UT HB0055

Education entities must terminate contracts with third-party ed-tech vendors who violate state or federal student privacy laws (including FERPA and COPPA) and fail to remedy the violation within 30 days of notification

Contracts with third-party contractors must include provisions prohibiting fees or financial liability for termination due to privacy violations

The State Board of Education student data privacy team must investigate suspected privacy violations reported through an established reporting process and conduct compliance audits when warranted

Third-party contractors must automatically return or delete all personally identifiable student data when a contract ends, unless the student's parent provides written consent for data retention

Repeals the provision that previously allowed third-party contractors to respond to student requests for information or feedback

Effective date: July 1, 2026