Student Data Protection Law in Texas, New Amendments

The Texas Student Privacy Act is a data protection law that was initially passed in the U.S. state of Texas in 1995. The law has been amended several times, most recently in 2017, with the goal of protecting the privacy of the personal information that students within Texas disclose to educational institutions and online operators in regard to furthering their education. More specifically, the “Texas Student Privacy Act limits the use and disclosure of student personal information by a website, online service, online application or mobile application (collectively ‘Site’) that are used primarily for a school purpose and are designed and marketed for a school purpose (Tex. Educ. Code § 32.151 et seq.).”

How are online operators defined under the law?

Under the Texas Student Privacy Act, an online operator is defined as “the operator of a website, online service, online application, or mobile application who has actual knowledge that the website, online service, online application, or mobile application is used primarily for a school purpose and was designed and marketed for a school purpose.” Alternatively, the law defines a school purpose as “a purpose that is directed by or customarily takes place at the direction of a school district, school campus, or teacher or assists in the administration of school activities, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or is otherwise for the use and benefit of the school.”

What are the responsibilities of online operators under the law?

Under the Texas Student Privacy Act, online operators that collect personal information from students within the state have a number of responsibilities as it concerns protecting this information from unauthorized use, access, or disclosure. These responsibilities include:

• Online operators are prohibited from using personal information pertaining to students within Texas, such as personal identifiers, to create an online profile for a particular student, unless this profile is strictly used for a school purpose, as defined under the law.
• Online operators are prohibited from using personal information obtained from students within Texas for the purposes of targeted advertising.
• Online operators must implement security measures that are designed to protect personal information from unauthorized use, access, disclosure, modification, and deletion.
• Online operators are prohibited from selling or renting personal information pertaining to students within Texas, subject to certain exceptions. Such exceptions include instances where the sale or renting of personal information is in regards to post-secondary educational opportunities or scholarships, among others.

Conversely, online operators within the state of Texas are permitted to disclose personal information relating to students within the state under the following circumstances:

• To protect against liability.
• To participate or respond to the judicial process.
• To ensure legal and regulatory compliance.
• To protect the safety and integrity of an online operator’s website, application, or online service.
• To assist in a legitimate research purpose.
• To assist a student in pursuing post-educational opportunities.

What categories of personal data are protected under the law?

Under the Texas Student Privacy Act, the categories of personal information that are covered under the provisions of the law include but are not limited to:

• Email addresses.
• Physical addresses.
• Educational records.
• First and last names.
• Telephone numbers.
• Health and medical records.
• Social security numbers.
• Political affiliations.
• Religious information.
• Biometric information.
• Discipline records.
• Grades and evaluations.

How can online operators maintain compliance with the law?

As online operators are tasked with both protecting the personal information of students, as well as using this personal information for legitimate purposes such as the furtherance of post-secondary educational opportunities, they will invariably face a dilemma. Nevertheless, one way in which online operators within Texas can maintain compliance with the Texas Student Privacy Act while also serving their respective students is through automatic redaction software. Using an automatic redaction software program, online operators can ensure that the personal information of their students is never used outside of the context of school purposes, enabling them to continue helping said students while also maintaining compliance with the law.

Through amendments that have been made to the Texas Student Privacy Act, students within the state, as well as their parents and guardians, can rest assured that their personal information will not be used for any reason other than the furtherance of their education, or other relevant legal applications. As K-12 students within the U.S. currently utilize websites and online access more than any other generation in American history, legislation such as the Texas Student Privacy Act is needed to protect students from the adverse effects of data breaches and other related cybersecurity incidents.