollment records.
- Health and disability data.
- First and last names.
- The names of students’ family members.
- Telephone numbers.
- Email addresses.
- Physical addresses.
- Biometric identifiers.
- Social media login credentials.
- Customer numbers that are held within online cookies.
- Juvenile dependency records.
- Student identification numbers.
What are the penalties for violating the provisions of Utah’s SB 207?
In terms of the enforcement of the law, school officials and third-party contractors that are found to be in violation of Utah’s SB 207 are subject to a number of sanctions and penalties. Such punishments include:
- A civil penalty of up to $25,000.
- An award of monetary damages to students or parents, contingent upon the scope and severity of the offense.
- A court order to pay expenses related to providing notification to all students and parents in the event that a data breach occurs.
- A court order to pay expenses that an educational institution may incur as a result of the unauthorized use or acquisition of student information.
- A court order preventing school officials and third-party contractors from entering into future contracts with educational institutions within the state of Utah.
Through the provisions of Utah’s SB 207, parents who send their children to school within the state can rest assured that school officials and third-party contractors will face steep punishments should they fail to protect the personal information and privacy of their respective students. What’s more, in contrast to many other privacy laws around the country, Utah’s SB 207 also provides both students and parents with the opportunity to seek monetary damages should any of their rights be violated under the law. As such, Utah’s SB 207 provides students within the state with a significant level of protection as it concerns the unauthorized use, access, and dissemination of their personal information.